With the new General Data Protection Regulation (GDPR) set to be implemented in May 2018, much of the UK’s SME community remains unsure about whether the regulation affects them and, if it does, what they need to do to comply.
In a recent survey by Close Brothers, businesses reported confusion over what ‘personal data’ really means, over their customers’ new and extended rights, and over whether the permissions they currently hold to contact customers will meet the requirements of the GDPR.
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR so now is the time to prepare.
The GDPR requires you to show how you comply with a set of core principles.
Data will be…
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Close Brothers Business Barometer, a quarterly survey that questions over 900 UK and RoI SME owners and senior managers across a range of sectors and regions, demonstrated a worryingly high rate of confusion amongst business owners and managers.
Less than a third (31%) of SMEs answered ‘yes’ to the question ‘are you clear what ‘personal data’ means in a business context?’, with 50% saying ‘sort of’ and the remaining 19% ‘no’.
Neil Davies, CEO, Close Brothers Asset Finance, commented: “All personal data has to be managed in a safe and secure way; has to be gathered lawfully; is only used for the purposes for which it was collected, and must be accurate and up-to-date.
“The figures from the Barometer tell us that uncertainty persists on a number of key compliance issues and SMEs are concerned about the implications for them and their business.”
“The GDPR’s definition of personal data makes it clear that even online identifiers, for example an IP address, can be personal data,” explained Neil. “The new definitions provide for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.”
Neil continued: “How it works is that companies must get prior consent from data subjects (opt in) and record that consent. What’s more, the consent must relate specifically to the purposes for which a company needs that data; companies cannot get consent for one purpose and then use the gathered personal data for another.
“On top of this, consumers must be able to revoke their consent as easily as it was originally given because many consumers complain that it is easy to opt in to data gathering, but difficult to unsubscribe or opt out.”