Guide to GDPR Compliant Client Data Storage for SMEs
The GDPR (General Data Protection Regulation) came into force in May 2018, as the new European framework.
In the nearly three years since UK businesses have adapted to GDPR and data protection compliance is now a core part of business trading.
As we embark on a new trading year, still in the throes of the Coronavirus pandemic and with Brexit now a done deal, what does that mean for the GDPR – and what do British businesses need to know about safeguarding their customers’ data?
This article will summarise how UK data protection laws will change post-Brexit and what you need to do to remain compliant with the relevant legislation.
Does GDPR Still Apply to British Businesses After Brexit?
The answer is – yes, and no!
If UK companies want to trade with the EU or sell their products or services to European customers, then yes, GDPR is still essential.
The regulation is extraterritorial, which means that GDPR has an impact outside of the EU jurisdiction. For example, any company that trades internationally will need to be GDPR compliant to avoid potentially disastrous fines.
On the other hand, smaller businesses that trade exclusively within Britain’s confines will still need to think about data protection.
Relevant UK laws include:
Primarily, not a lot will change, since the DPA already covers all of the EU GDPR legislation requirements to bring it into UK law.
There isn’t a great deal of difference between the EU and UK GDPR either.
The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 set out amendments to the 2018 DPA, and merge it with European GDPR to create a data protection ruling that dictates how the UK manages data protection outside of Europe.
In a nutshell, if you have GDPR processes already in place, they remain relevant and crucial if any of your trading activities involve processing personal data.
What Do I Need to Do To Stay EU GDPR Compliant?
If you wish to continue selling your goods to European customers, you’ll need to revisit your GDPR systems to ensure you remain compliant. This applies to any transactions or activities from 1st January 2021.
The required steps include:
- Appointing a representative in the EU. They act as a local representative and a contact for the authorities.
- Identify the lead supervisory authority in the EU who will oversee your compliance.
- Revisit your contracts and documentation where data transfers are mentioned. It’s important to note that, as a country outside of the EU, the UK is a ‘third country’.
- Update your organisational policies and procedures to reflect these new points of contact, data controllers and systems.
While this might sound like a lot of work, it is vital to clarify whether you require ongoing European data protection safeguards.
The penalties for non-compliance can be exceptionally steep. As a third country business, if you trade with the EU or sell products to European customers and fail to meet GDPR requirements, you could be fined the greater of 4% of your annual turnover, or €20 million.
If you have any concerns about GDPR, whether you need to change any of your practises, or what it means for your business, do get in touch with The Law Firm Group.
Our business law teams will be more than happy to have a confidential discussion and recommend the best courses of action.
Can I Still Keep a Paper Filing System and be DPA Compliant?
A challenge for many smaller businesses is that, where filing systems are managed manually with paper-based records, they need to establish whether that client data storage falls under the scope of data protection.
The classification of a ‘relevant filing system’ is important, since it determines what regulatory procedures and compliance guidelines apply.
Under the DPA 2018, a relevant filing system is defined as:
- Sets of information not held electronically.
- Data that is structured in a way that is readily accessible and relatable to the individuals.
Therefore, it isn’t necessarily clear-cut. The best way to determine whether you are required to implement changes in adherence with the relevant data protection laws is to consult an experienced legal professional. We can consult with you, assess the systems you have in place, and make recommendations tailored to your business.
In general, the rule of thumb decided on in previous court cases, via the European Courts, Court of Appeal and Information Commissioner’s Office have made case-by-case decisions, based on the ‘temp test’.
This test uses the scenario of a temporary worker. Suppose such a temp could find information about an individual customer from a paper filing system without having any prior knowledge about the documentation or the storage mechanism, then yes. In that case, data protection applies, and the records are a relevant filing system.
Should they need instructions about terminology or how client records are kept from a more senior member of staff, then the personal data is not readily accessible, or structured so that a person without prior knowledge would be able to access it.
What Do I Need to Do To Comply With the Data Protection Regulation 2018?
If you have been through a GDPR compliance exercise, risk assessed the business activities and analysed how you access, process, store and disseminate customer data; you are probably already compliant.
However, it is never a bad thing to revisit your data protection processes. The UK’s departure from the EU and the knock-on impact on the relevant legislation is as good a time as any to ensure you have the right processes in place.
You can revisit the DPA 2018 guidelines and GDPR rules via the guide published by the Information Commissioner’s Office (ICO).
The Data Protection Act covers seven core areas:
- Accuracy of data you store or record.
- Limitations on how much data is stored.
- Identifying limited purposes for which data may be kept.
- Security of records and client data.
- Accountability for your systems and the safety of data.
- Minimising the data that is crucial to collect.
- The legality, parity and transparency applied to data processing.
In short, you can only collect and store data that is crucial to delivering the service to your customer. Businesses must only keep data for a defined purpose and must allow their clients access to the information held about them, including the opportunity to delete all such records.
For any help with assessing the robustness of your data protection strategies, or identifying whether amendments are required to remain compliant with EU laws past Brexit, do get in touch with The Law Firm Group!