We get asked a lot about how to become compliant with GDPR so when we spoke to the ICO, this is what they said.
On 25th May 2018 the EU changed the data protection laws which will be called GDPR (General Data Protection Regulations). It is the responsibility of individuals to ensure they are GDPR complaint and it goes beyond how data is collected by a website.
If you have a basic enquiry form on your website that contains the following fields (for example):
- Name
- Tel
- Message [ free text area]
... you need to update your privacy policy to inform your customers how their data is protected and what you do with it, if they choose to fill in your enquiry form. No changes to your enquiry form are required, because the GDPR goes way beyond just an enquiry form on a website. Here are the first 2 simple steps you need to follow to become GDPR compliant for small businesses in UK.
GDPR Compliance for Small Businesses. Step 1
You would first need to work out 'how' you process data from a potential customer when you receive it. How you receive that data can vary and could be via telephone calls, a website enquiry form (see above) or written survey, etc. What you do with that data and further information you obtain from that customer (once they are a customer) is also part of the GDPR and is vital to the compliance. Every company is different in the way it handles customer data. The ICO requests that you MUST obtain a lawful basis to process data before you process any data. So you must choose which 'lawful basis for processing data' pertains to you and your business. There are 8 categories of lawful basis for processing data from which to choose that are supplied by the ICO as follows:
- Consent - see lawful basis for processing consent - ICO
- Contract - see lawful basis for processing contract - ICO
- Legal obligation - see lawful basis for processing legal obligation - ICO
- Vital interests - see lawful basis for processing vital interests - ICO
- Public task - see lawful basis for processing public task - ICO
- Legitimate interests - see lawful basis for processing legitimate interests - ICO
- Special category data (i.e. medical) - see lawful basis for processing special category data - ICO
- Criminal offence data - see lawful basis for processing criminal offence data - ICO
If you are unsure about which category you need to study, read them all and if you're still unsure call the ICO during office hours on 0303 123 1113. If, for instance, you are a therapist you should read the lawful basis for processing special category data.
GDPR Compliance for Small Businesses. Step 2
You also need to ensure you have clear written policies on how you look after your customers data in line with their right to be informed. Again you must contact the ICO to ensure your business is compliant with GDPR - it's your sole responsibility.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
All these then need to be added to your privacy policy, but please ensure you speak to the ICO beforehand to ensure you are compliant.
The ICO website explains these rights for you. See GDPR Individual rights explained by the ICO
See also How to prepare for GDPR and GDPR data protection laws
Privacy Policy Template
Make your own privacy notice
Need to know what to write in a privacy policy on a website? If you need some help to write a privacy notice for a business or company website, then you can use the privacy policy template provided by the ICO. More information and the policy templates you can use are on the ICO website here: Make your own privacy notice