Four Points for Sole Practitioners and Small Business Owners to Consider
The provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) will apply from 25th May 2018, and have far-reaching potential ramifications for the ways in which sole practitioners, and other small business owners, process data in the future.
With that in mind, and with the deadline for compliance now just under six months away, here are four points to consider when implementing the GDPR in your firm.
1. What is the GDPR for?
In short, the GDPR is intended to regulate the processing (which includes the use and storage) of personal data. Personal data is information that can directly or indirectly be used to identify a person, such as a name, location data or an email address. If you want to process any of this data, and/or use it for a particular purpose, then you will either need to obtain the clear, affirmative consent of the individual concerned, or show that the processing is “necessary” on one of the other grounds set out in the GDPR.
This may have ramifications for the way in which you conduct your business. For example, if a person consents to you using their data whilst you are providing a service for them, they may not be consenting to you sending them promotional material or articles, or possibly even to you contacting them in the future to touch base.
2. Consent or necessity?
Where possible, written consent ought to be obtained as soon as possible and, in any event, before you consider yourself to be instructed by the individual concerned. Whilst you should not make consent a pre-requisite to providing your services, it may be advisable to think carefully before relying upon a ground of necessity. If a person is reluctant to give you consent, they are unlikely to take kindly to your use of their data in any event!
Consent needs to be a conscious, positive choice, so no pre-ticked tick boxes. Where possible, provisions in your terms and conditions relating to consent should be in clear and plain language, and should be pointed out to the data subject. The individual should also be informed of their right to withdraw consent. For the avoidance of doubt, the individual should also sign a declaration that clearly sets out that they are giving you their consent to process their data.
3. What about existing clients?
It may be that you are in a position where you do not have the consent of your existing clients, but do have the consent of your newer clients. You will likely want to ensure in due course that all clients have given their consent to your using their data. Keeping a clear record of which clients have consented (whether as separate databases for your old and new clients, or as a consent flag against each client record) will help you to systematically obtain the consent of your older clients and avoid potential issues in the future. It will also ensure that you know which clients, if any, have withheld their consent, so you can deal with their data accordingly.
4. What do I need to do?
Although the GDPR is, by and large, a significant “beefing up” of the current Data Protection Act, it nevertheless has similar aims and principles in mind. If your processes and procedures are compliant with the law as it stands now, then compliance with the GDPR is more likely to be a matter of supplementing and enhancing what you are already doing, rather than a wholesale overhaul. Nevertheless, it is likely that you will need to supplement your existing policies, training and security measures, and review your storage and retention of data (including paper) in order to comply with the GDPR.
When approaching this task, it is worthwhile keeping the following in mind:
a. Do you obtain the consent of your clients to use their personal data? If so, is their consent given positively (opt-in rather than opt-out), knowingly and willingly? For example, are consent clauses in your terms of service written in clear language, and set out in your terms in a logical and obvious way?
b. Why do you need the information? Is it worth the risk of non-compliance with the GDPR in using the data for particular purposes? Is it possible to find ways to satisfy that purpose without using personal data?
c. Do the terms of consent draw the parameters sufficiently widely for your purposes? Do they cover marketing emails? Do they enable you to process the personal data after the service has ended? How are you going to deal with existing clients’ data going forward?
6th December 2017
This note comprises the view of the author as at 6th December 2017. This note is not a substitute for legal advice. Information may be incorrect or out of date, and may not constitute a definitive or complete statement of the law or the legal market in any area. This note is not intended to constitute advice in any specific situation. You should take legal advice in specific situations. All implied warranties and conditions are excluded, to the maximum extent permitted by law.