As the 25th May 2018 edges closer, more and more businesses are thinking about what they need to do to prepare for GDPR. Just in the last few weeks, I have been invited to speak to numerous events on exactly this topic. I thought it would make interesting reading to share the questions that I seem to be asked most often at the moment. My answers here cannot hope to be truly exhaustive, but I hope they provide some food for thought.
Does GDPR apply to small businesses?
Of course, the answer is ‘yes’. GDPR applies to data so anyone who collects, holds or does anything with personal data will have to comply with GDPR’s rules, whether businesses, self-employed people or voluntary organisations.
Do I have to always get consent from people to use their personal data?
No. The GDPR provides six lawful bases on which you can deal with personal data – consent being one of them. What you should be considering is which basis is the most appropriate for your circumstance.
For example, getting consent from your employees to process their data is unlikely to be appropriate because your employees probably don’t feel they have any choice but to give their consent (if they value their job; consent must be freely given). A more appropriate reason in this case would be contractual necessity – you need to have their details to pay their salary.
(If you want to read more about the six legal bases for processing data, we’d recommend the ICO website)
Is data security all about IT?
No. The GDPR says you must take appropriate technical and organisational data security measures. In practice this means many things, including something as simple as ensuring filing cabinets containing personal data are kept locked. It also means ensuring your staff are trained to know what information they can and can’t share with a third party over the ‘phone; that, too, is an essential data security consideration.
Will I have to delete all the data we have about someone if they exercise their ‘right to be forgotten’?
It depends on several things, including whether you are relying on their consent. As this is a new and challenging area it would be sensible to seek professional advice if someone tells you they want you to ‘forget’ about them. However, as a guide, if there is a legal imperative that requires you to retain details, you have grounds not to delete them; for example, where you are legally required to retain records for a set period.
Will we still be able to send out newsletters?
Yes. The GDPR does not replace the rules on marketing. However, if you are sending marketing newsletters to individuals (consumers), sole traders and some partnerships you will have to be sure that you have the consent of the recipient. Bear in mind that you will need to be able to demonstrate that you do have the individual’s consent, and make sure that they have a straightforward way to ‘opt out’ if they want to.