The GDPR (General Data Protection Regulation) has now come into force, and it represents one of the largest changes ever made to data protection. But as a sole trader, are the regulations important to you, or do they only affect big businesses? In this article, we’re going to consider the key points that you should know.
The first thing to be aware of is that yes – GDPR does affect you as a sole trader. It affects all businesses and organisations of any kind that are collecting information about EU citizens. As a result, it’s important that you have a good overview of what GDPR is and how it changes your business operations. At its core, GDPR is simply about giving EU citizens more control over their own data. It’s designed to help people understand what information an organisation holds, determine how they use it, and change it if necessary.
The biggest change that GDPR implements is that you now must have legal grounds in order to collect, store and process someone’s data. So if you’ve got a website, as most sole traders do these days, you can’t simply collect information about visitors and customers without having a good reason to do so. One of the larger misconceptions about GDPR is that you have to have consent for everything. While it’s true that consent is one of the main ways in which people will look to acquire legal grounds, and it’s also the easiest one to demonstrate, it’s not essential in every case. There are actually around six different grounds that you could use to justify the collection of data. As a sole trader, the likelihood is that you’ll be relying on a mixture of contract, legitimate interests and consent.
Legitimate interest is fairly vague, but generally refers to you having a genuine reason for collecting data that doesn’t encroach excessively on an individual’s privacy. B2B businesses will rely on this basis extensively – in theory, sending out sales or marketing emails to another business would come under this.
Contract is fairly straightforward, and means that you have to collect certain data in order to carry out your contract with a customer. For example, if you run a mobile car washing service, you cannot serve a customer without collecting their address, and if they book online you’d require their email. However, you’d have no reason to continue to store that data and then send out unsolicited marketing emails at a later date.
This leads us onto consent. If you want to collect or use someone’s data for something that doesn’t come under the other lawful bases, then you’d need to get proof of consent from them. This is why most websites now make you check a box for marketing purposes when you give out your email address.
There are a couple of other things that GDPR does that you should be aware of too. The first is that you need to report any data breaches to the Information Commissioner’s Office within 72 hours with as much detail as possible. So if hackers manage to get hold of customer data, you need to report it to the authorities. The other big thing to be aware of is that individuals will now have the right to request that you send them details of all the information you hold about them. You have to do this in a timely fashion, and you cannot refuse.
As previously mentioned, GDPR does have very far-reaching effects, but there are perhaps some areas that won’t apply to sole traders. The most notable of these is that, as an individual, you won’t need to hire or assign a data protection officer, because naturally you are the only person responsible. Smaller businesses too generally don’t need a dedicated data protection officer, even though it is advised under GDPR.
If you’re still unsure about GDPR and what it means for you, then you may find our free introductory guide useful. Alternatively, Virtual College is pleased to be able to offer a comprehensive course on the topic, which can be found here.