So how does the General Data Protection Regulation (GDPR) affect installers in the glazing industry? This article hopes to give you, as installers, a little more information to add to what you may have read elsewhere to date, to help you on your way to GDPR implementation.
Do Installers have to implement GDPR?
Yes, of course, it’s mandatory for all firms in the UK – another law that has come from the EU which we have to implement as we will still be members before Brexit.
What’s the fine if you don’t implement GDPR?
Quite a lot actually, it’s up to 4% of turnover. 4% as a percentage doesn’t sound a lot, but even if you are a “small” installer of £1 million pa turnover, a 4% fine would be a sizeable £40,000 chunk straight off your bottom line.
What exactly is the GDPR again?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data.
It was adopted on 14 April 2016, and after a two-year transition period became enforceable on 25th May 2018. It will replace the Data Protection Act of 1998 in the UK, which was implemented over 20 years ago, long before Google, Facebook, Apple and other technology companies collected and processed the personal data from millions of people.
Where do Installers get the information they need to implement GDPR?
The best place is from the ICO (Information Commissioner’s Office) website. The ICO is the UK's independent body set up to uphold information rights. The UK Information Commissioner is Elizabeth Denham.
If you do an internet search for “ICO GDPR”, you will be able to find the ICO’s webpage which gives you a full Guide to GDPR, and how to implement it. They have provided a “data protection self-assessment toolkit” for SME’s, with checklists to help you on your way.
But it’s very useful to note that on this guide page there's a useful “What’s new” link to the left which will take you to a page where the ICO highlights what’s new in their Guide to the GDPR. If you look at the history in “What’s new”, you’ll see that a lot of the guidance wasn’t published until January onwards, and even now is still being added to and improved. So, whilst there has been a two-year transition period for firms to implement GDPR, to a large extent it was only earlier this year that the ICO had published a lot of its guidance for firms.
Also, if you go into their “Getting ready for the GDPR” page you will see that they state that they have produced a package of tools and resources to help you get ready. These resources include:
- A guide to the GDPR
- A “Getting ready for the GDPR” self-help checklist
- A GDPR FAQs document, including FAQS particularly for small firms
- A “12 steps to take now” graphic
- A new advice service helpline for small firms
This new advice service line is aimed at people running small businesses, it’s only recently been launched but has been needed for some time. To access the new service, you dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support. The webpage does, however, state they are experiencing a high number of calls.
ICO Twitter/Linkedin?
It’s useful if you follow the ICO on Twitter and LinkedIn, so you get their news feeds on the latest information. For example, in the last month, one useful news feed was that their new interactive lawful basis guidance tool offers indicative ratings for each lawful basis based on the answers you give to the questions the tool asks.
Anything else that might help?
No doubt the larger installation companies some of whom may have dedicated Data Protection Officers will be posting their updated Privacy Policies on their websites. These may be useful to read to compare to your own Privacy Policy if your processes are similar.
Installers should have fully implemented GDPR by 25th May 2018 or they could face a fine?
If you look at the ICO website, they publish monthly newsletters. You can read the full May 2018 newsletter here: http://ico.msgfocus.com/q/1AFL5SA15h/wv.
An extract from this newsletter by Elizabeth Denham states: "To small and micro businesses, clubs and associations who are not quite there, I say … don’t panic! As the new ICO Regulatory Action Policy, out for consultation very shortly, sets out, we pride ourselves on being a fair and proportionate regulator. That will continue under the GDPR. 25th May is not the end of anything, it is the beginning, and the important thing is to take concrete steps to implement your new responsibilities — to better protect customer data. My office has lots of resources to help you do that.”
So, from the above, it would appear that even if you have not as a business totally implemented GDPR already, you’ll be OK for a while if you can show you have taken concrete steps to implementing your new responsibilities and are progressing.
Have a question?
Call us on 0345 053 8975
Or send an email to [email protected]