100 days until GDPR: A quick-start guide for small businesses
Believe it or not, it’s just 100 days as of Valentine’s Day until the GDPR comes into force on 25 May 2018. Whether you’ve fallen in love with GDPR or not, you might want to use this date as a milestone to measure how well your GDPR preparations are progressing.
For example, you might want to tune into one of our GDPR webinars to better understand GDPR and some of the steps businesses like yours can take.
However, below are some headline examples of how GDPR will affect the typical functions and/or departments of a small business, with the following caveats. Firstly, this is not an exclusive list and nor is it a substitute for receiving legally qualified advice or examining your own procedures and methods in depth (see the Sage Legal Disclaimer at the end of this piece).
Secondly, at the time of writing the exact impact of the GDPR isn’t yet known. For example, we lack practical examples of what agencies such as the Information Commissioner’s Office are likely to find acceptable or objectionable, and some of the wording of the GDPR legislation is open to interpretation.
Therefore, what’s detailed below can only be considered as educated guesses at the very best.
Sales and marketing
The GDPR’s new, stronger requirements for consent can hit marketing and customer processes in a particularly harsh way.
Existing marketing data
Put simply, with existing databases for marketing leads you will have to undertake two tasks, at least, prior to the GDPR’s implementation:
- Legally review the consent that was used originally and see if it’s compatible with the GDPR’s requirements.
- In the likely event that your existing consent isn’t sufficient, and there’s no other basis for lawful processing of the data, you will have to contact each and every one of the individuals in the database to seek new consent. If you don’t receive fresh and specific consent for the ways in which you’d like to process the data, then that individual’s data must be suppressed or deleted.
It’s been estimated that the above requirements could mean databases such as those for sales and marketing are reduced by as much as three quarters. However, it’s also been pointed out that those customers who respond with fresh consent are proving themselves more valuable because of their willingness to engage with your business.
Remember that consent is only one possible requirement for lawful processing. If an ongoing contract between you and a customer or client already exists – or is likely to do so soon – then you don’t necessarily have to get consent, for example, where that processing is necessary for the performance of a contract or in the legitimate interests of your business and/or the customer.
Consent moving forward
Of course, you will need to create new GDPR-compatible processes for any personal data you gather from individuals moving forward and this may involve getting consent.
Remember that you can no longer assume consent or use a single consent as carte blanche for all processing activities, or use a pre-ticked box on a website to assume consent is given.
Before purchasing any marketing leads, you will need to ensure the consent of each individual contained within complies with the GDPR – which is to say they will have given clear and individual consent for their details to be sold on in this way. Considering most people are unlikely to agree to this, the sale, purchase or transfer of marketing leads is likely to become a rare activity.
The GDPR says you can’t simply grab lots of data from an individual without justification, so marketing can no longer be a “fishing expedition” where you present checkboxes or a questionnaire with a view to somehow using the data you collect in future.
Your processes will need to show what data you’re collecting and explain what you intend to do with it – and you may need to gather consent for using that data in a specified way. You should also document when you intend to suppress or erase it.
Dealing with customer enquiries
The GDPR gives your customers and/or clients new rights to know what you’re doing with their data. They also have the right to withdraw consent, subject to certain exemptions, or the absolute right to withdraw consent from certain uses of it (such as direct marketing).
You will need to put in place procedures and possibly staff to deal with this, such as a Data Protection Officer, and your staff will need to perform tasks such as documenting such requests and clearing any future marketing lists against the internal suppression list.
Human resources and payroll
Considering people management and payroll involve processing massive amounts of personal data, it’s incredibly likely that existing processes will have to be revised significantly for the GDPR.
Consolidation and security
Because of the GDPR’s additional security requirements, businesses should consolidate all their personnel and payroll data into as few locations as possible in preparation. This is because of the requirement for data to be secured. Effectively securing personal data and/or payroll data that’s spread across a range of Excel spreadsheets, for example, is likely to lead to disaster.
The GDPR-compliant processes you create will need to consider all sources of data, which can be challenging with people management. For example, how will you securely store sick notes or even emails or text messages requesting holiday leave? How can timesheets be securely handled and stored? How do you restrict access to personal data to ensure only those who have a “need to know” can access it?
Similarly, and as before, payslips must be provided in a secure way. This is prompting many businesses to switch to online rather than printed payslips, wherein an employee must securely authenticate online before being able to view the information.
Because the employee has entered into a contract with you, and you’re processing their data on the basis of the employment contract or for your legitimate interests, it’s not necessarily appropriate to get consent in the day-to-day employer-employee relationship.
You may however need employee consent for any processing not directly connected to that relationship, e.g. if you want to see an employee’s occupational health records. This includes consent for sensitive data, although the GDPR here bows to national laws. At the time of writing, the implications of this are not yet fully understood.
GDPR means you potentially have to give staff full visibility of the data you hold about them. You must respond to subject access requests (SARs). Notably, you retain the right to refuse unfounded or excessive requests but will need to demonstrate how they are unfounded in your compliance documentation.
You’ll need to create clear and GDPR-compliant privacy notices to ensure you provide all the information to which they are entitled under GDPR’s requirement for transparency. You may need to provide easy-to-access functionality to allow employees to opt out of the various ways you use their data. You cannot use their data for any other purpose without notifying them.
From the moment a potential employee submits a curriculum vitae (CV) or application form, you’ll have to start to record when and how you obtained this data and on what lawful basis it’s held.
Speculative CVs received out of the blue from jobseekers also present issues as HR departments won’t be able to hold them on file unless they can tie them to a clear record of consent that includes an agreed time limit.
You might want to think about requesting explicit consent from candidates about keeping their CV on file for a period of time. As above, you’ll also need to provide clear, GDPR-compliant privacy notices for jobseekers.
The GDPR means you should not hold on to employee data once that individual has left unless there’s a lawful reason to do so. This must be considered within the right to be forgotten, but this is not an absolute right if there’s a lawful reason for you to hold the data. For example, if a former employee is taking you to an employment tribunal then you will need to keep hold of that data.
However, you will need to ensure that your systems and processes are able to remove all data about that individual, which suggests another reason to aim for consolidation of data across as few systems as possible.
Accounting and finances
Of all departments within a business, the accounting department is perhaps hit least by GDPR preparations and requirements. A good rule of thumb is that, unless the accounting data is linked to an individual, there should be no issue.
If your accounting data is linked to an individual then in most cases you’ll already have a contract with them (for example, a sales contract), and for accounting purposes will be processing the data for their and your legitimate interests.
If there’s a need to get consent to use an individual’s data then the requirement for processing it for accounting purposes should be specified during the process of gaining consent. This might involve the accounting person or team reaching out to all departments to ensure GDPR compliance has occurred further upstream.
Where problems might arise is if you hire a bookkeeper or accountancy firm in any capacity. You should ensure they are GDPR compliant, that the technology and software they use is GDPR-ready, and that how and where they store data is also GDPR-compliant.
IT
IT departments are the facilitators of a lot of GDPR compliance considering most work within a business is done via technology nowadays. For example, with the increasing use of cloud services, the IT department will have to ensure that anywhere data is stored complies with the security demanded by the GDPR.
However, this isn’t necessarily about providing software or hardware for GDPR readiness. The IT department might have to securely dispose of existing data, such as customer databases that lack adequate consent notifications, and put in place ongoing methods for data to be deleted securely to meet the GDPR’s much more strict guidelines about data retention and use.
The IT department should also take the lead by implementing robust processes for reporting data breaches or other forms of GDPR non-compliance. Considering this might involve contacting customers, the IT department will need to reach out to all departments to ensure they understand the GDPR’s reporting requirements.
As before, duplication of live data for testing and pre-production purposes is impacted by the GDPR, in that using the data in this way might not be possible without explicit consent.
Sage Legal Disclaimer
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.
While we have made every effort to ensure that the information provided herein is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.