Guide to the New Definitions and Requirements of the GDPR
21st March 2018
It is just over two months until the enforcement of the new General Data Protection Regulation (GDPR). Yet a recent Close Brothers study has highlighted that only a quarter of all small and medium-sized enterprises (SMEs) across the UK have started preparing for it. Worse, only a third of SMEs are aware of the implications of the GDPR.
With this in mind, we thought now is the perfect time to cover some of the central definitions of the GDPR and what it will mean for all SMEs.
Data Subject
A Data Subject refers to the person who is the focus of the personal data in question. For the average SME, this will be the information you hold on your customers and employees. Under the new GDPR, Data Subjects will have new rights that will need to be fulfilled, regardless of the size of the business or the amount of information held.
The GDPR also applies to any organisation that operate in the EU, regardless of where the organisation is based. So, if your company is based in the US but provides services or goods to EU citizens, their data is still protected by the new GDPR.
Personal Data
Under GDPR, Personal Data can be applied whenever information can identify that person. Directly or indirectly, any information held on a person that could be considered personal will be under the jurisdiction of the GDPR.
This includes, but is not limited to: the person’s name, an ID number, and any location data that the company has collected. Anything relating the physical, mental, economic, cultural or social identifiers are all protected by the new rights, which likely means that anything and everything you have ever collected about both your employees and customers is subject to the new regulations.
Data Controller
A Data Controller ‘determines the purposes and means of processing’ the personal data of a Data Subject. The Controller is the company that is using and getting value from the personal data of the Data Subjects.
For example, a Retailer is the Data Controller of their customers’ information if they collect email addresses for contacting their customers with deals and new product information. The retailer defines the use of the email addresses of their customers, which makes them the Controller of all that data.
A Data Controller has responsibilities to ensure that any Processors they use to collect that data comply with the GDPR. Your business could be at risk of a share of any fines in the case of a breach of the regulations. If you are a Data Controller, now is a good time to contact your data processors to find out what steps they have implemented to comply with the GDPR.
Data Processor
A Data Processor ‘is responsible for processing personal data on behalf of a controller.’ The Processor is the company that is collecting, recording and storing data for the Data Controller.
From the previous Retailer example, the Processor could be the mailing service they use to send emails to their customers. The Retailer should check with the Processor that they have considered the GDPR when processing the Retailer’s customer data as soon as possible. The legal liability of any data breaches falls immediately on the Processor.
How to prepare – Audit Data, Check Opt-in settings, Invest in Staff Training
The Information Commissioner’s Office (ICO) have prepared a useful 12-step guide to help businesses prepare for the GDPR.
The most valuable thing any company can do to start the process of preparing for the GDPR is a data audit. This will include discovering and documenting all the data your company holds, where it came from, how you use that information and who you share this data with.
Once you know what data you hold, and why, you should start to gather the permissions used to gather the data. If these permissions are out of date, there needs to be some sort of process for deleting and removing the data safely and securely.
Check your company’s opt-in settings for any websites, e-commerce sites, and electronic communications that collect personal data. Under the GDPR it is no longer enough to consent through usage. Users must positively affirm consent to the collection of personal data. Most companies will have to rethink their current settings to ensure that no data is collected unless the user actively gives permission.
Your staff should also be trained how to handle personal data and comply with the GDPR. Investing in staff training will help demonstrate your commitment to the new regulations and will help every member of your company use data in the right way. Another benefit of this is that every employee can use your data to make informed decisions and create efficiencies by identifying opportunities and high-value customers who may otherwise be overlooked.
For information about Data Clarity’s data auditing services and data management solutions, contact our team.
