Updated May 2018
The issue of data protection has been everywhere recently following the furore over Cambridge Analytica and Facebook's wider approach to data protection. (Out of the loop? Here's a summary of what's happened.)
This news got us all thinking about our 'data footprints' - or how our data is used, shared, stored, and processed by companies and other organisations.
But it's not just the Facebooks and Googles of this world that hold personal data.
From supermarkets with thousands of employees to small cafes and even individual freelancers, data is collected by almost every type of business and trader.
And if you collect, store or process personal data, then you need to follow data protection rules.
From May 25th 2018, the laws you need to follow (if you manage the data of EU citizens) are the General Data Protection Regulation (GDPR).
This scary-sounding regulation is a big deal for businesses in the UK. And if you're not sure if you're be affected by GDPR, you probably are.
What personal data do you collect?
You may not collect personal data to the same extent as companies like Amazon, Google, and Facebook, but you may be surprised by the amount of data you actually hold.
Personal data includes:
- Employee data. The personal information of your staff, including addresses, contact details, emergency contact information, medical information, and bank account details.
- Customer or client data. Again, this might include contact details (including email addresses), purchase history, IP addresses (which can be used to determine someone's rough location), and marketing information.
- Potential customers. Even if someone doesn't make a purchase in your establishment, they may open an account or download a loyalty app. The same applies for visitors to your website who don't actually make a purchase but might sign up for an account or subscribe to an email newsletter.
- Potential employees. You collect data about candidates during the recruitment process — CVs, contact information, and contact details for their referees.
If you're not sure whether data you hold counts as personal data, ask whether or not or may be used to identify a person — either directly or indirectly, particularly when combined with other data you hold.
So what now?
If you collect any of the data we've listed above (or any other types of personal data), you're affected by GDPR. That means you need to comply with these data protection regulations, or risk significant penalties.
And with consumer awareness of data protection rules rising all the time, you really can't afford to ignore them.
The GDPR is an intimidating piece of legislation that even legal experts are struggling to get to grips with. We can't give specific GDPR tips for your individual business, but we can offer some general information to help you get started.
First, understand when and how you collect personal data. Detail exactly how, when and where you collect personal data. The bullet points above are a good starting point. Think about your current approach to deleting and updating these types of personal data, and how they're stored. Make a note of any other service providers that you share this data with, such as cloud storage services, accountants, or other software providers. You're responsible for checking that these 'data processors' comply with the GDPR.
Improve data security. Think about potential sources of data breaches — either deliberate or accidental. Implement a stronger password policy, and check that any software providers are compliant with data protection rules. Consider potential risks to data security, and how you'll respond to data breaches (there are new rules you need to follow).
Change how and why you ask for personal data. Every time you collect personal data, you must have a lawful basis for processing it. Take a look at the list on the Information Commissioner Office's website to find out which could work for you.
One of these conditions for processing is consent — in other words, an individual gives you the OK to store, use, or share their personal data.
Consent is used by many companies to gather data for marketing purposes, but as a consumer, it's often not clear exactly what you're consenting to, or that you have to actively opt-out if you don't want your data to be used.
The GDPR changed all that. From May 25th 2018, consent needs to have a positive opt-in (i.e. an empty tick-box), and be explicit, and easy to understand. It must also be as easy to withdraw consent as it is to give it — head over to ICO's website for more detail on the new data consent rules.
An Example of Consent
Previously, at the point of sale, many fashion retailers ask if the customer has an email address so they can send a digital receipt instead of (or in addition to) a paper receipt.
Customers may accept this offer because of the convenience of a digital receipt (they're less likely to lose them), and to reduce waste paper.
But of course, the real reason retailers are asking for an email address is so that they can link the customer's in-store purchases to their email address (and online account, if they have one), giving them more data about customer buying habits — while also adding them to their marketing database.
When the customer accepts the offer an e-receipt, they don't give permission for the company to send them additional marketing emails, but the retailer usually sends them regardless.
Retailers aren't allowed to do this now that GDPR is in force. Instead, they now have a choice when it comes to e-receipts:
1. Send only the e-receipt to the customer — with their consent — and delete their information afterwards.
2. Ask for permission to send an e-receipt, then, separately, ask for permission to send marketing emails. Customers must be able to give consent to these two types of communications separately.
You could ask customers if they'd like to opt in to marketing emails on the receipt email itself — but remember to follow the new GDPR consent rules.
The GDPR brings new data rights for individuals that strengthen their control over their personal data. Here's a summary of consumer rights under the GDPR:
- The right to be informed (about the collection and use of personal data).
- The right of access. You can no longer charge for managing subject access requests, unless the request is unfounded, excessive, or repetitive.
- The right to rectification (of inaccurate or incomplete data).
- The right to erasure (aka the right to be forgotten).
- The right to restrict processing (in certain circumstances).
- The right to data portability. You should allow individuals to move or copy their personal data to other systems safely and securely.
- The right to object (to certain types of processing, direct marketing, and research).
- Rights related to automated decision making and profiling.
This is an intimidating list, but you can account for most of these strengthened rights fairly easily by keeping your data well organised using file types and software that is widely used.
Assign an employee to manage things like subject access requests and rectifying inaccurate data.
Common sense and fairness
GDPR is undeniably a faff for small businesses, but when you stop to think about it, data protection makes sense. We all want to know who's keeping our data and how it's being used, and we all want to be able to quickly and easily correct or delete data that another party holds on us.
We should be able to trust businesses to keep our personal data secure, and only use it for the purposes we consent to.
The GDPR brings more paperwork than small businesses would like, but overall, its main goal is one that we'll all benefit from: giving us more control over our personal data.