Data Protection - what do you actually have to do as a small business
We doubt that many readers will have failed to notice that the law regarding data protection changed on 25th May 2018. You may already be fed up with hearing about it, but here are our suggestions:
Check the personal data that you collect and process, as well as the purpose for which you do it and decide which “legal basis” you are using
As an employer, you will be processing the personal data of employees based on the employment contract and other legal obligations, e.g. reporting to tax authorities.
You will no doubt also manage a list of individual customers, for instance to send them notices about special offers/adverts if you obtained consent from these customers. You don’t always need consent. There are cases where individuals will expect you to process their data. This is called a legitimate interest and is one of the “lawful bases” that you can rely on. You must inform individuals about your intended use and stop processing such data if they tell you to do so.
If you manage a list of suppliers or customers, then you do it based on the contracts you have with them. The contracts are not necessarily in a written form.
Inform your customers, employees and other individuals when you collect their personal data
Individuals must know that you process their personal data and for which purpose. You have to inform individuals about the personal data you hold on them and give them access to their data on request. You should keep your data in order, so that when, for example, an employee asks what sort of personal data you hold on them, you can provide it easily.
Keep the personal data for only as long as necessary
For employees, keep the information for as long as the employment relationship and related legal obligations last.
For customers, keep it for as long as the customer relationship and related legal obligations (for instance for tax purposes) last.
In both cases, delete the data where it is no longer necessary for the purposes for which you collected it.
Secure the personal data you are processing
If you store this data on an IT system, restrict access to the files containing the data, e.g. with a password. Regularly update the security settings of your system.
If you store physical documents containing personal data, ensure that they are not accessible to unauthorised persons; lock them in a safe or a cupboard.
Make sure your sub-contractors respect the rules
If you sub-contract the processing of personal data to another company, use only a service provider who guarantees processing in compliance with the requirements of the new rules under GDPR (for instance security measures). Before you sign a contract, check whether they have already adjusted to the GDPR, and put these requirements in the contract.
Check if you are concerned by the provisions below
- It is likely you will not need to designate a Data Protection Officer if the processing of personal data isn’t a core part of your business and your activity isn’t carried out on a large scale.
- Fines. The supervisory authorities are empowered to sanction infringements of the data protection rules. They can order a temporary suspension of the processing and/or impose a fine. If they decide to impose a fine, the amount will depend on the circumstances of the case, including the gravity of the infringement and whether it was intentional or negligent. They are likely to take your attitude and intentions into account.
- Breaches. You are obliged to notify the authorities within certain strict time limits.
If you are concerned about any of the above, the team at Bradley & Jefferies Commercial Solicitors would be pleased to help.
This entry was posted on June 14, 2018