Small business responsibilities
A lot of small businesses approached GDPR as a box-ticking regulatory exercise: a one-off job dumped as yet another chore on the office manager. We talked to a lot of people who suddenly found themselves responsible for information security. The default position was to pass the whole thing over to IT support and rely on their assurances or, budget permitting, to send the problem to the lawyers.
In fact, as a lot of people we talked to realised (though their bosses often didn’t), this outsourcing approach doesn’t come anywhere near to meeting the requirements. Office managers who can find the time to familiarise themselves with the GDPR can see that its implications reach beyond marketing and the website, right across the business and into every department.
At a minimum, all businesses now have a legal responsibility to identify the personal information they hold, and why, where, for how long and on what legal basis it is held. They must also know the risks posed to any individuals about whom they hold information and take precautions to mitigate those risks. Even more onerously, unless they have very good and clearly documented reasons not to, they must hand over any and all of the information they hold about any individual who asks for it, and do this in a way that does not infringe the privacy of any other individual.
Mostly cosmetic changes so far
As with other regulatory and legal obligations, all of this is the responsibility of company directors — though this is not well understood amongst many of the small organisations we work with. GDPR compliance is not something that can be handled by an office manager working alone, and directors are often reluctant to get involved and even more unenthusiastic about allocating any additional resources to meet the challenge.
The result? A lot of small businesses tend to concentrate only on the tiny tip of their information iceberg that has public visibility: the website.
Companies have updated their privacy and cookie policies and are taking a lot of care about getting consent when harvesting personal information from their websites. But beneath the surface, in many cases, very little has changed. The mass of personal information stored and processed by almost all small businesses remains the same chaotic, unidentifiable and insecure jumble it was prior to May 2018.
In our experience, cosmetic adherence aside, small businesses are yet to take GDPR seriously.
Data protection starts to matter
Does this matter? Generally, companies try to avoid breaking the law and ignoring GDPR is doing just that. At the same time, there doesn’t seem to have been much in the way of enforcement action over the past year (91 fines across the whole EU), which risks giving the impression that the authorities aren’t taking this seriously.
On the other hand, the €50 million fine recently levied on Google by the French data protection regulator ought to give pause for thought. In fact, it’s worth thinking back to what the Information Commissioner’s Office (ICO, the body responsible for GDPR enforcement in the UK) was saying a year ago, i.e. that companies shouldn’t see GDPR as a big bang change but rather as something to which they needed to adapt. One year in we can expect to see the phony war come to an end and data protection enforcement get underway in earnest.
GDPR is not going away
It’s worth remembering too that Brexit, should it happen, is not going to reduce the burden. The UK Data Protection Act 2018, which supersedes the 1998 act and came into effect alongside GDPR in May 2018, implements GDPR in British law, even leaving aside the EU withdrawal bill which is intended to transpose all EU law into British law. In fact, things could become even more complicated if Brexit does go ahead, as UK firms for the foreseeable future are likely to have to comply with both EU and UK data protection legislation.
A lot of smaller businesses have stopped thinking about GDPR. This is a mistake: whether we like it or not, GDPR is changing the way companies manage information and, as a result, the way they do business.
What have we learned?
This time last year there was a lot of panic and misinformation and, inevitably, a lot of ‘compliance experts’ looking to cash in on the confusion. Now, we know a lot more. Probably the most important thing we have learned is that the ICO is at least as keen on helping organisations to comply as it is on punishing those who don’t.
So, this article is emphatically not intended to suggest that Armageddon is coming (again); rather it is intended as a reminder that companies do still have to take this seriously.
What should your organisation be doing now (assuming it is not already completely up to date on GDPR)?
Probably the most important thing to understand about GDPR is that it is a risk-based approach to information security rather than a standards- or compliance-based method. What this means: firstly, that it is bordering on meaningless to talk about GDPR compliance. Secondly, and more importantly, that it is your responsibility to know the risks to your company, and to the people about whom you hold information, should you suffer an information breach.
In order to understand the risk, you need to know what information you are holding. So, there are two key tasks every organisation should have completed and documented by now:
1) an information audit (what have you got and where is it?) and
2) an information risk assessment (a Privacy Impact Assessment in GDPR language).
The ICO wants to see companies moving towards a secure information culture and is explicit that any enforcement action will take into account efforts made to achieve security.
An organisation that has not carried out these two basic steps would rightly be seen as having made zero effort.
Having identified and documented what information you hold, where it is and the risks it poses means you are in a position to satisfy any data subject access request you might receive. The process also gives you a chance to consider (and document) the legal basis on which you are relying to justify holding the information. You will recall from last year that consent is not the only legal basis on which information can be held. Whatever legal basis you are using must be documented. It has been interesting to watch the developing approach to the question of legal basis over the last year:
- We need consent for all the information we hold.
- Hold on — in fact, we can rely on something else like contractual requirements or regulatory requirements, though we still need consent for marketing.
- But wait, don’t we have a legitimate interest in holding all this information? Let’s go for that.
At first glance, legitimate interest looks like a get out of jail free card and so a lot of organisations have used it as a catch-all basis to cover the information they hold. Now, remember you need to document your legal basis and it turns out that legitimate interest is tricky to document. If you are going to rely on legitimate interest, you need to carry out and document a three-part test as follows:
- Identify the legitimate interest. These might be your own commercial interests, those of a third party or even society.
- Demonstrate that the way you will hold and process the information is necessary. If the same results can be achieved in another way, legitimate interest does not apply.
- Balance your interest against the individual’s. Their legitimate interests override yours if they would not reasonably expect you to process their information or if it would cause them unjustified harm.
The critical point is that you must document this test and your reasoning for each part. Having worked through it, organisations often find that contract, regulation and/or consent are the more watertight basis.
Don’t forget PECR
There is another little problem with relying on legitimate interest for marketing. You can successfully apply the three-part test to, say, an email address used to send marketing but — and here’s the catch — only if you already have the consent of the individual concerned, or if the email address belongs to an existing customer or someone with whom you have previously negotiated or done business and you have given them the chance to opt out of your marketing communications.
If you’re thinking this seems to make the legitimate interest test somewhat redundant, you’d be quite right. The reason for this apparent glitch is that the consent being relied on here is not the one mentioned by the GDPR but the one required by the Privacy and Electronic Communications Regulations (PECR, 2003).
You have needed consent for email marketing since the PECR came into effect fifteen years ago. The difference now is that the GDPR has changed the definition of consent so that companies can no longer rely on negative or ‘opt out’ consent. Instead, positive or ‘opt in’ consent is required.
So, as you can see, legitimate interest is not quite the easy way out it first seems. In fact, GDPR itself remains quite demanding and is likely to become more so. If you are an office manager and GDPR and data protection have found their way onto your desk, we hope that this article will help you make the case to your boss that the problem hasn’t gone away and that you might need some help to keep your firm on the straight and narrow. We haven’t, by any means, covered all the new responsibilities imposed by GDPR, but we hope we have given you a starting point. And if you’d like to know more, we’re always happy to chat.