Following a series of recent high-profile data breaches, the EU has introduced strict new data rules, the European Union’s General Data Protection Regulation (GDPR), which come into effect on 25th May. In short, it governs how you collect, store and use data in your business, whether you are a huge corporation or a small livery yard. If you hold any data on your clients or employees, however minimal, and especially if you use it for marketing in any way, this applies to you!
Until now there have been very few rules on the storage and accessibility of personal data such as email addresses, contact numbers, postal addresses, dates of birth and the like. With the growing risk of fraudulent activity, unsolicited messaging and data breaches, people want to know who holds their data and what is being done with it. As a business owner, it is your responsibility to ensure you meet the new rules that come in this month.
You may think this does not apply to you and is aimed at large corporate businesses holding huge databases of personal information, but it is not! One of the main ways it affects equestrian businesses is that if you store people’s data or personal details electronically or as a hard copy, such as a client list, contracts or mailing lists, you need to meet the recommendations for keeping them safe and secure, and limit the extent to which the data you hold can identify an individual. Most importantly, you need people’s permission to keep any of their data (even if it is just an email address), you must tell them how it will be used, and you must tell them how they can ask to view or remove their data from your records at any time.
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the kinds of data companies now collect about people, online identifiers such as IP addresses now count as personal data. Other data, such as economic, cultural or mental health information, is also treated as personally identifiable information. Pseudonymised personal data, such as usernames, may also fall under the GDPR, depending on how easy or hard it is to work out whose data it is. Anything that counted as personal data under the Data Protection Act still qualifies as personal data under the GDPR: anything that can identify a person, their home, their contact details, their bank details, their family, their medical records and suchlike.
Another important factor to consider is whether you use CCTV at your place of business for security or workplace monitoring. Personal data means anything that can identify an individual, not just written information. This includes CCTV and employee monitoring, which will typically be considered high-risk activities. Employers are entitled to monitor employee activity, and many businesses use CCTV for security, especially if premises are left unattended or the business is high-risk, but they need a lawful basis to do it and they must tell employees, and anyone else who may be recorded at the premises, that monitoring is taking place. It is recommended that businesses carry out a data protection impact assessment (DPIA) to establish the extent to which monitoring is required, where and at what times, and keep a record of this assessment accessible at the place of business.
For hard copies, whether transferred to an electronic database or not, the same rules apply. Any forms or documents containing personal data must be stored securely with limited access. Documents such as livery contracts, horse passports and copies of insurance for clients or visiting service providers, which may carry a client’s contact details or address, must be secured away from public access. It may be worth updating livery contracts with a section on data policy, reducing the need for a separate consent form for future clients. Given the nature of the business, however, think about the documentation kept on the yard: if, for example, someone on the yard needs to get hold of an owner quickly in an emergency, who will be able to access those details, and will the restricted access affect the outcome? This is a good time to review your clients’ details to make sure you have up-to-date contact information, to renew and update your contracts and personal details forms, and to get rid of old paperwork and anything that is no longer relevant or that you cannot obtain consent to keep on file.
The new rules also apply to businesses that promote themselves via mailshots, whether from their own web server or through programmes such as MailChimp, and to marketing by telephone calls or texts. If you do not have people’s permission to store or use their data, sending them unsolicited marketing by phone or email is one sure way to draw attention to that! From 25th May you need people’s permission to store their details before you use them in any way, including sending them marketing and other communications. In effect, if you send communications after this date to anyone whose permission you do not have, you are breaking the law and they are well within their rights to report you for misusing their data.
- Carry out a data protection impact assessment (DPIA).
- Send out consent forms to your existing client base and mailing lists asking for permission to use and store their data.
- As of 25th May 2018, remove all records from your databases, electronic and hard copy, other than those of people who have given permission for their data to be used.
- Consolidate all your client data into one secure database or storage facility.
- Limit access to the data to only those for whom it is absolutely necessary.
- Undertake staff training on the new laws and the processes for your business.
- Assign strong, unique passwords and enforce periodic password rotation.
- Store CCTV recordings securely and encrypt them wherever possible.
- Add a clear and simple data policy to your website where it can be easily found.
- Do not allow access to, sell or share the database with any third parties.
- Have the facility to send individuals a copy of the data you hold about them, at their request.
- Have the facility to remove data at the request of individuals.
- Delete data once the purpose for which it was collected has been fulfilled.
There are various ways to obtain consent, but it must be an active, affirmative action by the person rather than passive acceptance such as pre-ticked boxes or opt-outs. The person in question needs to submit their details and actively check or uncheck a box to confirm their consent. You could do this through a sign-up page on your website, by email or by post, as long as you receive the consent. You must also keep a record of how and when each individual gave consent, and tell them that they may withdraw it at any time and have their details completely erased from your records. Ideally, refer them to the terms of your data use or to a data policy setting out how, where and when you will use their data. If your current way of obtaining consent does not meet these new rules, you will have to bring it up to scratch or stop collecting data under that model from when the new legislation comes in on 25th May 2018.
Failure to comply with these rules, such as sending unsolicited mail or a reported breach of data, will result in hefty fines for those involved: up to 4% of annual turnover (£400 per £10,000 of turnover). Even though the UK is due to leave the EU in the next 12 months, the GDPR will still apply to all businesses handling EU residents’ data, effectively replacing the Data Protection Act 1998. A Data Protection Bill put forward by the UK government in August 2017 essentially replicates the requirements of the GDPR in UK legislation, so those compliant with the GDPR should also be compliant with the new UK data protection law.
This can be a big upheaval for businesses that rely on web marketing using data collected over many years; it can mean losing much of your database and shrinking your marketing reach. However, by taking the steps to meet the new GDPR rules and telling clients and potential clients how, where and why you will use their data, you earn their respect and they know what to expect; as long as you make it clear how their data will be used, that the use is relevant and that you are meeting the new rules, it may even be good for business in the long run. It is also a good opportunity to dust off your database (parts of which may be many years out of date) and start afresh with a database of current clients and, for marketing, a list of people who genuinely want to hear about your business and what you have to offer.
The changes in the law and the introduction of the GDPR are overseen by the ICO (Information Commissioner’s Office), which offers a specific toolkit and support for small businesses. If your business handles personal data, you may need to register as a data controller with the ICO. Registration is a statutory requirement: every organisation that processes personal information must register with the ICO unless it is exempt. If you use CCTV at your business you must register; other businesses can use the self-assessment tool on the ICO website to see whether they need to register. Registration is quick and easy and costs only £35 a year. Failure to register is a criminal offence.