Still not ready for GDPR? We answer your most burning questions

Written by Paula Devine | 02 May 2018

With less than a month to go, the GDPR deadline is imminent. If you feel far from readiness, rest assured you’re not alone.

As a small business owner, you are very unlikely to have your own internal data protection officer, so you are probably handling your business's GDPR compliance alone. To help you along the way to full preparation, we have tried to tackle some of the most common questions.

I have under 10 employees, does the GDPR still apply to me?

If you collect, hold or process the personal data of identifiable individuals in the EU, the GDPR applies to your business. This is regardless of the number of employees, turnover, or size of your company.

The ICO, following the wording of the GDPR itself, defines ‘personal data’ as any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.

The GDPR ultimately gives power back to the individual, so that they can more readily control how their data is collected, used, retained and shared.

Do we have to delete all of our data?

Before fear leads you to carry out a large-scale deletion of all of your data, consider the lawful basis for holding and using it. If the data was given to you with consent that meets the GDPR standard (freely given, specific, informed and unambiguous), or you need it to supply a product or service the customer has purchased from you, or its use is in your legitimate interests and that interest is not overridden by the individual’s own rights, then you have a lawful basis for keeping it. If the data was bought or obtained unethically, illegally or without the individual’s knowledge, through means that do not comply with the GDPR, then you will need to delete it securely.

What if I don’t know what information we collect or where it is?

Carrying out an information audit is the best way to unearth all of the personal data you hold. It will also help you uncover redundant data that might be lying around in historic email marketing systems or filing cabinets. Unless there is a legitimate, GDPR-compliant justification for retaining and/or processing that data, you should securely delete it.

All personal data, whether it belongs to suppliers, clients, employees or third parties, needs to be meticulously analysed. You will need to answer:

  • What personal data you hold
  • Where it came from
  • How it was collected (If consent is the legal basis for processing, then do the permission statements satisfy the consent guidelines required under GDPR?)
  • How long you have held this data. What are your retention periods?
  • Who you share it with, and by what means

If you feel you don’t have time for this, as many business owners will, DAMM Solutions offer a data audit service, as do many other companies, so this isn’t something you necessarily have to tackle alone.

Do we need a privacy policy?

The aim of a privacy policy is to tell the individuals whose data you hold, clearly and in plain language, how your organisation collects and handles that data in a GDPR-compliant way. Best-practice privacy policies are widely available online, where you can also find some very useful resources to help you write yours.

Your privacy policy should ideally be written in your company’s tone of voice, and include information on:

  • Exactly what information you collect
  • Who is collecting it, and how
  • How you intend to use the information
  • Why you are collecting this data (your lawful basis)
  • How long you will retain this data
  • Any effect the processing will have on the individuals concerned
  • Whether the individuals concerned are likely to complain or object
  • Whether, and why, this information will be shared with any third parties

If individuals feel you are misusing their personal data in any way, they have the right to complain to the ICO. It is considered best practice to say so within your privacy policy.

What if we suffer a data breach?

Under the General Data Protection Regulation, if you experience a personal data breach that is likely to pose a risk to individuals’ rights and freedoms, you must notify the ICO within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the individuals whose data was compromised, you must also tell them directly, without undue delay. Transparency is, after all, one of the underlying goals of the GDPR.

If the ICO fine us, it will cripple our business!

Rest assured that while businesses will be reprimanded for non-compliance, the likelihood of a large fine is incredibly low. Information Commissioner Elizabeth Denham has set out to reassure the public that the aim of the GDPR is not to cripple businesses with eye-watering fines, but rather “greater transparency, enhanced rights for citizens and increased accountability”.

She wrote an excellent blog post that aims to separate the facts from the fiction, points out that fewer than 0.1% of the cases the ICO handled resulted in fines, and advises ignoring most of the scaremongering headlines that appear in the press. She writes that “The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”

I have more questions. Who can I turn to for help?

As your local Chamber of Commerce, we are here to advise and guide local businesses when and where they need it. Whilst we will help as much as we can, the ICO also runs a free advice line especially for small businesses with GDPR questions.

If you haven’t already, we strongly recommend downloading our guide to the GDPR, written on behalf of the Chamber of Commerce by DAMM Solutions, which aims to cover the queries, questions and anomalies you are likely to meet in the GDPR, ensuring you are prepared and compliant before 25 May.

Topics: Bedfordshire Chamber of Commerce, GDPR

Written by Paula Devine

Paula is Head of Membership and Global Services at Bedfordshire Chamber of Commerce.