GDPR SaaS Checklist UK
GDPR Checklist for SMEs


NOTE: This checklist is intended as general guidance and no action should be taken in reliance on it without specific legal advice. 

Introduction

If UK or EU companies acquire, store or use personal information in any capacity, they must comply with the UK/EU GDPR (General Data Protection Regulation). 

The GDPR has applied across all EU member states since 2018, the aim being to give people more control over how their personal data is used and to provide a clearer legal framework.

Does the GDPR still apply to UK companies?

The GDPR is retained in domestic law now that the Brexit transition period has ended, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. The key principles, rights and obligations remain the same, and data can still flow freely from the EEA because the EU has agreed to delay any potential transfer restrictions for at least four months, which can be extended to six (known as the bridge). If, during the bridge period, an adequacy decision is made, which currently seems likely, the transfer of restricted data will be allowed to continue.

The Scope

UK GDPR requirements apply to all businesses, large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless the processing is a regular activity, concerns sensitive information or could threaten individuals’ rights.

Most companies retain personal information about their customers and other stakeholders, such as email addresses and financial details. As a consequence, they need to be UK GDPR compliant regardless of size. 

This checklist provides some guidance on the areas that SMEs should be aware of.

1. The Key Parties

GDPR introduces two terms to describe the person, company or organisation that is collecting and processing data.

Data controller

The person or business that determines how and why personal data is collected. The data controller must ensure the business is fully compliant with UK GDPR, including transparency, data storage, data confidentiality and the accuracy of data collected and stored. The controller is also responsible for notifying the Information Commissioner’s Office (ICO) if a data breach occurs or data is stolen or lost by the business.

Data processor

The person or business responsible for processing personal data on behalf of a controller. This encompasses anyone with access to personal information and who uses it in any way, such as creating and sending marketing emails. A processor must ensure data is processed in line with UK GDPR requirements and record processing activities. They must also ensure appropriate security when handling data.

2. Data Audit

Understanding the data your company maintains on clients, employees, suppliers and other stakeholders is a key requirement. If you do not already maintain and track details of the information you are gathering, carry out an audit on the data you keep.

Remember that under GDPR your company should only hold necessary data, and only for an appropriate period of time, which should be as short as possible.

When undertaking data audits, ensure that you capture where “special categories of personal data” are being collected. Additional consent is required from an individual before storing special categories of data about them. 

3. Register with the ICO

Now that you have an understanding of the personal data your company captures, you are likely to need to register with the ICO, if you have not already done so. 

Every organisation or sole trader that processes personal information needs to pay a data protection fee to the ICO, unless exempt. If you are unsure whether you need to pay the fee, complete the ICO’s online self-assessment:

https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/

4. Data Consent

Your company must obtain clear and explicit consent, freely given by the individual, before acquiring and storing their personal data. This means clearly explaining what personal information your company is collecting and how it will be used. The individual must actively agree to this. If they do not, your company is not permitted to capture and store this data under any circumstances. 

In practical terms, for SME technology companies this typically means:

  1. Implementing a Privacy Policy.
  2. Implementing a Cookie Policy – when individuals visit your website, information about them should not be collected via cookies without informing the visitors and allowing them to opt out.

The clear and explicit consent required to capture personal information extends to data being collected as a condition of using a SaaS product. 

In practical terms, this means ensuring that your company’s T&Cs/Terms of Service are UK GDPR compliant: before using your service, clients explicitly consent to their data being captured as outlined within your Terms. Your company needs to record that consent and be in a position to evidence that it was provided. 

5. Records Retention Policy

Companies typically build up databases of customer information in spreadsheets or more advanced CRM systems. Regardless of whether the data was captured prior to 25th May 2018, consent is still required to retain it. Where consent was not provided at the time of capture, your company should request that consent and, unless it is provided, delete the data. 

Your company should implement a records and information management policy that establishes and describes how staff are expected to manage company data from creation through to destruction. This includes details such as how long data may be stored and what processes must be carried out to ensure that data is not stored for longer than necessary. 

Adoptech has made this easy: go to Company, then Policies, select Add New Policy, and from there you can quickly and easily create a records and information management policy.

6. Information Security

Create data protection and information security policies. These should include details of the principles, processes and frameworks being implemented to protect against unauthorised access to, or alteration, disclosure or destruction of, the Company’s data. 

Put in place an incident response plan that details the actions that will be taken in the event of a data breach. This may include notifying the ICO of the breach. 

As a starting point for SME technology companies, Adoptech recommends implementing the following policies:

7. Training Staff

A large proportion of data breaches are caused by employees. Statistics from the ICO covering a 3-month period showed that 97% of data breaches were caused by human error, such as emails being sent to the wrong person. It is therefore important to train employees on how to handle data and what to do in the event of a data breach, and to remind them regularly. 

8. Subject Access Request Plan

Any UK or EU citizen can request access to all the data you hold about them, in its entirety; this is known as a Subject Access Request (SAR). The data can be anything from references to them in email messages to customer records and electronic notes. They also have the right to have any inaccurate data you hold corrected and to request that you delete their data entirely.

Dealing with a SAR is time-consuming, especially if you do not have a plan in place for handling such requests. It is also good practice to have a Subject Access Request policy, shared with staff, suppliers and clients, that sets out how you will handle a request. 

9. TPRM – Third Party Risk Management

Check that your suppliers are also compliant with UK/EU GDPR. You can send them a GDPR compliance assessment to review how they handle data, their security and storage procedures, and what types of data they handle. Contracts you have in place with suppliers should state that they are GDPR compliant and give you the right to audit their business to review their data processing arrangements.

You can start working on your Third Party Risk Management assessment here.

Queries and follow-ups

Setting up all these policies and ensuring they reflect the specific needs of your company can be time-consuming and overwhelming when you are focused on growing your business. Adoptech has made it easy: chat with a member of the team for more information, or just visit our policy generator to get started.