Unless you’ve been living under a rock for the last couple of months, you’ll have no doubt heard about GDPR and the new legislation that comes into force on 25th May 2018.
With what seems like an entire world of information being thrown at businesses, you’re probably unsure what the European General Data Protection Regulation means for you? While it might seem complicated at first, we’ve broken down the main points here to make it easier to understand.
What is GDPR?
The GDPR, or General Data Protection Regulation, comes into force in May 2018 and replaces the 1995 Data Protection Directive. It’s a wide-ranging regulation designed to protect the privacy of individuals in the European Union (EU) and give them control over how their personal data is processed, including how it’s collected, stored and used. It affects every company in the world that processes personal data about people in the EU.
What does GDPR mean?
Although GDPR might seem scary at first, many see it as a positive step forward for data protection. Some of the key areas GDPR covers are:
- Personal data about EU-based people (absolutely all of it)
This includes your customers, employees, suppliers and any other individual you collect personal data from. Personal data includes names, contacts, medical information, credit card or bank account details and more.
- How you collect personal data
You can only collect personal data if you have a legal reason to do so. You might need it for a sales contract, for example. Or your customer may have asked you to send them some information on your product or service. In all cases, you must make it clear what the personal data will be used for – and only use it for that purpose.
- User contracts and terms and conditions (on websites, for example)
These need to be simple, clear and easy to understand – with no complicated legal text.
- The right to know
Individuals can ask a business what information is being held about them. This isn’t a new right, but organisations must now respond within one month and can’t charge a fee (which they used to be able to do).
- The right to erasure
Customers can ask a company to delete all stored personal data about them, unless the company needs to keep that information for legal reasons, such as tax.
- Data portability
Individuals can request a digital copy of their personal data to use however they like, including transitioning to a new service provider.
- Data breach
You’re obliged to report certain types of data breach to the relevant supervisory authority.
The UK government will be replicating GDPR into UK law prior to Brexit, so if you’re a UK company, Brexit won’t impact your obligation to comply.
GDPR and data protection
It’s important to understand the spirit of GDPR. The legislation came into existence because of the way personal data has been treated in the past. Many companies treated personal data as a resource they could utilise without regard to the rights of individuals.
For example, some companies sold customers’ email addresses, allowed sensitive data to be seen by unauthorised people, and failed to adequately protect data against hackers.
GDPR gives control of personal data back to the people who own it and requires organisations to make data protection a core part of their operations and processes. This is likely to affect big, data-driven organisations first. But small businesses aren’t exempt. We’ve set out some steps below that you can take to make sure you’re prepared.
Goes GDPR affect data security?
Data security is a big part of GDPR. If you process personal data of people in the EU you have a duty to keep it safe so it’s important to ensure that any personal data held by you is securely stored.
GDPR also governs where companies store personal data, and what safeguards you must have in place in order to store and process that personal data outside of the EU. For example, if you’re transferring personal data to a US-based company (that will store and process it in the US), you should check that they’re certified with Privacy Shield, which is a mechanism designed to allow data transfers from the EU to the US.
Summary of GDPR for small business
There are many aspects to GDPR, but it really boils down to being clear and ethical with the personal data you process – that means treating it as you’d treat something valuable of your own. Some initial practical steps you can take to get GDPR compliant are:
Check products and services
- Check which of your products or services collect and process personal data.
- Ensure you have a legal basis for the processing of personal data.
- Ensure you can comply with the obligations to your customers as set out in the GDPR (such as the right of access and the right of erasure).
Review notices and contracts
- Update your internal and external notices for GDPR compliance.
- Ensure your customer contracts are GDPR compliant.
- Make someone in your organisation responsible for data protection and privacy.
- Consider whether you need to appoint a Data Protection Officer – check out the ICO’s guidance for more info.
- Provide data protection training for staff.
Take care over security
Ensure systems that collect, process and store personal data are secure.
GDPR resources for small businesses and advisors
You can get useful information on GDPR from:
- The UK Information Commissioner’s Office (ICO) – 12 steps to prepare for GDPR.
- The Federation of Small Business (FSB) – How to prepare for GDPR.
- And, if you’re an advisor to small businesses, the Institute of Chartered Accountants in England and Wales (ICAEW) have a complete GDPR resource centre.
GDPR & Xero
Many of our new and existing clients moving to or using Xero have asked about the security and of privacy the software. We’ve provided an update from Xero below for your piece of mind.
We take our responsibilities under GDPR seriously. That’s why we’ve embarked on a programme to identify which measures we need to implement to be compliant with GDPR, and are working to implement them in time for 25 May this year. Here is a quick summary of what we’ve done to date:
- We conducted a comprehensive GDPR audit and gap assessment. Following the gap assessment, we created an internal roadmap to work towards compliance with GDPR by 25 May 2018
- Our product and security teams have identified necessary changes/improvements to our product and are working to implement those
- We conducted a comprehensive data-mapping exercise that tracks personal data flows throughout our systems and services. We are in the process of finalising the data maps
- We are well underway with engaging all key third-party vendors to make sure we have the appropriate contractual protections in place that satisfy GDPR requirements
- We’re refining procedures to deal with some key data subject rights, like subject access requests and the right to request deletion
- We’ve produced a GDPR compliant Data Processing Addendum (for more information see the FAQs below)
- We’ve updated our privacy notice to be GDPR compliant as well as more clear, concise and transparent about how we process personal data
- We’ve updated our incident response procedures to bring them into line with GDPR
- We’ve implemented a company-wide data protection training module for all Xero personnel
- We’ve implemented a data protection impact assessment procedure and integrated that into our system and product development
If you need help with your accounts or bookkeeping, we’d be happy to help. Perhaps we can help organise your accounts with a free month of Xero?
Thanks for stopping by,