GDPR: 6 key elements to help SMEs prepare

Protecting individuals and increasing visibility of data use.

25 May is a landmark in data protection history, as the General Data Protection Regulation (GDPR) comes into effect, replacing the 1988 Data Protection Act (DPA).

Despite the publicity surrounding GDPR, research suggests the SME sector is less prepared than most for the changes, and that many businesses are unaware of what GDPR means for them or are unsure of what to do next.

GDPR applies to all business in the EU that collect, store and process personal data. The new rules change how companies are required to process personal data, such as customer lists and employee records. What is important to remember is that business data can also be personal data – for example, a sole trader’s email address may also be their personal email address.

Enterprise Nation, the business support network and a leading campaigning voice for small business, together with Experian, the data and analytics company, has set out six key elements of GDPR that business owners need to know. These elements outline some of the most important individuals’ rights, as well as business requirements.

1. Rights of Individuals

At the core of the GDPR is the theme of keeping individuals’ rights and interests front of mind at all times. Under the new regulation your clients and contacts will have the following rights:

• The right to be informed (see below for more information)
• The right of access
• The right to rectification
• The right to erase (see below for more information)
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

More information on the rights of Individuals can be found on the Information Commissioner’s Office (ICO) website.

2. Right to be informed

Businesses must be sure to provide details on how clients and contacts information will be processed and why.

Privacy policies also will need updating to reflect this and be in line with GDPR requirements. Don’t forget that any policy changes will need communicating to both new and existing clients and contacts.

3. Right to erasure (or ‘right to be forgotten’)

Individuals will now be able to request that their data is deleted.

This doesn’t give people an absolute right to be erased or forgotten, however it is possible under certain circumstances. For example, situations where there is no longer a compelling reason for the data to remain on file.

There are also occasions where this request can be refused. That is, when personal data has been processed for one of the following reasons:

• To exercise the right of freedom of expression and information
• To comply with a legal obligation for the performance of a public interest task or exercise of official authority
• For public health purposes in the public interest
• Archiving purposes in the public interest, scientific research historical research or statistical purposes
• The exercise or defence of legal claims

4. Data protection officer

As part of the new GDPR, it is a requirement that under certain circumstances a data protection officer (DPO) must be appointed.

This requirement would apply if, for example, you are carrying out large scale processing of special categories of data, or processing data relating to criminal convictions or offences. Public authorities will also need to appoint a DPO.

Of course, you may still appoint a DPO even if you’re not required to and this may be something to consider, to ensure that you have the resources and skills to manage your other GDPR obligations.

More information on DPOs can be found on the ICO website.

5. Obligations on data processors

According to the ICO, a data controller “determines the purposes and means of processing personal data” and a data processor “is responsible for processing personal data on behalf of a controller”.

Under the DPA, the statutory obligations are on data controllers only.

However, the GDPR sees data processors being given new responsibilities around the security of personal data during processing activities. Data Processors will also be legally accountable for compliance outside of contract terms.

6. Data protection impact assessment

A data protection impact assessment (DPIA) is a tool which the GDPR promotes so that businesses can effectively assess and comply with their own data protection obligations.

They allow you to identify and resolve any issues that may lead to non-compliance and the resulting costs and reputational damage that may ensue.

You are required to conduct a DPIA where the processing of data is likely to result in a high risk to the rights and freedoms of individuals.