However, many small businesses in the visitor economy sector are unaware that the regulations apply to them and are unintentionally failing to comply with the law.
Just to clarify, before you skip over this section: GDPR is broad in scope and applies to any business that collects, stores or otherwise processes personal data. It almost certainly applies to your business.
We’ve attempted to get rid of the jargon and simplify what it is and what it means to you, and have created a checklist for you to follow so that you can put a process in place to protect your customers’ data and your business.
We’ve also included some great hints and tips on keeping your systems secure from scammers and hackers.
What is GDPR and why was it introduced?
In these sessions we will explore the basic principles of GDPR and what our rights and obligations are. We will look deeper into the importance of contracts and consent, data security, data breaches and the roles of governance and accountability.
The General Data Protection Regulation (GDPR) came into force across the European Union in May 2018 and, together with the Data Protection Act 2018, replaced the Data Protection Act 1998 in the UK. It was brought in to ensure tighter controls on how personal information is used and to make data protection law uniform across the EU. Even though we have formally left the EU, the legislation still applies in the UK (as the UK GDPR).
Essentially, GDPR is intended to protect all our personal information and to ensure it doesn’t get into the wrong hands through negligence or other means.
The legislation, supplemented in the UK by the Data Protection Act 2018, introduced a number of obligations, and it is important for businesses to be aware of these as the potential fines for infringement are substantial.
What do we mean by personal data?
It’s any information relating to an identified or identifiable living person, such as a name, address, email address, telephone number, IP address or any form of ID.
A person may be identifiable directly or indirectly, including by reference to factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. Some categories of personal data are more sensitive and attract extra protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and genetic or biometric data. Where you do not need to identify individuals, anonymising or pseudonymising the data you hold reduces the risk to them and to your business.
Who do the regulations apply to?
The GDPR applies to anyone who handles other people’s personal data, whether as a ‘data controller’ (the organisation that owns the customer relationship and decides how and why data is processed) or a ‘data processor’ (one that handles data on a controller’s behalf and under its instructions).
It is very likely that anyone in the Visitor Economy Sector is a Data Controller and, as such, will need to register with the Information Commissioner’s Office (ICO) and pay the data protection fee unless an exemption applies. Depending on the services you provide you may also be a data processor. You can check and register your business on the ICO website.
As customers, employees, members and associates we are also affected by GDPR and are known as data subjects.
What do you need to know?
The principles behind the legislation
It is important that you understand the principles behind this legislation as this will help you interpret your requirements and liabilities effectively, rather than seeing this as an annoying tick box exercise that you simply must adhere to.
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. This means that they must ensure that any personal information they hold about individuals is:
- Used fairly, lawfully and transparently, which means having a valid lawful basis for the processing (for example it is needed to perform a contract or meet a legal obligation, it is in the public interest or part of a public task, or the client, potential client or employee has opted in)
- Used for specific, explicit purposes
- Used in a way that is adequate, relevant and limited to only what is necessary
- Accurate and kept up to date
- Kept for no longer than is necessary
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
The rights of the data subject
In addition to this, where you do hold personal data, the people it relates to (the data subjects) have rights over it. Consent is one lawful basis for holding data but not the only one (a contract or a legal obligation are others); where you do rely on consent it must be freely given, specific, informed and unambiguous, and you must make it as easy to withdraw as it was to give. Individuals are also entitled to ask what data you hold about them (a subject access request). In general no charge can be made for an access request, although you can refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive. You must respond within one month.
If they ask to be removed from your records or for their data to be amended, this must be done without undue delay and within one month.
They can, in addition, restrict how you process their data (for example they might be happy for you to hold the details required to process a booking or an order, but not to send them marketing materials) and who you share this data with (for example other third parties that are not relevant to the specific order).
Where you rely on consent to offer online services directly to a child, parental consent is required for any child under 13 years of age in the UK.
Communicating this information
All of the above needs to be communicated to data subjects before any data is collected, in simple, straightforward language. You can communicate this through:
- A telephone conversation or in person (but you should keep a record that you have done so)
- Your website via a Privacy Notice
- As a printed document (you should record that you have done this or ask for this to be signed as confirmation of receipt)
It is the responsibility of the data controller and data processor to take appropriate technical and organisational measures to protect data from being lost, stolen or misused.
This means physically:
Manual records are arguably easier to protect than digital records, as they can be kept in private areas and physically locked away.
Where data is held digitally, and particularly when it is available on a network, it is much more accessible and open to attack. It is the responsibility of the data controller and processor to:
- Use secure passwords that are:
  - Required to access every computer, laptop, tablet and mobile phone
  - Required to access the parts of your systems where personal data is held
  - Strong and unique to each account (a password manager helps), changed whenever you suspect they have been compromised, and backed by two-factor authentication wherever the service offers it
- Ensure all computers, laptops, tablets and mobile devices are kept up to date with:
  - All software and operating system updates, installed promptly
  - Up to date anti-virus software
  - A firewall switched on
- Protect your internet router with its built-in firewall and change its default administrator password
- Restrict access to your systems by putting visitors on a separate guest Wi-Fi network that cannot reach the network your business devices and data are on
And through developing robust processes, policies and forms for your team, including:
- A personal data protection policy for your organisation
This will explain the expectations and requirements of your employees in order to keep data safe
- A privacy notice for the wider public
This explains how you apply the principles, what the public can expect of you and who they can contact within your organisation
- An employee privacy notice for your staff
This explains to your staff what data you hold and how and why you process this information
- A data retention policy and schedule
This outlines how you capture, organise and store the information, how long you will keep the information and how you will dispose of it when it is no longer needed
- A data subject consent form
This will enable you to record an individual’s consent to your holding and using their data
- A supplier data processing agreement
This is a form of contract that will explicitly lay out how the data must be managed, stored, transferred and deleted
- Data Protection Impact Assessment (DPIA)
This records your assessment of the risks your processing poses to individuals and how you will reduce them. It is required before you start any processing that is likely to be high risk, and is good practice whenever you significantly change a product or service or introduce new technology to process personal data
- Data breach response and notification procedure
This will spell out the steps you will take in the event that there is a data breach
- Data breach register
This will record all data breaches – even minor breaches that do not have to be reported
- Data breach notification – for the ICO
- Data breach notification – for data subjects
- Data access request form – for data subjects
- You must record every personal data breach and be able to demonstrate the action taken to prevent a similar breach from taking place again.
- If a breach is likely to result in a risk to people’s rights and freedoms (for example it could damage someone’s reputation, cause financial loss, or result in discrimination or other disadvantage), the Information Commissioner’s Office (ICO) must be notified within 72 hours of you becoming aware of the breach.
- If the breach is likely to result in a high risk to those individuals, then the affected data subjects must also be notified without undue delay.
Whilst standard policies, forms and templates can be purchased online, we recommend that you create your own documentation and tailor it to your business. It’s a good exercise to check how your business complies and what changes might need to be made to ensure compliance. In many instances, businesses have found that their systems and processes improved by going through this exercise, as it makes them question why they do what they do and can eliminate activities that add no value for them or their customers.
In this first of three General Data Protection Regulations (GDPR) masterclass videos, Guy gives some context and background to these very important regulations. By the end of this video, you will understand how GDPR applies to you as a consumer and, most importantly, to your business.