Here’s how to get started on your GDPR journey.  

A report earlier in the year stated that 24% of businesses in London are not aware of the new General Data Protection Regulation (GDPR). Seeing as you’re reading this blog, we guess that you are! But the same report, from the London Chamber of Commerce and Industry, also found that:

  • 84% are unprepared (just 16% are ready)
  • 21% say that they would like to prepare, but need to find out more
  • 34% say that GDPR is not relevant to their business

Even as more businesses become aware of the legislation, it’s difficult to know what to actually do about it. Have you heard conflicting stories about who it will affect, or what it will mean for your business? We can help by setting out a practical approach to becoming GDPR compliant.  

GDPR applies to you

Many businesses assume that GDPR will not apply to them. Don’t make this mistake: the regulation is huge in scope and is aimed at all businesses. It’s not just for organisations that process large volumes of personal data; if you process any personal data at all (and, given the regulation’s broad definition, you almost certainly do), it applies.

The regulation does make some allowances for businesses with fewer than 250 employees, on the basis that they generally pose a smaller risk to data protection. However, small and medium-sized enterprises (SMEs) are still obliged to comply.

In short, you need to comply if:

  • Your company captures, stores, or otherwise processes personal data in the UK/EU, regardless of where the individual is from. So, if someone from South Africa provides you with their personal data and it is captured, stored or otherwise processed in the UK/EU, it is subject to the requirements of GDPR.
  • Your company is based outside the EU but offers goods or services to, or monitors the behaviour of, people in the EU.

Brexit will not remove GDPR from the UK. The requirements of GDPR are being written into UK law through the new Data Protection Act 2018, which comes into force on 25th May alongside GDPR.

So as a business you need to get on board. Let’s see what data you hold.

What is personal data?

Firstly, understand exactly what ‘personal data’ you hold. The GDPR’s definition is broad and covers a wide range of information. It includes any information relating to an identified or identifiable individual, that is, someone who can be identified, directly or indirectly, by reference to an identifier such as a name, an ID number, location data, or an online identifier.

So what does this mean?

Firstly, there is the instantly recognisable personal data that most people are familiar with, such as passport or driving licence details, contact details, and so on. These are pieces of information that relate directly to you and are often referred to as Personally Identifiable Information, or PII.

Then there is less obvious data, such as: ‘the young girl with brown hair and green eyes who drives a red Ford Fiesta and works in the accounts department at ABC Solicitors’. This is still personal data, and it matters because these details can be combined to indirectly identify someone.

On top of this, the regulation identifies special categories of personal data that require special treatment to ensure better protection. These categories are classed as having a higher degree of sensitivity, with a higher risk of harm or distress if inadvertently processed or disclosed.

These special categories are:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data or biometric data (where it is processed to uniquely identify an individual)
  • Health, or data concerning a person’s sex life or sexual orientation

View our Personal Data Infographic

Now you should have a clearer understanding of what types of personal data your business holds – the first step in your data discovery.

Audit your data

Next, you need to document the data you hold and where it came from. At the same time, identify why you have it and how you use it.

For example, are you tracking orders? Emailing previous customers? Is the information shared with any third parties, such as product suppliers or delivery companies? The audit is crucial for data transparency and will help you throughout the GDPR process.

  Data held              | Data source                  | Reason for data                          | How you use it
  -----------------------|------------------------------|------------------------------------------|--------------------------------------------
  Customer address       | Customer online order        | Logistics – to deliver order             | Shared with third-party delivery company
  Customer email address | Website opt-in registration  | Marketing – to communicate with customers | Stored by third-party email service provider

Once you have a clear idea of the data you hold and why, you need to work out whether you should be applying new rules for storing and processing that data. This will help you to define clear policies for data compliance from 25th May and beyond, as well as what to do if someone makes an information request or if there is a data breach.

Are you a Data Controller or a Data Processor?

GDPR defines two roles: data ‘controllers’ and data ‘processors’. A controller decides how and why personal data is collected, stored and processed. If you are a Data Controller, GDPR places obligations on you (your business) to ensure that your contracts with processors and/or suppliers meet the terms of GDPR.

As a Data Processor, you are responsible for processing the personal data on behalf of the Controller. This includes storing data on servers, handling addresses for logistics, or handling email addresses for marketing. Processors have specific legal obligations to maintain records of their processing activities, and they carry legal liability if they are responsible for a data breach. 

Often businesses are both Controllers and Processors, and it’s important to have policies in place that distinguish the two roles. Is your business part of a supply chain, or service related – for example, outsourced IT? You’ll have obligations as a processor on behalf of your customers, but you are also a controller of your own data.

If you use Data Processors, you are required to include specific terms covering the handling and security of personal data in your contracts with them. 

Don’t panic! Take one step at a time

There is lots of information about GDPR online and it can be confusing for businesses to know exactly what to do to achieve compliance.

Remember, GDPR is designed to give all of us more control over our personal data. The Regulations will unify laws and make them ‘fit for a digital world’.  For businesses, this also means embracing a spirit of clear and transparent data policies.

There are millions of UK businesses who will be affected by the Regulations across a variety of sectors. These businesses all collect different data, from different customers in different ways for different reasons. The important thing is not to panic and take one step at a time.

You know your business best. Use our template packs and guides to work through the compliance process, from auditing data to reviewing consent. By working rationally you can complete the required steps for GDPR and implement systems to ensure ongoing compliance.

> Read more

8 Steps to Succeed at GDPR
Data Protection Principles

Early bird offer

We’re offering a 3 month free trial for early adopters (standard trial 30 days). Register your interest for more details.