If you’re thinking of becoming self-employed or already run a small business, you need to know about the EU General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, so I’ve put together this post.
Please do check out facts for yourself, as although I have done my best to curate complicated information, you need to ensure you’re complying according to your business’s requirements.
The GDPR will apply to any business that processes the personal data of individuals in the EU, whatever its size (the 250-employee threshold in the regulation only relaxes some record-keeping duties; it does not exempt small businesses), and the data in scope includes that of customers, suppliers, partners and staff. Individuals will have more rights over how businesses use their data. In some instances they have the ‘right to be forgotten’: if they no longer want you to process their data and you have no other legal ground to keep it (for example the individual is no longer a customer, so your contract with them no longer gives you a legal basis), you must erase it. Failure to comply can bring heavy penalties, up to €20 million or 4% of annual worldwide turnover, whichever is higher.
The government has confirmed that Brexit will not affect the GDPR start date or its immediate running. It’s also confirmed that post-Brexit, the UK’s law (or a newly-proposed Data Protection Act) will directly mirror the GDPR.
Questions you need to ask yourself:
- How often does your business deal with personal data? This includes your customer data and supplier data. Past and present employees. And is there anything else you’ve collected, that doesn’t fall into any of these groups? If you’re collecting any of this data routinely, you’ll need to comply with the GDPR, whether the data is on a spreadsheet, on your computer network, your mobile phone, or in the cloud.
- Does your business currently fall under the Data Protection Act (DPA)? If so, the Information Commissioner’s Office (ICO) has confirmed that the GDPR will apply to you.
ARE YOU A DATA CONTROLLER OR DATA PROCESSOR?
The GDPR will apply to data ‘processors’ and ‘controllers’:
- Data processing is defined as any operation performed on personal data, such as collecting, recording, organizing, storing, consulting, altering, sharing or erasing it. For data processors, the GDPR carries a specific set of legal obligations, some of which will require you to:
- keep up-to-date records of your processing activities, including your ‘data subject categories’ (customers, employees, suppliers, etc.) and the categories of processing carried out (transferring, hosting, altering, receiving, disclosing, etc.)
- keep details of any transfers to countries outside the European Economic Area (EEA)
- implement appropriate security measures, which may include pseudonymization and encryption, and be able to show that you regularly test those measures
- be ready with a general description of the technical and organizational security measures you keep in place
- A controller decides the purposes and means of the processing. In GDPR terms a ‘processor’ is someone who processes personal data on a controller’s behalf, so a controller who does all of its own processing is not a processor in the legal sense, but it still has to meet the record-keeping and security requirements above directly.
For example, if you’re a small business offering a coaching or therapy service and your customer details are managed using a contacts management app on your phone, hosted by a third party, this would make you the controller and the third party the processor. If, on the other hand, you manage all of your data on a spreadsheet you’ve built yourself, you’re the controller and there is no separate processor.
Controllers are subject to the same basic record-keeping and security requirements as processors, and more besides: as a controller, the GDPR makes you responsible for the processing overall and requires you to ensure that any contracts you have with processors are compliant.
CONSENT
- Consent must be freely given, specific, informed and unambiguous. Explicit consent (which you need for special category data) means a very clear, specific statement of consent, not something inferred from behaviour.
- Keep your consent requests separate from other terms and conditions.
- Name any third parties who will rely on the consent.
- Make it easy for people to withdraw consent (and tell them how).
- Keep evidence of the consent (who, when, how and what you’ve told people).
- Use a positive opt-in (don’t rely on pre-ticked boxes or default options).
- You’ll need explicit consent from individuals whose special category personal data you want to process, although Article 9 sets out some exceptions to this rule.
- Personal data:
- Online identifiers such as an IP address count as personal data where they can be linked to an individual, even a dynamic address assigned by an ISP; the same goes for cookie identifiers and device IDs.
- There are lots of other things that fall into the personal data category, so make sure you’ve checked the GDPR itself. Article 9 of the GDPR defines ‘special categories of personal data’: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, plus genetic data, biometric data used to identify someone, data concerning health and data concerning a person’s sex life or sexual orientation.
- You’ll need to demonstrate an understanding of the types of personal data (for example name, address, email, bank details, photos, IP addresses) and sensitive (or special category) data (for example health details or religious views) you hold, where they’re coming from, where they’re going and how you’re using that data.
- Focus on your lists:
- Does your business hold HR records, customer lists and contact detail records, for example? Most do. The ICO (ico.org.uk) confirms this: “You can assume that if you hold information that falls within the scope of the Data Protection Act (DPA), it will also fall within the scope of the GDPR.”
- Your checklist needs to take into account past and present employees and suppliers as well as customers (and anyone else’s data you’re getting hold of, storing and using).
- How data is captured: Whether it’s you keeping a spreadsheet of customer contact details, or an automated digital capture system, the GDPR will apply.
- Your supply chain:
- You should ensure that all suppliers and contractors are GDPR-compliant to avoid being impacted by any breaches and consequent penalties.
- You’ll also need to ensure you have the right contract terms in place with suppliers (which puts important obligations on them, such as the need to notify you promptly if they have a data breach).
- Do your due diligence. You could ask suppliers and contractors to complete a form confirming the security measures they have in place, or you could conduct an on-site visit.
- If their existing measures aren’t sufficient, review the relationship: either they bring their measures up to GDPR standard or you find a supplier that has.
- Where your suppliers (as processors) are processing personal data on your behalf (as a controller), you must update your contracts with them to include the mandatory clauses set out in Article 28(3) of the GDPR. These contractually oblige processors to provide GDPR-compliant data protection standards.
- Security measures: you’ll need to update these to be GDPR-compliant, and if you don’t currently have any, get them in place. Encrypting personal data at rest and in transit, and pseudonymizing it where you can, limits the damage if a breach happens: under Article 34(3)(a) you may not have to notify the affected individuals if the breached data was made unintelligible (for example, properly encrypted with a key the attacker did not get), and under Article 83(2) the measures you had in place are taken into account when any penalty is set.
- Access requests: subject access rights are changing. Under the GDPR, individuals have the right to access all of the data you hold about them, to have inaccurate data rectified, to object to processing in certain circumstances and to have their personal data erased in certain circumstances. You must respond within one month of receiving the request; this can be extended by up to two further months only where requests are complex or numerous, and you have to tell the individual within the first month if you need longer (Article 12(3)).
- Fair processing notices: These are about giving people clear information about what you’re doing with their data. Your fair processing notice should describe:
- why you’re processing their personal data (the purpose), including the legal basis you have, such as consent.
- the recipients, or categories of recipients, you may send the personal data to (for example your accountant, payment processor or hosting provider).
- how long you’ll be holding onto the data (the ‘retention period’), or the criteria used to determine it.
- you’ll also need to notify individuals of the existence of their data rights.
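The security-measures bullets above mention pseudonymization but not what it looks like in practice, and the access and erasure rights need a way to find everything held about one person. The following is an added example, not code from the original post: it pseudonymizes a customer list by replacing the direct identifiers with keyed-hash tokens and keeping the re-identification table apart from the working records, then services a subject access request and an erasure request by token. The customer records, field names and function names are all my own assumptions for illustration; the sample data is constructed and describes no real person. Encryption of the re-identification table at rest is a separate step not shown here.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample data for this example only; no real people.
CUSTOMERS: List[dict] = [
    {"name": "A. Example", "email": "A.Example@example.com", "sessions": 4, "notes": "prefers evenings"},
    {"name": "B. Sample", "email": "b.sample@example.com", "sessions": 1, "notes": "referred by GP"},
    {"name": "A. Example", "email": "a.example@example.com", "sessions": 2, "notes": "follow-up block"},
]

# Fields that directly identify a person; they are removed from the working copy.
DIRECT_IDENTIFIERS = ("name", "email")


def subject_token(key: bytes, email: str) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised e-mail address.

    Unlike a plain SHA-256 of the address, the token cannot be confirmed by
    guessing likely addresses unless the attacker also holds the key, which
    is kept apart from the pseudonymized records (the 'additional information'
    of GDPR Article 4(5)). Normalising case and whitespace means the same
    person always maps to the same token."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(key: bytes, records: List[dict]) -> Tuple[List[dict], Dict[str, dict]]:
    """Split records into a working set with no direct identifiers and a
    re-identification table keyed by token. The two are meant to be stored
    separately; a breach of the working set alone exposes no names or addresses."""
    working: List[dict] = []
    lookup: Dict[str, dict] = {}
    for rec in records:
        token = subject_token(key, rec["email"])
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject"] = token
        working.append(stripped)
    return working, lookup


def records_for_subject(key: bytes, working: List[dict], email: str) -> List[dict]:
    """Subject access request: collect everything held about one person by
    token, so free-text fields never need to be searched for their name."""
    token = subject_token(key, email)
    return [r for r in working if r["subject"] == token]


def erase_subject(
    key: bytes, working: List[dict], lookup: Dict[str, dict], email: str
) -> Tuple[List[dict], Dict[str, dict]]:
    """Erasure request: drop the person's mapping and all of their working
    records. Returns new collections rather than mutating the inputs."""
    token = subject_token(key, email)
    new_lookup = {t: v for t, v in lookup.items() if t != token}
    remaining = [r for r in working if r["subject"] != token]
    return remaining, new_lookup


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; store apart from the data
    working, lookup = pseudonymize(key, CUSTOMERS)
    print("working set:", working)
    print("re-identification table:", lookup)
    print("records for A. Example:", records_for_subject(key, working, "a.example@example.com"))
    working, lookup = erase_subject(key, working, lookup, "a.example@example.com")
    print("after erasure:", working, lookup)
```

The key is what makes the tokens reversible, so if it is lost the working set becomes effectively anonymous, which is good for a breach and bad for your next access request: back it up as carefully as you protect it. Keep the key and the re-identification table away from wherever the day-to-day application reads the working set, otherwise the split achieves nothing.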
IMPLICATIONS OF GDPR ON A SOLE TRADER THERAPIST OR COACH
Any information held should not:
- be linked to further details of clients
- contain any images of clients
- be shared with others
As a coach/therapist, know what information you process, identify and mitigate risks and ensure you embed privacy and transparency into your processes.
If information is held only on paper there is currently no requirement to register with the ICO. For those who hold information on a computer there is still no need to register as long as any profit is not used to enrich others and you only:
- process information necessary to establish or maintain the support you provide
- share client information with the client’s consent
- keep the information as long as necessary
Check the ICO’s current fee and notification exemptions for yourself, as these rules are being revised alongside the GDPR.
Information Commissioner’s Office (ICO) website links
- The ICO has a dedicated ‘in-progress’ page on its website covering consent, but guidance is still in draft form – https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/gdpr-consent-guidance/
- ICO page for organisations – https://ico.org.uk/for-organisations
- ICO page for steps to take now – https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- Key definitions of the Data Protection Act – https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/
The EU General Data Protection Regulation (GDPR) portal: https://www.eugdpr.org/