The GDPR (General Data Protection Regulation) applies to all businesses processing the personal data of people in the EU as part of a structured filing system; it’s not just for big business. If you hold the personal data of anyone in the EU (no matter where you or your business are located) as part of an organised filing system in your business, then the GDPR applies to you.
For the purposes of GDPR, personal data means any data by which a living individual can be identified, directly or indirectly. Therefore, personal data extends from details like name and contact information, to any information about that person by which they can be identified. Even if the person cannot be identified directly from the information, but can be identified indirectly, e.g. by a reference number, then the information will still be personal data.
For many small businesses, the most obvious examples of personal data that they may hold on behalf of individuals will be the personal information of their customers or clients. For some businesses this information may be quite limited and may only extend to contact and accounting information, but for others the information may be far more extensive. Where the business holds sensitive personal data (i.e. health or medical data, or data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, etc.), more rigorous requirements apply.
An important point to note is that it doesn’t matter where the business is located, what matters is where the person to whom the data relates is located. Therefore, if your business is located outside the EU, the GDPR still applies to you if you regularly hold data on anyone in the EU in your business. The GDPR has worldwide effect.
Your obligations if you hold data on EU citizens
So, if you do hold personal data on anyone in the EU in your business, what are your obligations and what do you have to do to ensure that you are compliant with the GDPR?
- You have an obligation to ensure a proper lawful basis for processing the data and to provide information to the people who are the subject of the data – you can only hold data if you have a lawful basis for doing so in the first place. And when you do hold data, the GDPR sets down very specific requirements on the information that you must provide to the people who are the subject of that data. This means you need to review your privacy notices on your website and the information that you provide to people when they start to do business with you or when you collect the data from them. And of course, if you have employees, you must provide every employee with similar information about any data you hold about them.
- You have an obligation to use processors that meet the requirements of the legislation – whenever you transfer data out of your business you need to ensure that the people you are transferring it to will be compliant and that you have a suitable written legal agreement in place with them before you make the transfer. This includes anyone who has access into your business from outside.
- You have an obligation to keep data secure and to report data breaches. One of the biggest changes brought about by the GDPR is the introduction of the mandatory requirement to report data breaches to the Data Protection supervisory authority within 72 hours of becoming aware of the breach. These requirements highlight the importance of ensuring that your physical and cyber security measures are up to standard.
- You may have an obligation to appoint a data protection officer – the GDPR created the legal role of Data Protection Officer (DPO), a role with very specific legal duties and responsibilities and which must be given the necessary powers and resources to enable the role to be carried out effectively. Not all businesses will need to appoint a DPO but those coming within the criteria must do so and then publish the contact details of the DPO and notify the Data Protection Commission. A DPO must have appropriate expertise in data protection law and practice. You should be aware that once appointed a DPO can never be given instructions in relation to their data protection tasks and can never be dismissed for carrying out those tasks. Therefore, the DPO is a protected category of employment and any business should think carefully about whether they need to appoint a DPO and, if so, who to appoint.
- You have obligations relating to transferring data outside the EU – data cannot be transferred outside of the EU without adequate safeguards in place. There are a number of methods by which this can be achieved with the most common being the use of what are called Model Contract Clauses prepared by the European Council for this purpose. Where you transfer data in your business outside of the EU you should ensure that appropriate safeguards are in place and documented. This is particularly important where you use any cloud computing applications in your business. If you are using the cloud you should establish where that data is located in the cloud and, if it is transferred outside of the EU, that adequate safeguards are in place.
- If your business is based outside of the EU (and, of course, the UK may well come into this category after Brexit) and your business does not have a physical establishment in the EU, you must appoint a representative in the EU for your business as a point of contact for data subjects and regulatory authorities in the EU.