What is GDPR and how will it affect your small business?

The General Data Protection Regulation, aka GDPR, represents the most significant shake-up in data protection and data privacy regulation in over twenty years. But where did it all start?

Concerns for human rights and privacy were raised at the end of World War II. Following the atrocities committed during the war, there was a consensus that more could and should be done to protect people's privacy. This line of thought led the Council of Europe to introduce measures in the 1950s protecting the right of individuals to respect for their private life, including how private information about them is handled.

Fast forward to the 1980s, and we have the OECD guidelines on the protection of privacy (1980) and the Council of Europe's Convention 108 on data protection (1981), which built on the privacy rights already guaranteed by the European Convention on Human Rights. Then in 1995 the EU adopted the Data Protection Directive (95/46/EC) to protect individuals with regard to the processing of their personal data. It was this directive that was transposed into UK law as the Data Protection Act 1998, changing the entire landscape of individual rights in the UK.

However, with significant advances in the Internet, e-commerce and social media, it became clear that the 1995 directive was out of date and did not take the digital economy into account. The European Commission therefore proposed the GDPR in January 2012; it was adopted in April 2016 and, after a two-year implementation period, applies from 25 May 2018.

What is GDPR?

The GDPR is designed to strengthen data protection for individuals in the EU. It covers the processing of personal data, building on the existing directive, and comes with four key objectives, the first of which, and probably the most important, is the strengthening of individual rights.

In today's digital world, many people fear we are not as well protected as we could be. Our details are stored by more organisations in more places than ever before, so we need to be sure our information is kept safe and used responsibly, and that those who have access to our data are held accountable.

Another area that needed addressing was that across the EU there were different interpretations of the 1995 directive, with each member state having its own implementing law. The GDPR is a regulation rather than a directive: it applies directly in every member state and is designed to iron out these inconsistencies by providing one common framework.

We also hear of cyber attacks on a daily basis. People's details are stolen, or personal data is lost through incidents as mundane as leaving a laptop on a train. A stronger obligation had to be placed on data controllers, and for the first time directly on processors, to protect data against unauthorised or unlawful processing and against accidental loss, destruction or damage. The GDPR requires security measures appropriate to the risk (pseudonymisation and encryption are named as examples) and, where a breach is likely to put individuals at risk, notification to the supervisory authority within 72 hours of becoming aware of it.

Finally, the way in which our data is now used is vastly different from even just 10 years ago. Our details are monitored, tracked and analysed continuously, and it has long been felt that individuals needed more protection.

What does GDPR cover?

The GDPR concerns natural persons, meaning living individuals, and seeks to protect them wherever their personal data is processed. Personal data is any information relating to an identified or identifiable person, so it covers anything that can wholly or partially identify someone, including identifiers such as a name, an ID number, location data or an online identifier. Processing is any operation performed on personal data (collecting, storing, using, disclosing or erasing it), whether carried out wholly or partly by automated means or on personal data that forms part of a manual filing system.

As a small business, you are accountable for the personal data you hold, and you must not infringe the rights of the individuals it relates to. Therefore, you need to be aware of the eight rights laid down by the GDPR:

1. The right to be informed

If you were asked how many businesses were holding and using your information right now, the chances are you wouldn't know. The GDPR gives you the right to be informed about who is using your data, why, and how. As a business, you too will be legally obliged to provide this information to your data subjects, normally through a privacy notice given at the point the data is collected.

2. The right of access

We all have the right to access our own personal data. We have the right to ask for it, and the companies that hold it have to comply in furnishing us with it. With the introduction of GDPR, a considerable rise in subject access requests is expected, where people ask to see what information is held about them. Unlike under the 1998 Act, you can no longer charge a standard fee, and you must normally respond within one month. So consideration should be given to how you will find all the data you hold on an individual and handle an influx of requests within that deadline.

3. The right to rectification

If you are holding details on data subjects, they have the right to have inaccurate details corrected and incomplete details completed, and they are more likely to exercise this right if the information is being used to make decisions about them.

4. The right to erasure

Commonly referred to as 'the right to be forgotten'. If someone asks for their details to be removed, they must be erased unless you have a lawful reason to keep them, such as a legal obligation to retain the records. Remember that anyone you have disclosed the data to must also be told about the erasure, so keep a record of which processors and other recipients hold copies.

5. The right to restrict processing

Individuals have the right, in certain circumstances, to have you restrict how you process their data, for example while they dispute its accuracy or while an objection they have raised is being considered. When processing is restricted you may still store the data, but you may not otherwise use it without their consent or another lawful ground.

6. The right to data portability

This right lets individuals obtain the data they have provided to you in a structured, commonly used and machine-readable format, and have it transmitted directly to another provider where technically feasible. It applies to data processed by automated means on the basis of consent or a contract, and it exists precisely so that data protection cannot be used to lock customers in or obstruct a switch of supplier.

7. The right to object

The GDPR gives every one of us the right to object to our data being processed, either in general or for specific purposes. The right to object to direct marketing is absolute: once someone opts out, you must stop using their data for that purpose.

8. Rights related to automated decision making and profiling

In a highly digital world, computerised decisions are regularly made that can have an enormous impact on our lives, whether it's a job application, a loan or a finance agreement. Where a decision based solely on automated processing, including profiling, has legal or similarly significant effects on someone, they have the right not to be subject to it and, where such decisions are permitted, to obtain human intervention, express their point of view and contest the decision.

GDPR will touch every aspect of your business, from marketing and sales, where customer and prospect information is used, to HR, which holds and maintains employee data, to IT, which is responsible for providing the means to process and secure the data. If you are still unsure about how GDPR will affect you and your business, check the guidance published by the Information Commissioner's Office (ico.org.uk), the UK supervisory authority, and on the gov.uk websites, which is updated as the position develops.