How to Prepare for the New Data Protection Guidelines
What is GDPR?
On 25 May 2018 the EU General Data Protection Regulation (GDPR) takes effect and, in the UK, replaces the regime of the Data Protection Act 1998 (DPA). The new rules are designed to protect individuals and give them more control over how their personal data is collected, stored and used.
The GDPR is considerably stricter than the DPA, with much higher penalties for organisations that fail to comply. Collecting data has become far easier in the years since the DPA was introduced in 1998, so many small businesses now hold personal data, not just large companies.
The personal data a business collects is often used in many ways such as marketing (e.g. sending promotional emails), sales, client relationships (e.g. client calls) and employee contact. It is clearly worthwhile for any business and it is sometimes essential to collect this information. For example, a new employee would need to give their contact details and an emergency contact.
As more data is collected and stored on computers or online, the GDPR is intended to ensure it is kept safe and secure. Criminals target companies to gain access to their data, and small businesses are often singled out because their defences are typically weaker than those of larger organisations. When a breach occurs, the details of thousands of customers can be exposed, including names, addresses, email addresses and telephone numbers.
What GDPR Will Entail
Under the new regulations, companies will need to abide by the following rules:
• Where processing relies on consent, detailed records of that consent must be kept. These need to show what the person consented to, how they gave consent and when.
• Consent must be freely given, specific, informed and unambiguous, with a clear affirmative action. Silence, inactivity or pre-ticked boxes no longer count as consent.
• Consent can be withdrawn at any time, and withdrawing it must be as easy as giving it. Individuals also have a separate right to erasure (the ‘right to be forgotten’), under which a company must delete their personal data when there is no longer a lawful reason to keep it.
• Personal data breaches that are likely to pose a risk to individuals must be reported to the supervisory authority within 72 hours of the organisation becoming aware of them.
What Small Businesses Need to Do
Although small businesses may have fewer resources to devote to compliance, they are still expected to have things in order before the GDPR takes effect on 25 May 2018, and to follow the same rules.
As this may be harder for small companies, the best approach is to start preparing as early as possible. This helps to avoid heavy fines later if any of the regulations are not followed.
The GDPR replaces the Data Protection Act, so the regulations apply to all businesses. A few obligations are scaled by size: for example, organisations with fewer than 250 employees are exempt from some of the record-keeping requirements unless their processing is high-risk, regular or involves sensitive data. The duty to appoint a data protection officer, by contrast, depends on what the business does with data rather than on headcount.
Small Business Obligations When the GDPR Comes into Effect
By following the steps below small businesses can be well prepared for the introduction of GDPR in 2018.
• A data protection officer must be appointed by public authorities and by any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data) or criminal-conviction data. Many small businesses will not meet this threshold, but someone should still be responsible for ensuring personal data is collected, stored and used securely.
• Small companies need to be able to identify where all their data is stored and ensure it is secure. They should devise a plan to manage their data efficiently.
• Businesses need to know how to fully erase a person’s data, including from backups and any third-party systems, in order to honour the ‘right to be forgotten’.
• Staff should be trained on how to obtain and store personal data so that they follow the GDPR procedures in practice.
• A process should be in place to detect data breaches, assess their risk and report them to the supervisory authority within 72 hours of becoming aware of them, as this will be standard procedure under the new regulations.
By starting this process now, companies are less likely to breach the regulations and can avoid the large fines that come with doing so.
Companies should avoid leaving preparation until a few months before the deadline, as this leads to panic and confusion over what to do, with little time to get everything in order.
The Private Rental Sector
The GDPR applies across all business sectors, including the private rented sector (PRS). Whether a landlord has a small or large portfolio, they will need to abide by the new data protection regulations.
Any landlord who collects and manages personal data must be aware of their duties under the GDPR. Consent is only one of the lawful bases for processing, and much tenancy-related processing (such as taking a deposit or collecting rent) can rely on the contract with the tenant; but wherever a landlord does rely on consent, it must be specific and informed, with the tenant actively agreeing to the use of their data. Broad clauses and pre-ticked boxes will no longer be acceptable. Separate consent, or another clear lawful basis, is needed before personal data is passed to third parties such as referencing services.
Previously, landlords were instructed to give tenants a privacy notice explaining how their data would be used. Under the new regulations, that notice needs to set out in detail why the tenant’s personal data is being collected, the lawful basis for using it, exactly how it will be used, who it will be shared with and how long it will be kept. Where consent is the basis, it should be recorded, ideally by a signature, to show active agreement.
To prepare for the GDPR landlords should evaluate their current data collection processes and how they obtain consent. They should also assess how they handle their data and ensure it is stored and transferred safely. Effective security measures should be in place to prevent data violations.
This preparation may be harder for landlords with small portfolios, whose data collection and storage are often less streamlined and secure than those of larger landlords who already use professional systems. Early planning is therefore key to ensuring the GDPR is followed.