GDPR Demystified For Sole Traders And Small Businesses: Part 1

Oct 15, 2018

Word Count: 2,456    Reading Time: 12 minutes

Welcome to a series of articles in which we attempt to explain the GDPR in lay terms and why it’s applicable to most, if not all, of us. It’s a bit of a dull and soporific subject, but hey, if you’re reading it then you probably need to know what it’s about... and might even make it to the end of the article!

What is GDPR and does it apply to you?

The General Data Protection Regulation came into effect on May 25th 2018 and supersedes the Data Protection Directive 95/46/EC and the UK Data Protection Act 1998. It applies to all persons and businesses that collect and process personal data within the European Union (EU) and the European Economic Area (EEA).

Furthermore, it applies to data collectors and processors located outside the EU and EEA who handle, or may handle, personal data of EU citizens and data controllers. Therefore you could say that GDPR applies worldwide in the case of internet services and international trade.

The primary objectives of GDPR are to give control back to individuals of their personal data and to establish unified regulations within the EU for international trade, which in turn may lead to greater transparency in relation to personal data worldwide.

It is important to realise that GDPR applies not only to data collected from websites, but also to social media, email and other business processes such as paperwork, correspondence and accounts. It applies to all forms of personal data irrespective of the means of collection. While GDPR is obviously highly relevant to online data collection, its core principle is the protection of personal data in any format.

Many have expressed discontent with the regulations, regarding them as an unnecessary layer of bureaucratic control over individual rights and trade. I understand this view but prefer the perspective that if all data collectors and processors worldwide adopted the key principles of GDPR, we would all benefit. This would move us towards a degree of data privacy we have not been afforded to date.

What are the key principles of GDPR?

The most important principle is that individuals have complete control over their personal data and that their data is collected only with their explicit consent, rather than implied consent or without any consent. In addition, when collecting personal data it is essential to inform the individual who is collecting the data and for what purpose it is being used.

Simply put, you need an individual’s explicit consent to take any of their personal data, and you must declare clearly who is taking their data and for what purpose. This applies at every point or step where you request data; depending on your data processes and flow, you may need to gain explicit consent from the same individual more than once.

Explicit consent requires what the GDPR describes as a clear opt-in, not just an opt-out (especially as a default setting) or implied consent. If you are using pre-checked tick boxes or relying on someone pressing a send button without clearly explaining that data is being collected, for what purpose and by whom, then this is implied consent.

An opt-in is not the same as an opt-out, and is defined by GDPR as a mechanism provided for the individual to directly consent at each point of personal data collection, that is not pre-filled by default, and records their explicit opt-in consent for the data collection. Should it be requested by an individual or regulator, you must be able to demonstrate clearly the recording of the individual’s explicit consent to proceed with the data collection, at the time of collection.

Minimising personal data collection, storage and processing is another strong principle in GDPR. It requires us to evaluate how much personal data we actually collect, what data is really necessary, and how long the data is required in order to provide our services and functionality to the individual. It is also most important to know who we are sharing personal data with and whether this is really necessary to provide services.

The aim should be to collect as little personal data as possible, only that which is essential to provide services, and collect no data at all, if possible. If you only need a first name or an email address to provide services, then take only that.

Article 25 of GDPR pertains to “data protection by design and by default”. Under GDPR organisations and businesses are strongly encouraged to design into their processes data privacy measures and safeguards from the very beginning. This is data protection by design.

Personal data should be processed with the highest level of privacy protection measures, by default. This means that only the minimum amount of data necessary should be collected and processed, with a short storage period and with limited accessibility, so that by default personal data isn’t accessible to unauthorised data processors or any other third parties without the explicit consent of the individual. This is data protection by default.
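To make the consent and data-protection-by-default points above concrete, here is an added example (not from the original article) of a small consent ledger: it refuses pre-ticked or implied consent, records who collected which fields for what purpose and when, and only allows a field to be used for a purpose it was explicitly consented to. The class and field names, and the sample subject identifiers in the comments, are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str        # the individual (constructed identifier, e.g. an email address)
    controller: str        # who is collecting the data, as shown to the individual
    purpose: str           # what the data is used for, as shown to the individual
    data_items: tuple      # the specific fields collected under this consent
    recorded_at: str       # ISO 8601 UTC timestamp captured at the time of collection
    notice_version: str    # the wording the individual saw, so it can be reproduced later

class ConsentLedger:
    """Append-only store of explicit opt-ins: one entry per collection point."""

    def __init__(self):
        self._records: List[ConsentRecord] = []

    def record_opt_in(self, subject_id, controller, purpose, data_items,
                      box_default_checked, box_ticked_by_user, notice_version):
        # Explicit consent: the box must start unticked and be ticked by the
        # individual, and controller and purpose must be declared beforehand.
        if box_default_checked:
            raise ValueError("pre-ticked box is implied consent, not an opt-in")
        if not box_ticked_by_user:
            raise ValueError("no opt-in given; do not collect the data")
        if not controller or not purpose:
            raise ValueError("controller and purpose must be declared")
        rec = ConsentRecord(subject_id, controller, purpose, tuple(data_items),
                            datetime.now(timezone.utc).isoformat(), notice_version)
        self._records.append(rec)
        return rec

    def evidence_for(self, subject_id, purpose):
        """Records that demonstrate this subject's consent for this purpose."""
        return [r for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]

    def may_process(self, subject_id, purpose, item):
        """Protection by default: a field is usable only for a purpose it was
        explicitly consented to; anything else is denied."""
        return any(item in r.data_items
                   for r in self.evidence_for(subject_id, purpose))
```

The `evidence_for` method is what you would use to answer a regulator or the individual asking you to demonstrate that consent was recorded at the time of collection.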

What is Personal Data exactly?

As GDPR is all about protecting personal data, it’s important to understand what personal data is, and that it includes data collected by automated and non-automated means. Unfortunately there is no definitive list of what is defined as personal data and what is not.

In reality, what constitutes personal data is subject to interpretation of the GDPR definition and how it applies in the context of the data collection, storage and processing.

Article 4(1) of GDPR defines “personal data” with clarification as follows:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Adding complexity to defining what is personal data, it is important to understand that each item of data may or may not be an identifier in itself, but may become one when combined with other data relating to the individual. Context and setting may affect whether any or all of those items count as personal data, not least when data is involved in behavioural analysis, profiling and data breach incidents.

The clever folks over at BoxCryptor (a cloud services company) put together a good list of identifiers from everyday life to demonstrate the potential complexity, and the accuracy that can be achieved, in identifying an individual. Please note that this list is not exhaustive and does not include digital identifiers such as IP addresses and cookie identifiers:

  • Biographical information including date of birth, marital status, social security numbers, criminal record, phone numbers, email addresses, residential address and bank information.
  • Looks, appearance and behaviour, including hair and eye colour, height, weight and defining characteristics.
  • Workplace data and information about education, including salary, tax information and student numbers.
  • Private and subjective data, including photos, religion and political opinions.
  • Health, sickness and genetics, including medical history, genetic data and information about sick leave and fitness data.

What are the Rights of Individuals under GDPR?

Under GDPR individuals are granted certain rights that may greatly affect your business and online processes, as listed below with brief explanations:

  • The right to be informed: Individuals have the right to be informed about the collection and use of their personal data. Inform individuals of your purposes for processing their personal data, retention periods for that data, and who you share the data with. This is ‘privacy information’ and is the key transparency requirement of the GDPR.
  • The right of access: Individuals have the right to access their personal data and must be able to request it verbally or in writing, online or offline. Requests to access personal data must be actioned within one month at most; it is, however, advisable to action them in the shortest time possible.
  • The right to rectification: The individual’s right to have inaccurate or incomplete personal data corrected and completed. This right is linked to the data controller’s obligations under the accuracy principle of the GDPR (Article 5(1)(d)). An individual must be able to request rectification verbally or in writing, online or offline, and the request must be actioned within one month at most.
  • The right to erasure: The individual’s right to have personal data erased, commonly known as the right to be forgotten. An individual must be able to request erasure verbally or in writing, online or offline, and the request must be actioned within one month at most. This right applies in certain circumstances only and is therefore not absolute.
  • The right to restrict processing: The individual’s right to request the restriction or suppression of their personal data. If processing is restricted you may still store the data, but not use it. An individual must be able to request restriction or suppression verbally or in writing, online or offline, and the request must be actioned within one month at most. This right links to the right to rectification (Article 16) and the right to object (Article 21).
  • The right to data portability: The individual’s right to obtain and reuse their personal data for their purposes across different services and platforms. The individual must be able to move, copy or transfer personal data from one IT environment to another in a secure manner, without affecting data usability. This right only applies to information an individual has provided to a data controller. This right must be actioned within one month maximum, however this is extendable according to the nature and complexity of the data requested. In addition, such requests may be rejected under certain circumstances. Additional reading on this right is thus highly recommended.
  • The right to object: The individual’s right to object to the processing of their personal data in certain circumstances, including the absolute right to stop their personal data being processed for direct marketing, online or offline. Individuals must be informed of their right to object. An individual must be able to make an objection verbally or in writing, online or offline, and the objection must be actioned within one month at most. There are circumstances where data processing may continue despite an objection, if it can be demonstrated that there is a compelling and legally justifiable reason for doing so.
  • Rights in relation to automated decision-making and profiling: Article 22 of GDPR makes provision for rights in the cases of:
    • Automated individual decision-making (making a decision solely by automated means without any human involvement); and
    • Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
    The GDPR applies to all automated individual decision-making and profiling processes and procedures. Solely automated decision-making that has legal or similarly significant effects on individuals is subject to additional rules to protect individuals’ rights. Such decision-making can only be conducted where the decision is:
    • Necessary for the entry into or performance of a contract; or
    • Authorised by Union or Member State law applicable to the controller; or
    • Based on the individual’s explicit consent.
    It is essential to determine whether any of your data processing falls under Article 22 and, if so, to ensure that:
    • Individuals are given information about the processing;
    • Simple mechanisms are provided for individuals to request human intervention in the processing, or to challenge or appeal a decision;
    • Regular assessments are conducted to ensure the systems described above are working as designed.

Are you a Data Controller or Processor?

As this article is for sole traders and SMEs only, in all likelihood you are a data controller, in that in the course of your business and online activities you are collecting, at the very least, individuals’ names and email addresses. The person or organisation collecting such data is a data controller, as defined in Article 4 of the GDPR:

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

In most cases a sole trader or SME will be collecting data, while the processing of that data is most likely handled by a third-party service provider such as Google or Mailchimp, for example. The GDPR introduces, for the first time, direct obligations for data processors towards data subjects, that is, individuals.

This is why big players like Google, PayPal and Mailchimp (examples only) have been working to achieve GDPR compliance. They are now subject to regulatory penalties and civil claims by individuals pertaining to data processing and protection. Article 4 describes data processors as follows:

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

What is a Data Protection Officer and do I need one?

If you are a sole trader or SME, depending on the type of business activities, in all likelihood you do not need to appoint a Data Protection Officer (DPO). Most likely you need to designate a named data controller, possibly yourself. There are circumstances under which data processors and controllers must appoint a DPO, as described by Article 37(1):

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

As most people reading this article are unlikely to need to appoint a DPO we won’t go down that rabbit hole!

Okay, so you made it this far, well done. That concludes Part 1.

In Part 2 we will delve deeper into the actual things you need to do, as a sole trader or SME, to your website(s) and other data collection mechanisms such as social media, email and mailing lists. We will also discuss some of the technical difficulties in complying with the GDPR for small operators.
