Business Law & Compliance
Ensuring your small business is legally compliant with GDPR
14 June 2017
May 2018 will see the implementation of GDPR. This new legislation will change businesses’ legal responsibilities in the management of data – and being legally compliant will help you avoid some hefty fines.
GDPR is currently viewed as the biggest change to data protection in 20 years, and not being legally compliant will end in substantial fines.
Depending on the level of a breach, fines can be up to €20,000,000 or four per cent of the total annual global turnover based on the preceding financial year. And we’re all aware of the effects on PR for those organisations who have recently been in breach of the data protection provisions.
So who will the GDPR impact? The regulations will apply to businesses who fall into two categories: controllers and processors. Similar to the UK Data Protection Act (DPA), controllers dictate how and why personal data is processed, and processors act on behalf of the controller, e.g. an employer may be the controller (and possibly a processor as well) who uses an external payroll service provider (the processor).
The GDPR will place specific legal obligations and liabilities on processors. For example, these businesses will need to maintain records of personal data and processing activities. More obligations will also be placed on controllers, so they will need to ensure that contracts with processors comply with the new legislation and provide adequate rights (e.g. rights to audit) and indemnities.
Whilst the principles of responsibility for handling personal data are similar to the DPA, there are some additional requirements that bosses need to be aware of to ensure they truly are legally compliant – the most significant of which is individual company accountability. Take HR files for example. Managers need to be aware that the GDPR will apply to personal data held about employees and contractors.
Any data that can be used to identify a person – whether that’s gender, culture, mental health or even an IP address – is considered to be personal data. This broader definition also includes sensitive personal data such as genetic and biometric data that can be used to identify someone.
Another significant development of the GDPR involves the issue of consent, specifically where it validates the use of personal data. Bosses need to ensure that they’re clear when seeking consent with detailed information explaining how they plan on using the data. It’s important to note that a person’s silence or inactivity will no longer be considered as valid consent – this is crucial if you want to be legally compliant.
As a business, that means obtaining physical approval to hold or process the individual’s data for stated reasons unless specific exceptions apply. To ensure that your business is legally compliant with GDPR, here are our top five things to consider:
1) Appoint a data protection officer. Under the new legislation some businesses will be required to have one. This includes public authorities and those whose core activities require regular data monitoring or are processing special category data.
2) Is your privacy protected? Measures such as Privacy Impact Assessments (PIAs) are essential. For controllers, PIAs assess where privacy risks exist and how to minimise them.
3) Are you ready for a data breach? It’s important that your business has appropriate training and systems in place that will manage a breach and comply with notification requirements set out by the GDPR. This includes a requirement to notify your local data protection authority within 72 hours of discovering a data breach.
4) Can you apply the right to be forgotten? Ensuring your business complies with the right to be forgotten when a data subject requests it is vital.
5) Have a clear policy and train staff on holding and storing data. Businesses need to ensure that they comply with the more restrictive principles of not holding data longer than necessary and of not changing the use of this data from the original purpose specified.
Whilst it might seem as though you have plenty of time, the reality is that a lot has to be done between now and May 2018. Controllers and processors need to understand what personal data they hold and how it’s being used. Make sure your business is protecting privacy by design internally and externally and that contractual provisions are in place that will ensure compliance and that adequate indemnities exist.
Stephen Foster is partner in the HR and employment team at SAS Daniels