Denre Bruins writes: On the 25th of May the General Data Protection Regulation (GDPR) will come into effect and it will be the worlds most comprehensive privacy law ever. It is there to protect the privacy of European citizens by restricting the processing of personal data to certain consents.
The European Union have written a 261 pages long document that only lawyers can easily understand the consequences of, but small businesses are expected to comply with these new rules. From what we gather, if you collect any information about your customers or even suppliers, GDPR will – in theory – effect you and the way you run your businesses.
GDPR is all about processing personal data, but what is considered personal data? Personal data is not only data that is commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioural data, location data, biometric data, financial information, and much more. In short, personal data is any information that can identify a single individual.
Does this mean work email addresses are regarded as personal data? Unless the email address is an firstname.lastname@example.org, email@example.com, or any other not personal identifiable email address it will be regarded as personal data. For example my email address is firstname.lastname@example.org, which besides my first name also contains the name of the company I work for. This is clearly personal and should therefore be considered personal data.
If you are wondering if you can still send out marketing emails, it is the Privacy and Electronic Communications Regulations (PECR) you want to consult. PECR states that you must not send electronic mail marketing to individuals unless:
• they have specifically consented to receive marketing emails from you
• they are an existing customer who has bought a similar product or service from you in the past, and you give them a simple way to opt out of receiving your electronic marketing in every message you send.
If someone bought something from you, gave you their details and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out both when their details were first collected and in every message you subsequently send. This rule means you may be able to email your own customers, even after GDPR comes into force.
What does it mean to “process” data? Per the GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Basically, if you are collecting, managing, using or storing any personal data of EU citizens, you are processing EU personal data within the meaning prescribed by the GDPR.
If you process any EU personal data make sure you:
- Have legitimate grounds for collecting and using the personal data, for example, details taken during an online order.
- Do not use the data in ways that have unjustified adverse effects on the individuals concerned, for example, a supermarket that knows I buy a lot of alcohol and then sells my data to a health insurance company.
- Are transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data.
- Handle people’s personal data only in ways they would reasonably expect.
- Make sure you do not do anything unlawful with the data, especially selling it without user consent.
- Give individuals the ability to view/modify/delete personal data collected.
What if personal data was unlawfully accessed? The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. You should also ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals. Keep a record of any personal data breaches, regardless of whether you are required to notify.
If you’re a small businesses and do not harvest personal data, share it with third parties or supply to countries without data protection in practice not much will change for you. It’s the Amazon’s, Facebooks and Google’s that have to start worrying about the way they collect personal data about you and me. Nevertheless, if you want to make 100% sure you comply with GDPR you should consult your lawyer because every business is different.