Understanding GDPR 2021. I’d like to welcome Sarah Banks from banksbusinesssolutions.com. Sarah’s very kindly agreed to help us understand GDPR and what we need to know, its implications and how we get it.

Could you explain what GDPR is?

GDPR stands for General Data Protection Regulation and this was brought in by the EU back in 2016 in order to protect the data of anybody that’s given their information to a business. Data could be anything from an email address right through to somebody’s medical history, their race or political views. All these pieces of data are information on a living citizen; they are clusters of data and are covered by GDPR, which became law in May 2018. I will touch on how Brexit has affected this because the UK isn’t part of the EU anymore. The issue is that Brexit covers EU citizens regardless of where the business is based, so GDPR covers all businesses that have any form of contact with any EU citizen, and in the UK we have the Data Protection Regulations 2018, which basically mirror GDPR for UK citizens.

Who needs to have a GDPR policy? 

Any business collecting any piece of data about an individual. It isn’t just about having a statement, it’s about being compliant in the way that you handle that information. Even if someone sends an email to your business and you open it, you have processed that person’s data because you’ve opened the email and seen their email address. If you’re processing data of any form you have to be compliant with how you handle that information.

There are a few things that you need to do.

  1. You have to have a privacy policy and generally that will be displayed on your website, but if you don’t have a website you need to have a privacy policy that you can give to people at the point at which you collect their information.
  2. You need to have a cookie policy if you’ve got a website. Cookie policies get a bit more complicated because they’re also part of what’s called the Privacy and Electronic Communication Regulations. 
  3. You need to have policies within your organization on how you handle data.
  4. You need to be certain that all the systems you’re using are compliant for GDPR, so for example if your emails go through Office 365 you need to make sure that you’re using the right version of Office 365 to be compliant. I know that a lot of sole traders working from home are using the home version of Office 365, which isn’t actually compliant for GDPR. You need to have the business version. Similarly with the operating system on your laptop: if you’re using the personal version of Windows, that won’t be compliant, you need to be using the professional version. So there are lots of things like this that you need to understand. It isn’t just a case of getting a policy in place, you need to go through a process of understanding what data you collect within your business, where you store that data, and whether or not where you store it is compliant for GDPR. When you know that you can then complete your privacy policy.

Does that also apply to Apple computers?

Yes, the Apple operating system is compliant, because Apple is set up more for professionals. The main reason that Windows isn’t compliant as an operating system is because it can’t be encrypted within the home version, and encryption is really, really important. If you were to lose your laptop, phone or your tablet that would class as a data breach and you would have to report that to the regulator, which in the UK is the Information Commissioner’s Office. They would decide whether you had taken the necessary steps to be compliant with GDPR. If your device is encrypted there is no way that anyone will be able to get at any of that data, and therefore you will be deemed to have complied with GDPR.

It sounds as though it’s very complicated drawing up your GDPR policy. Is it something people can do by themselves?

I would advise everybody to get some form of advice, either from someone who is professionally qualified and knows what they’re doing in GDPR, or go to a lawyer. However, the Information Commissioner’s Office does have a template on their website that you can download, but you need to understand the data that you have in your business, why you have that data and what you’re doing with it in order to be able to fill that in. This is where it’s hugely time consuming and there’s an awful lot to understand if you don’t know what you’re doing. You need to know what the difference is between personal data and special category data, what the difference is between a data controller and a data processor, and what the lawful basis is for you to process data, and there are six of those. If you’re not sure about all of this and you haven’t got time to spend hours reading it all on the ICO website or the GDPR regulations, it’s easier to get somebody in to help and support you that knows what they’re doing.

We have heard of some big corporations being prosecuted for data breaches. Is it happening to smaller businesses as well?

As of yet there haven’t been any prosecutions of smaller businesses, but there are lots of rumours around as to how this is going to be policed in the future and how people will check it out. The key risk to a small business is if they’re using a big system such as Google and Google has a breach; they then have to deal with that breach themselves, and would have to report it because potentially their data has been breached. If they weren’t set up properly in the first place the ICO are going to come in and investigate what they could have done better, and at that point the ICO will make a judgment as to whether you should be fined because you did nothing, or whether you’ve done enough that they think giving you advice and support will be enough.

How often should a business look at their GDPR policy to update it? 

At least annually, because you may bring in new systems and may change your processes. You may change the data you collect, so I believe it would be better practice to do it every three to six months. You’re going to pick up things as you change them, but you also need to look at key changes that affect GDPR. One of these is Brexit, obviously, now the UK has left the EU. We have become what’s known as a third party process now for EU data. It sounds a little bit complicated, but basically it means that whilst we were part of the EU, any data we processed on EU citizens was just processed as it normally would be under GDPR. Now that we’ve left the EU, the EU have to decide if in the UK we’re okay to continue processing data on EU citizens. That decision is going to be made at some point between the 30th of April 2021 and the 30th of June 2021. We don’t yet have a date and we don’t yet know what the decision is going to be, so at least up until the 30th of April we can carry on as normal. Every business this year should really be looking at things after that date and what effect the decision of the EU has on whether or not they can continue to process data in the same way.

What mistakes do you generally find with companies who’ve tried to do their own GDPR forms?

The key thing that businesses miss out is generally a system that they’re using. They don’t think about their internal processes and who they’re sharing data with. Quite often you’ll find that businesses have an outsourced team of some description. For example, they contract someone to do their website maintenance who will have access to data within their business. They haven’t considered that as someone they’re sharing information with.

Businesses do not really fully understand what it all means, so they go out and copy someone else’s policy, put it on their website and it’s completely irrelevant to their own business. It doesn’t show what they’re doing in their business, so they feel they’ve done it, but they haven’t actually understood the data in their business. 

There is also the misunderstanding of different types of data and the additional protections that are needed for special category data, which covers things like health, race, religion, political views, etc. It needs extra protection and there are certain systems that you really shouldn’t be using if you’re collecting such sensitive data, because they’re not adequate enough. It’s these sorts of things that people generally don’t understand. Finally, it’s the lawful basis for collecting data. Lots of people think that because somebody has given them their email address, maybe as part of an inquiry, they are then legally allowed to do what they like with it, but they’re not. If that person wasn’t told at the point they gave it to you that that information would be added to a marketing list, and the business then wished to contact them through it, they can’t do it lawfully.

You must also only contact people in the context of their original email. Say somebody inquired to your business saying they are interested in purchasing a handbag and you then put them on a mailing list and sent them information on purchasing mugs, that’s not allowed. They were interested in handbags and there’s no indication that they’re interested in mugs, and therefore you’re not actually complying with the rules at that point.

Is there anything else that people should know about GDPR?

Just that it’s important to do. A lot of people think, oh, they’ll never find me, it’s never going to be an issue, it’s too complicated. I think that it’s important that you do it, because it gives people trust in your organization, the fact that you can show that you’ve done it and you’ve complied in every way possible, and it protects you as a business owner, because the last thing you want is to have the ICO on your doorstep wanting to go through everything you’ve done in some form of investigation. It is a legal requirement, so we should all be trying to comply with the law as far as possible.

Where do people come to speak to you and get guidance?

I support people through what’s called the data audit process. We start off with a video or phone call where I ask lots of questions to fully understand what they are doing with data. I then write a report and look at what you need to do next. I then gather together all of the background paperwork that’s going to sit behind your policy.

Sarah can be contacted via her website www.banksbusinesssolutions.co.uk if you would like help understanding GDPR or having a policy made.
