The General Data Protection Regulation (GDPR) will become law on 25th May 2018. It is the biggest data protection shake-up for twenty years and impacts every business in the world that processes the personal data of UK and European citizens. It will also have an impact on the intruder alarm industry and security system installers.
GDPR is based around two main principles:
- Giving individuals more control over their personal data
- Simplifying data regulation amongst EU small businesses
It governs the way a company holds, processes, stores and manages personal data. It relates to the data files, internal business processes and controls, and the way a business is run. If you hold and process personal information about your clients, employees or suppliers, you are legally obliged to protect that information.
Under the GDPR, you must:
- only collect information that you need for a specific purpose
- keep it secure
- ensure it is relevant and up to date
- only hold as much as you need, and only for as long as you need it
- allow the subject of the information to see it on request
The UK government has confirmed that Brexit will not affect the GDPR start date or its implementation. It has also confirmed that post-Brexit, the UK’s own law (or a newly-proposed Data Protection Act) will directly mirror the GDPR.
Will the GDPR affect my business?
GDPR applies to any business that processes the personal data of EU citizens. This includes customer, supplier, partner and employee personal data.
So, as a security system installer, you need to ask yourself how often your business deals with personal data. If you're collecting data routinely, you'll need to comply with the GDPR, whether the data is on a spreadsheet, on your computer network, on your mobile phone, or in the cloud.
Ignorance of the new regulation will not be a defence and failure to comply will be punishable by fines up to €20 million, or four per cent of annual turnover, whichever is higher.
Despite this, the Federation of Small Businesses says that 90% of UK small businesses are still not prepared for the deadline.
Am I prepared?
To help small businesses find out if they're prepared, the Information Commissioner's Office (ICO) provides this useful 12-step checklist:
- Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
- Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.
- Children
You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
- Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party and work out how and when to implement them in your organisation.
- Data Protection Officers
You should designate someone in your business to take responsibility for data protection compliance. You should also consider whether you are required to formally designate a Data Protection Officer.
- International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
If you’re still in any doubt, the ICO also has a self-assessment checklist that you can take to see if your business is affected. Before doing the self-assessment, you need to decide if your business processes personal data as a ‘data controller’ or ‘data processor’. It may be both, in which case you should complete both assessments. (The definition of these two terms can be found in the ICO’s Guide to the GDPR).
Don’t leave it too late!
Remember, businesses in breach of the GDPR could see fines of up to €20 million, or four per cent of annual global turnover, whichever is higher. These eye-watering amounts mean that insolvency could be a real risk for non-compliant businesses. So, don’t wait – act today!
- Guide to the General Data Protection Regulation (GDPR) (from the Information Commissioner's Office)
- GDPR for Small Businesses (a guide from Simply Business)