In Why GDPR? I explained what the General Data Protection Regulation is aiming to achieve, because understanding its underlying principles and rationale is key to protecting data appropriately in the new regulatory environment.
The principle of fairness and transparency runs through every aspect of data handling, and the other data protection principles follow from it. We need to reconsider our approach so that we collect only as much information as we need to deliver the service in question (data minimisation); keep that data appropriately secure; hold it no longer than necessary for the purposes for which it was collected; and keep it accurate.
One simple way to deal with data accuracy is to give your contacts a way to see the basic contact and marketing details you hold on them, so they can update those details themselves. If you do this, make sure the page only shows a record to the person it belongs to (for example, by sending an update link to the email address you already hold), otherwise the accuracy fix becomes a way for anyone to read your contacts' details.
While the transition to the new regime involves a substantial effort for many time-poor small businesses, it will ultimately help us all to run better businesses, with appropriate safeguards in place to protect other people's data.
However, given that we now have about two weeks to go until 25 May, what should you be doing to work towards GDPR compliance? In an ideal world we would all have used the last two years to prepare for GDPR, but few small businesses were aware of it until recently, so here are some steps you might want to take if you have only just decided to act.
The starting point is to identify what types of personal data you hold, where you hold it, and why. Who has access to it? This is a major exercise, but if you have limited time in which to do it, focus on the big picture. Most businesses will have customers who have bought from them, prospective clients who have made enquiries, and a mixed bag of other contacts, such as people whose business cards you have collected over the years.
A second category of contacts whose personal details you hold will be past and present employees and freelancers, and also past job candidates.
There will also possibly be a number of suppliers of services – call answering providers, external agencies you might use for web development and so on.
Once you've taken stock and done your mini audit you should have a better understanding of the information you're holding about your clients, prospects, business card contacts, employees, contractors, suppliers and so on. In the process you will begin to notice who has access to that data, and through which systems. Depending on the nature of your business, it may be useful to go through your password manager (or whatever list of logins you keep) to remind you of the apps and online services you use; each of those is somewhere personal data may be stored. If that list of logins is itself a plain spreadsheet or document, treat fixing that as one of the security improvements that come out of the audit.
It's a fundamental principle of any outcome-focused regulation that we should be able to demonstrate the reasons for our decisions; the GDPR calls this accountability. So, having a system in place where you can document your reasons is key. If the Information Commissioner's Office ever needs to look into your business, it will ask to see your audit records and will expect you to have a record of your processing activities ready (a spreadsheet is fine) explaining what data you process, why, on what lawful basis and who it is shared with. Article 30 of the GDPR requires this record of most controllers; the exemption for organisations with fewer than 250 staff does not apply where the processing is more than occasional, so most businesses will need one.
If you're doing a rushed audit to get your privacy notice sorted quickly, do plan in some time in the coming months to go back over the audit and update it. Compliance isn't a one-off event for anyone.
If you process special category data, such as data about people's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, or a person's sex life or sexual orientation, you need one of the specific conditions in Article 9 of the GDPR in addition to a lawful basis. Explicit consent is the most common of these conditions for a small business, but it is not the only one, so check which applies to you. What will you do about data you already hold, and what will you do for the future? These involve different issues. Think it through, document your situation, and if you need guidance, get proper legal help.
Data Protection Officer?
You will also need to make some incidental decisions, such as whether your business is required to appoint a Data Protection Officer (DPO) and whether to carry out a Data Protection Impact Assessment (DPIA). As a general rule, if you're a small business, you're not a public authority, and you're not doing any profiling, systematic monitoring of people, or processing of special category data on a large scale, it's unlikely you'll need either of these.
However, as businesses are so different in terms of their size and processing activities, and the guidance is still changing even now, I suggest you look on the ICO's website to decide whether you need to appoint a DPO or to carry out a DPIA, and then document your decision either way.
As already mentioned, before you can draft your privacy notice, an important decision you need to make is the lawful basis for each of the processing activities you have identified. The GDPR provides six lawful bases, but for most businesses the choice will be between
- performance of contract;
- legal obligation to which the controller is subject;
- legitimate interests.
The remaining bases (consent, vital interests and public task) are less likely to be the right fit for a small business, although consent for marketing is covered in the final post of this series. If you decide that you have a legitimate interest to continue to email your list of contacts, document your reasons for this using the three-part test the ICO recommends: what the purpose is, why the processing is necessary for it, and why your interest is not overridden by the interests and rights of the people concerned. That way you will have an audit trail to remind you, months after the event when memories have faded, why you took the decisions you took. Bear in mind that for electronic marketing the separate rules in PECR apply as well, whatever lawful basis you choose under GDPR.
Once you’ve done all this you should decide what steps you will have to take to comply with GDPR and put in place a prioritisation plan. It’s highly unlikely that you will be able to do everything in one go, so you’ll need to decide how to focus your available resources.
Particularly noteworthy for GDPR compliance is the need to get processor contracts in place with non-employees and other third parties who process data that you're responsible for as "controller". The GDPR requires you to have a written agreement with your third-party processors (for example your payroll provider, freelancers, software providers, and any apps or cloud services you use to hold personal data). The terms that must be included in the agreement are prescribed in Article 28(3) of the GDPR, so a generic services contract will not do. Make a list of all the individuals and sites you use, and plan from there.
There will be some processors who need to sign your processor agreements more urgently than others depending on the data to which they have access and where they’re located. Get a few contracts ready to send out for signature.
If your processors are based in countries outside the EEA then you have additional obligations, such as finding out whether the country they're located in has an adequacy decision from the European Commission. Only a dozen or so countries are considered adequate, and the USA isn't one of them. So, for US entities like Mailchimp, you'll need to find out whether the organisation is certified under the Privacy Shield and add this information to your privacy notice. (Privacy Shield certification was a valid basis at the time of writing; the Court of Justice of the EU invalidated it in July 2020, so check the current position before relying on it.) If you cannot find any other basis, then put in place a contract using the Model Clauses (standard contractual clauses) provided by the EU.
While in theory you can introduce a contract and continue your current data transfer activities, the GDPR principles should prompt you to rethink your current practices.
For example, using a sole-trader freelancer in India who has access to your entire database of contacts might be a questionable decision. You may want to reconsider whether you can really justify continuing to give access to so much data to someone based in a jurisdiction without an adequacy decision. Ask first whether they need all of it: giving them only the records required for the task they are doing (an export limited to the relevant contacts, or an account restricted to the relevant part of the system) is itself a GDPR safeguard and reduces the harm if something goes wrong. If you're committed to using that resource for now, then put in place the Model Clauses and make a note to revisit this decision in the near future.
Using these documents with a freelancer whom it would not be practical to sue is arguably not an appropriate safeguard long term. So, you should reconsider your resourcing policy to gradually change the nature of the responsibilities you outsource to jurisdictions outside the EEA.
Certainly if you’re choosing new freelancers this might be an ideal opportunity to use one within the EEA.
For some businesses this use of freelancers or cloud technologies may present the biggest risk. See my blog post 3 Steps Every Business Will Need To Take To Comply With GDPR.
If you use an appropriate provider for your templates you should be able to get a decent privacy notice in place to send to your freelancers and employees, and another one to post on your website. Then send an email to your subscribers to notify them of your new privacy notice and if you get a chance, give them a way to update their marketing preferences.
As for cookies, we use this neat solution for cookies on our website. There are a few cookie issues which I need to consider more deeply for our site, and so this is something I will be revisiting, and I’ve made an appropriate note in our risk management policy about it.
In conclusion, while there is a lot to do to comply with GDPR, it is possible to begin working towards compliance even now at this late stage. If you’ve not yet addressed these GDPR issues in your business and want help, Azrights is there to support you.
In my final blog post GDPR Marketing – Consent vs Legitimate Interest I’ll be covering marketing and how to set your strategy for the future so you can build your marketing lists in a GDPR compliant way. It’s a real opportunity for your business to sharpen its approach to marketing.