GDPR seems to be on everyone’s lips and a recent business survey revealed that it’s overtaken Brexit as the top concern of businesses. This article looks at what is and isn’t important and provides some practical tips for dealing with the GDPR conundrum.
GDPR (the General Data Protection Regulations) is in force from 25th May 2018. With the maximum fine for breaking the rules being €20m or 4% of sales, whichever is higher, the authorities have plenty of ammunition for getting businesses to take it seriously. At the same time there is a lot of rubbish talked about GDPR. In this article I will try to unpack some of the main points.
Whilst for most installers GDPR does not represent a big threat, for Powered Now it’s different. We have to take it very seriously as we already have hundreds of thousands of personal records in our system and aspire to have millions. As a result, we know a lot about it.
1. Remember, GDPR is not that unreasonable
We have been conducting quite a bit of training recently on GDPR. We start by asking our people about the company they most dislike. Then we tell them to imagine that this company has their personal details. Then how would they like that company to treat those details? We’ve found that the very things they say, like not passing their details to third parties without their agreement, are the core GDPR principles. That’s fascinating.
It’s worth noting what those core GDPR principles are, relating to personal details which must be:
•Collected and used for a specific reason;
•Limited to what is necessary;
•Kept accurate and up to date;
•Kept only as long as is necessary;
•Protected from hackers appropriately;
•There must be a publicly stated lawful reason for the processing.
Actually, this is all quite reasonable.
The Information Commissioner’s Office (ICO), which is the UK government organisation tasked with enforcing GDPR, says that they won’t fine businesses that have tried to comply but got something wrong. There will just get a warning. They also say that fines won’t be big enough to put offenders out of business. Again, that’s reasonable.
So, what should you do, given that the rules apply to anyone storing personal data on paper or computer? That includes pretty much every installer.
Well, with over 5 million businesses in the UK all of whom will store some personal details, the ICO won’t be focussed on small businesses for quite a while. However, even under the old regime a nursing home that lost just 75 personal records was fined £15,000. To get an idea of the actions the ICO can take, you can look at their enforcement record on their web site. I found it amusing that among those slapped on the wrist for data violations were three police forces and the justice department!
Reporting any data loss of personal details to the ICO is mandatory. Having said that, installers don’t store any of the really sensitive personal data like medical records, sexual orientation or political views, nor hopefully do they store payment card details. Smaller companies tend to have hundreds of customer records, not tens of thousands. All of this makes them much lower risk than many other organisations and therefore of much less interest to the ICO who have much bigger fish to fry.
2. Get your simple cyber-security right
Leaving aside the detailed regulations under GDPR, you should make sure you do take a number of basic precautions to protect your data:
•You should make sure all of your computers are secured with a non-obvious password, especially laptops which can easily be lost or stolen. You should not use the same password on more than one machine or account.
•You should try to use software from serious companies that know about GDPR and have people dedicated to security.
•If you have a computer network, it should be “locked down” with a firewall that doesn’t allow anything nasty in. Your local IT company should be able to help with that. If you are a larger company you should have penetration tests (“pen tests”) performed by a third party to check if you have any obvious vulnerabilities for hackers to exploit.
•You should have up to date anti-virus software on every machine.
•You should make sure both you and your staff are aware that any unexpected or unusual emails are suspect. Spoofing an email address so that it appears to have come from the boss is a common technique used by fraudsters.
•Personal data, including email addresses, should never be left around on memory sticks and particularly not on web sites.
•Update all of the software you use on your PC, Mac and mobile devices when you get offered the chance. All software companies are constantly fixing security vulnerabilities and you put yourself and your data at significant risk when you stay on old, vulnerable versions.
These precautions will hugely reduce your risks under GDPR. It’s also plain good practise for your business too as it reduces your risk of being hacked and extorted, which can be very painful.
3. Document your processing
In my opinion, if you are careful about keeping information secure, in reality you have gone a long way towards complying with GDPR, although that alone wouldn’t make you compliant. You should document what data you hold and make sure that you have a legal basis for processing it in every case.
The biggest area of confusion about GDPR is “consent” which is where the most rubbish is talked. Some articles I have seen suggest that you need consent from your staff to hold their details in your payroll system! This is far from the truth and is frankly ridiculous. Unless you don’t hold their details you can’t pay them and your contract with them says you must.
GDPR says that you need to have a legal basis for holding any personal data about individuals. There are six defined legal bases of which consent is just one. Of the six that can be used, but you will very likely only use the following four:
•Contract – for instance you have a contract with a customer and there are things you have to do to fulfil that contract, such as turn up at their address and ask for them by name so you can do the work
•Legal Requirement – for instance, you have to legally keep records of your business financial transactions for 6 years after your tax year end, and your invoices will have a person’s name and address on them which you must keep
•Legitimate Interest – you have a legitimate interest in processing the data, although you have to justify this. An example of the use of Legitimate Interest is in sending a reminder about a service being due
•Consent – for example where you want to send a regular marketing newsletter to a person who has not yet become your customer
What is pretty clear is that if you want to “cold market” to people who aren’t already your customers by email, electronic messenger or forms of telephone calling, it must be done on the basis of consent. That probably doesn’t impact many trade companies. If you want to send customers reminders of gas safety certificates expiring or warrantees coming to an end, or even of a special deal because you are quiet, then you can almost certainly depend on your legitimate interest.
This article is too short to go into the full GDPR regulations - it’s fairly complicated to embrace data protection “by design and by default”.
Any software supplier you use should be able to help you to comply. My recommendation is that you ask them to help.