Businesses struggle with GDPR deadline
Is your company GDPR compliant? With two months to go until it becomes law, reports are indicating that most are not – with smaller businesses feeling the heaviest burden.
GDPR (General Data Protection Regulation) is the data protection reform instigated by the European Commission in January 2012 and will apply to any organisation operating within the EU. It comes into effect on May 25, 2018, and even with the UK set to leave the EU on March 29, 2019, the UK Government says GDPR will be enforced in this country.
Law firms are quoting between £2,000 and £5,000 to help businesses navigate their way through the regulations, but with many grey areas relating to exactly what is expected of businesses, the situation remains confusing.
Tom Vincent, co-founder of 200 Degrees, which has six coffee shops and supplies wholesale, told Coffee Business World: “We see one of the biggest issues being with employee information, identifying exactly where all the information is stored and what to do if, for instance, a former member of staff raises a grievance at shop level. The manager needs to respond correctly and we will need to provide the data, or evidence that it has been deleted.”
Vincent continued: “We will be changing our company policy and staff handbook to make it GDPR compliant and bring in new policies for CVs, etc. In the past, if someone sent you a CV it wouldn’t be a problem to keep it on file, but now we’ll need to ask permission and state how long we will keep it for and why, plus make sure it’s deleted on the deadline, which means processes need to be applied to make sure data is deleted on the date.”
200 Degrees also holds 25,000 email addresses, gathered from customers logging into their shops’ wi-fi. “Between now and May we will need to act to make sure all the data we’re holding complies. We’re lucky because most of our customers are regulars, therefore they’ve ticked the right boxes and have understood that we’re gathering their data and what we’re using it for. However, for older data and where people don’t respond to follow-up emails from us, I suspect we will just delete it.”
Chris Hollins, director of Buzzing Lab Solutions, described the implementation of GDPR as a “complete and utter mess”, with no clear direction – due to the legislation still being in draft form despite becoming law in May.
Esquires Coffee said it was moving away from hard servers in favour of storing data in the cloud, which is encrypted and more secure. Managing director Doug Williamson said: “We also restrict access, with the level of security for consumer data encrypted, with only one or two people having access.
“Our IT guys are on top of this – moving our data into the cloud six months ago. Also, the new EPoS system we’ve introduced requires customers to register themselves online, with all the information stored in the cloud.”
Vincent concluded: “I expect there is a lot of scaremongering from solicitors, but the biggest problem is the unknown. What will be the gold standard? Big fines are looming for businesses not complying – and ignorance is no defence. If there’s a breach of security, say a laptop is stolen, the data upon it needs to be secure or can be deleted remotely. As a small company, we don’t have an IT department to tell us.”
The key aspects of GDPR apply to:
- Personal data held by a business, including employees and customers.
- Sensitive personal data, as might be held on employees, existing, past and prospective.
- The requirement for the controller or processor of data within a business to review all existing processes, identify the most appropriate ‘lawful basis’ and check it applies.
- The need to inform people upfront about your ‘lawful basis’ for processing and holding onto their personal data, namely, getting consent before any data is processed and explaining why you want it and how you’re going to use it.
- The controller or processor of the data must keep a record of how and when an individual gave consent, with individuals given the right to withdraw that consent at any point.
- All consents to hold personal data must be ‘active’, which means individuals must actively opt in; therefore all pre-ticked boxes or opt-outs will fall foul of the regulation.
“The drivers behind GDPR are two-fold. Firstly the EU wants to give people more control over how their personal data is used… and secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market,” says ‘What is GDPR? Everything you need to know before the 2018 deadline’, IT Pro. http://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know
- For more information, see: https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent
- Report in IT Pro, with data from Vanson Bourne on behalf of Claranet. http://www.itpro.co.uk/data-protection/28029/latest-gdpr-news-uk
- Tom Vincent and Doug Williamson are members of European Coffee Expo’s Steering Panel.