GDPR: Do you need help understanding what it means to you?
Over the past few months, we've seen our inboxes full to overflowing with emails from companies checking we still want to receive communications from them. These businesses are getting themselves compliant with the new GDPR legislation by asking customers to opt into marketing communications and view updated privacy policies, among other things.
You probably know GDPR is something to be aware of. However, like many of us running small or micro businesses, it's hard to know where to start. You need to be clear with what you have to do before the 25th May deadline, and what happens beyond that.
In this article, we will outline the steps you need to follow right now. Also, we will soon be releasing a brand-new GDPR document bundle. This will provide you with everything we think you need to have in place to confidently approach data protection as a self-employed paid carer.
What is GDPR and what does it mean for paid carers?
The GDPR comes into effect on 25th May 2018. While we still don’t know exactly what the final legislation will look like, we do know it will bring higher standards for handling personal data. It will include greater expectations for improved transparency, enhanced data security and increased accountability for processing personal data.
All businesses, whether one-man bands or large organisations, will have to comply with the GDPR. If you've already adopted good practice measures under the current Data Protection Act, you'll be in a strong position to comply with the GDPR provisions.
YtB will help you to look at the implications of processing personal data for your clients/service users.
The definition of personal data is ‘any information relating to a living individual who can be identified from that information’. This would include, for example, the name of the service user. It can even include indirect identification, ie information that could identify them such as their medication or details of a disability.
The new legislation is different, as it also extends the current meaning to include things like identification numbers and location data. It also includes other online information, for example, cookies and IP addresses. Pseudonymised information isn't personal data unless you also have information to allow the person to be identified.
Sensitive personal data
In addition to the existing categories, special or sensitive categories of personal data that are important to carers, include physical or mental health conditions and medical data, as well as things like genetic and biometric data.
The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data.
In practical terms, this means that as well as being comfortable you satisfy the conditions for processing data (which we detail below), you also need to consider what level of security is appropriate.
You must ensure any personal data you process is done in accordance with the data protection principles. It should be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure personal data records that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Are you a Data Controller or a Data Processor?
As a self-employed paid carer, you're considered to be a 'Data Controller'. This is the person who decides what data is needed and why, as well as how the personal data should be processed. As a Data Controller, you must ensure any personal data you process complies with the principles outlined above.
A 'Data Processor' means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
If you're unsure, you can always do a quick-check self assessment here
What do I need to do next?
As a self-employed paid carer, much of the GDPR will apply to you and elements of the work you carry out for your clients/service users, it sounds scary, but there are some fairly straightforward and practical steps you can take to prepare for compliance:
Register with ICO as a Data Controller. You can do this here. As a micro business it will cost you £35.00 a yea.
Review the data you keep, what, why, where and when it's deleted or updated.
Review any existing documents on data protection you have.
Put relevant/missing processes and documents into place and explain how you will deal with a data breach.
Review the consent mechanisms needed from your client/service user.
Ensure that if you have a team, they are aware of their obligations under the Act.
Help from YtB
YtB has put together a document bundle available to purchase for £25 to help you every step of the way. The bundle consists of:
- Data Audit Tool
- Data Protection Policy
- Privacy Impact Assessment Guide
- Data Breach Process
- Client Consent Form