Nigel Miller is a partner with City law firm Fox Williams LLP and will be speaking at the GDPR Conference Europe on 27th April. Mr Miller will be discussing how GDPR will affect our individual rights.
Information You Hold
Typically, the data which SMEs hold includes employee, supplier, prospect and customer records. The GDPR will apply where this data is held on computer or in an organised hard copy file.
You should document what data you hold, where it came from, how you use it and with whom you share it. Doing this will also help you to comply with the GDPR’s “accountability” principle; this requires businesses to be able to show how they comply with the data protection principles, for example by keeping records of their data handling and having effective policies and procedures in place.
You should review your current privacy policies and plan to make any necessary changes in time for the GDPR.
The GDPR requires this information to be provided in concise, easy to understand and clear language.
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Consent has to be a positive “opt-in” indication of agreement to personal data being processed; it cannot be inferred from silence, pre-ticked boxes or inactivity. If you rely on individuals’ consent to process their data, you must make sure it will meet the new higher standards required by the GDPR.
If you collect information about children (in the UK this will probably be defined as anyone under 13) then you will need a parent or guardian’s consent.
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the current law but with some significant differences. In particular, there are potentially significant new rights, including a “right to be forgotten” and a right to data portability. The new rights are somewhat complex and there may be practical problems in exercising and enforcing them. As a result, they may not deliver the benefits that consumers expect.
The main rights are:
Compliance with these rights may be complex and businesses need to review and implement systems to enable them to be able to meet these new requirements.
Some of the rights depend on the basis of the processing. For example, the data portability right only arises where the processing is based on the individual’s consent or for the performance of a contract.
The rights are not always absolute; for example, the right to be forgotten may not apply where data are required for historical, statistical or scientific research, for public health reasons, or for exercising freedom of speech.
In privacy policies and the like, you have to inform people of these rights under the GDPR.
This is a good time, therefore, to check your procedures and to work out how you would react if, for example, someone asks to have their personal data deleted, or asks you to stop sending them marketing material.
Exceptions for SMEs
Broadly the GDPR applies to all businesses, irrespective of size. There are some exemptions for SMEs with fewer than 250 employees; for example, SMEs do not need to maintain a record of occasional data processing. One small piece of good news is that it will no longer be necessary to file an annual notification of data processing with the ICO.
With a little over a year to go, it is important to take stock of your current data protection compliance, to consider which of the new obligations are likely to impact on you and to prioritise accordingly.
With the potential for high fines, as well as the fact that good data protection practice helps build trust and can act as a competitive differentiator, businesses need to start work now on becoming compliant with the GDPR.