The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018, and it is fair to say that most SMEs are a little confused about what it means for them (if anything).
Whilst it is arguable that a well-run company with proper data protection procedures will have little to worry about, our view is that all organisations will need to review their procedures to make sure that they are seen to be compliant. That is not a bad thing and a review of the data you hold and why you hold it may be long overdue for some organisations.
The GDPR sets out specific obligations and requirements for data controllers and data processors, and you will need to have systems in place to cover these obligations.
Additionally, you can no longer assume that sensitive personal data of any type can be held without the knowledge and specific approval of the relevant individual, and therefore explicit consent may need to be obtained. Everyone also now has the “Right to Be Forgotten”, although you must be aware that there may be a legal requirement to retain critical information to meet your compliance obligations.
However, there are many lawful bases set out in the regulations for holding personal data. These are:
(a) Consent: (as mentioned above) the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
You will need to work out which, if any, of these is a reasonable basis for holding personal data. However, beware of relying solely on consent, as it can be an administrative burden and also leaves you open to people changing their minds. That would leave you in a difficult position if it relates to data you want to hold but would then have to delete.
Our best advice is not to ignore the GDPR. It may not require you to change much, but it is undoubtedly good practice to audit your current arrangements. There is no excuse for non-compliance.