What does GDPR mean for your business?

Complying with General Data Protection Regulation

Is your business up to date with the EU’s unified framework of personal-data protection?

What is GDPR?

The General Data Protection Regulation (GDPR) was introduced by the European Union (EU) to provide a unified framework of personal data protection. It came into effect in May 2018 and impacts businesses, charities and individuals.

Now GDPR’s in place, these six key questions will help you understand how GDPR affects your business and if you’re meeting its requirements. Please note that not all businesses are the same and this guide shouldn’t replace professional advice.

How does GDPR protect individuals?

GDPR strengthens an individual’s rights over their personal data, including:

  • The right to be informed about what data a business has collected about them
  • The right to access this data
  • The right to rectification – to change any inaccurate data
  • The right to erasure – to have data deleted
  • The right to restrict processing – to stop a business processing their personal data
  • The right to data portability – to be able to move data to another organisation
  • The right to object to their data being collected or used
  • Rights in relation to automated decision making and profiling
  • The right to remedy – to be compensated for any unauthorised collection or use of data

Personal data relates to an identified or identifiable individual, rather than data referring to a company. Names and addresses can be considered personal data, as can other data that refers to a person, eg ID numbers and attributes such as gender, economic and social status.

Is GDPR applicable to my business or charity?

GDPR covers all information recorded electronically, and most recorded physically, that can relate to or identify any individual from the EU. This means that any business or charity wishing to interact with anyone from the EU must comply, even if based elsewhere. UK businesses and charities have to adhere, regardless of the ongoing negotiations around Brexit.

What if my business isn’t compliant?

The ‘right to remedy’ means that individuals have new and enhanced rights and, in some cases, the right to compensation. There are also significant fines of up to 4% of revenue or €20m for any organisations found to be non-compliant.

Alongside a potential fine, failure to comply with GDPR runs the risk of damaging your business reputation, as well as relationships with suppliers and partners. Getting on top of this regulation and ensuring your business is compliant should be a priority.

How can I make sure my business complies?

There are steps you can start to take to make sure you’re not caught out. A good starting point is to make checklists of the personal data you hold, its source, and how you use it. You can then review your existing processes and develop new processes, if needed, to comply with the regulation. Put simply, you must comply with the regulation when you’re using any personal data within your business.

Work out what data you hold on your customers
Most businesses across the UK, regardless of size or nature, will hold data on their customers. This could be as simple as email addresses and phone numbers, or more sophisticated data storage such as tracking customers’ online habits when visiting your website, or saved card details.

Lawful processing of personal data
You should consider the reasons why you are capturing and processing personal data. Note that there are multiple legal bases for processing data which you may be able to rely upon. If you need to rely on consent to process personal data (perhaps for some forms of marketing), you need to ensure that the consent is freely given and unambiguous, that it is obtained before the data is processed, and that it can be withdrawn at any time.

Allowing customers access to their data
If a customer wants to access the data you hold on them, you must have a process to provide access within 1 calendar month. If they wish to withdraw their consent and have the data deleted, you should be able to satisfy those requests.

Employee data
The regulation also covers your employee data, which you need consent to acquire and which you must protect. These aren’t the only actions you have to take, however.

The Information Commissioner’s Office (ICO) has put together 12 key actions:

  1. Awareness – make sure that decision makers and key people in your organisation are aware that the law has changed, and of its impact. 
  2. Information you hold – document what personal data you have, where it came from and who you share it with. This may need an information audit.
  3. Communicating privacy information – review your current privacy notices and make any necessary changes.
  4. Individuals’ rights – check your procedures to make sure they cover all the rights individuals have under GDPR, including how you’ll delete their data if requested, or provide data electronically and in a commonly used format.
  5. Subject access requests – update your procedures, plan how you’ll handle requests given the new timescales, and provide any additional information.
  6. Lawful basis for processing personal data – identify the lawful reason you’re processing personal data, document it and update your privacy notice to explain it.
  7. Consent – review how you seek, record and manage consent, and whether you need to make any changes. 
  8. Children – do you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data-processing activity?
  9. Data breaches – make sure you have the right procedures in place to detect, report and investigate a personal data breach. Make sure you’ve shared these processes with the appropriate members of your team.
  10. Data Protection by Design and Data Protection Impact Assessments – take some time to read the ICO’s guide to GDPR, and work out how to implement it in your organisation.
  11. Data protection officers – designate someone to take responsibility for data protection compliance in your business. Larger organisations might need to appoint a formal data protection officer – visit the EU Commission website to see if your business will need to do this.
  12. International – if your business operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. The ICO’s online checklist can help you do this.

All businesses are subject to the same principles, and the steps and sources of information here are by no means exhaustive and shouldn’t replace professional advice. For more help, we recommend speaking to a professional adviser or your accountant.

Do I need to appoint a data protection officer?

You might not need to – it depends on the type of data and scale of collection and processing you’re carrying out for your business. You can check whether you need to appoint one on the EU Commission website.

What’s happened to previous data regulation?

GDPR and the Data Protection Act 2018 have replaced the Data Protection Act 1998.