I would imagine, unless you’re a lawyer who’s making the megabucks right now off the back of the imminent arrival of GDPR – you’re just as bored of it all as we are. I’m also guessing you’ve had about 30 + emails in the last few days alone asking you to re-subscribe to mailing lists ‘so that you can stay in touch’ – which is probably why you’re now thinking “I should probably do something about that” (and also potentially reading this blog post).
The next big problem you’ve probably found is, you have absolutely no idea where to even start with it all. Despite the idea behind GDPR being that data privacy should be easy for everyone – I’ve yet to read an easy to understand guide about how to make it simple for me to put all of the necessary steps in place so the business is GDPR Compliant. Which is why I’m writing this blog today – simply to give my best understanding of the rules and how you can take steps to try and comply with the laws.
Do bear in mind two things however:
- That law is generally made by comparison – so the first lawsuit will influence the second, which will influence the third and so on. Which is what makes it so hard to give specific guidance on this – the law simply isn’t fully defined yet.
- This is the really important one – I am not a lawyer. I have no formal legal training. None of the following content will constitute as legal advice. It is simply my understanding of the rules as I have read them.
So Where Do I Start With GDPR?
First things first, GDPR is designed to help inform people how data is stored and processed. In it’s simplest form, people must give you explicit consent to collect and use their information. Whether that information is coming from their browser or information they have given to you willingly.
This means the first step should be – take a look at what data you currently hold. Then look at the reason why you hold that information, according to the ICO there are six legal reasons for you to hold information on a person –
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
For people like you and me, the most important ones from that list will be Consent, Contract and Legitimate Interests.
For someone to give you consent to hold and use their personal information, they must have made a clear and affirmative action. This essentially means they have made a positive action for you to use their data. In the majority of cases, this will be a checkbox on a form which says “yes I’m happy for you to use my data in the following ways”.
For data to be held as part of a contract, you must be able to prove that without holding the data, you will not be able to fulfil a piece of work for that person. For example, we hold personal information about our clients – well without that we would have no way of getting in touch with them to say we’ve done any work for them.
For data to be held as part of a Legitimate Interest, there must be a genuine reason for you to hold that data to aid you in some way. Unfortunately, this is where the point I mentioned above about the first lawsuit defining the rules for everyone else. Having a legitimate interest means different things to different people. For example – we have a legitimate interest in how people use our website because that helps us focus our marketing in certain places and work out what works well and what doesn’t. We don’t collect any specifically identifiable information about people, simply what pages Mr Anonymous visits on our site, how long they spend there, where they came from and where they have left the site.
What Do I Need To Do Next
A lot of the guidance out there seems to be very specifically related to larger organisations. Things like appointing a Data Protection Officer and running training sessions with all of your staff – but how does that apply to small businesses.
Again, according to the ICO relating to appointing a Data Protection Officer.
Under the GDPR, you must appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Which means, I would say, for smaller organisations there is no need to appoint a Data Protection Officer. Just make it plain and simple who someone needs to contact if they have any questions about their data.
As for running training sessions with Staff, so long as your staff know not to start publishing your clients / customers data in places they shouldn’t – chances are you’ll be fine. It might be worth mentioning to everyone that GDPR is coming into play and that they should be wary about where they store personal details.
What We’ve Done
We have simply looked at all of the places we store our clients data (accounting systems, password management tools) and made sure that they all have GDPR compliant privacy policies (as far as we can tell, they do).
All of the contact forms on our site now have a checkbox to make it explicitly clear how we will process the information.
That’s it really. We’re not doing anything nefarious with our users data and we’re not in the game of big business data processing – so as far as we can tell these steps should be enough to protect us from prosecution. It will be important however to keep an eye on the GDPR landscape over the following few months to see how the law has been implemented and what people are doing in response to it, but for the 25th May deadline, I believe we’re in a fairly steady place.
If you’re unsure whether or not you’re GDPR compliant, then the ICO has published this guide which could be useful. Or if you would like to speak to us to assist with putting any of your GDPR processes in place then get in touch at firstname.lastname@example.org and we would be happy to help as best we can