One year into the GDPR’s enforcement, small and large businesses alike are still underprepared.
As a result, we’ve decided to write a guide particularly for small businesses like yours. It touches on these common mistakes while providing a compliance roadmap that gives you a clear path forward.
Does the GDPR Apply to My Business?
The GDPR applies to you if your business is based in the EU or processes the personal data of EU residents and the following applies:
- You collect, store or process personal data in any format. For example:
- Website cookies
- Payment information
- Delivery details
- Employee personal data
- Collection, storage and processing of personal data on behalf of another company
Your Compliance Roadmap
1. Make a team
You might be a small business, but chances are you didn’t build your business, policies, and IT infrastructure yourself.
Make your team representative of the parts of your business that might handle, secure, or govern personal data.
Your team is going to be responsible for all the following parts, like mapping your data flows, reviewing policies and legal contracts, and fixing those gaps.
We’d recommend your team comprise of your CEO and your main legal, IT, and HR people (if you have them).
2. Map data flows
‘Data mapping’ has become a buzzword across the industry, particularly in the realm of GDPR compliance. Because it’s so important to the rest of your compliance process (not to mention it’s hard and tedious!), loads of businesses advertise their ability to do the data mapping for you.
But the prospect is often too good to be true, unless you’re willing to pay more than small businesses usually have. The reason is because data is so often stored all over the place:
At the end of the day, you’re probably going to have to do this yourself.
So how do you do data mapping?
Start with your team: ask them what types of personal data they or their staff handle. From there, start building a list that answers these questions:
- What type of data is it? (for example, CCTV footage, email addresses, IP address)
- How sensitive is it? (Note: race or ethnicity, biometric or health data, and sexual or political orientation are particularly sensitive under the GDPR)
- Why do you have it? What are your reasons for processing the data?
- What legal basis for processing are you using? (Consent, contract, legitimate interests, legal obligation, vital interests, public task)
- Where is it stored?
- How long are you going to keep it?
- How is it secured?
- Who has access to it?
- Do you transfer it out of the company?
- Do you transfer it out of the country?
Once you’ve answered these questions for each type of personal data you collect, store that information in a single document. Congratulations, you’ve not only completed a data mapping exercise but you’ve also made a record of processing activities (GDPR Article 30).
3. Review documentation
You should also make sure you have an internal data protection policy that describes your procedures around data handling, access, collection, storage, deletion, and disclosures to third parties.
Since the GDPR requires specific information to be disclosed to the authorities and affected parties in the event of a data breach, you should have templates and policies that describe the notification and breach response process.
If you transfer data to third parties, make sure you have a data processing agreement in place that ensures that your data processors abide by GDPR requirements like transparency, security, and privacy by design.
If you transfer data outside the EEA, make sure you have the appropriate contracts in place that bind businesses to meeting GDPR obligations. You can do this through standard contract clauses or binding corporate rules.
4. Fix Gaps
Once you’ve reviewed your policies and processes against GDPR requirements, it’s time to fix any mismatches or gaps in your compliance programme. Here are some common areas where organisations have trouble:
Subject Access Requests and Rights Compliance
The GDPR gives new rights to individuals, such as the right to access, transport, delete, and restrict their personal data. These all impose new technical and organisational obligations on organisations.
For example, giving people the right to data portability implies that you’ve stored the data in a structured format, like CSV or JSON (XML or PDF could work too, depending what the data is.)
Giving people the right to erasure also means that you have to coordinate with all data processors and make sure that they delete the information in question.
And complying with a data access request means that you have to have performed that data mapping activity and can access all the data you hold on the individual along with information on how it’s processed and stored.
There are a few caveats that make this response process a little more complicated.
First off, before you start dumping data on every customer that submits an access request, you need to verify their identity. In the cybersecurity field, we worry that this access request process will be an easy way for imposters to get sensitive information from unwitting businesses. Make sure you have an authentication process in place before you give transfer personal data.
The second complication is that the GDPR gives 30 days to comply with the request (unless the request is particularly complex or if you’re receiving an influx of requests). That means that generally, you’re going to have to do the following steps in a relatively short time span.
- review of the request’s legitimacy
- data gathering
- communication to the individual
That’s why you need policies and procedures at each step of the process, as well as a record of processing activities to know where data is and why you process it.
The GDPR has very specific items for organisations to include in their privacy notices:
- The identity of the data controller (you) and contact information
- A description of the types of data they collect and process
- Purposes and legal basis for processing
- Recipients or categories of recipients of the data
- Details regarding transfers outside the EEA
- Details regarding how long data will be stored
- A list of the rights afforded to data subjects, and actionable ways of exercising them
- The right to lodge a complaint with the supervisory authority
- Details regarding the logic and consequences of any automated decision-making
On top of this information, the GDPR advises organisations to make sure they write clearly (not in legalese), preferably in a layered fashion (e.g. dropdowns, clickable sections) and present this information to the data subject before you collect personal data from them.
5. Educate Staff
Finally, you need to train employees who handle personal data (or who make the policies for those people) in proper data handling and data hygiene.
You should also educate management, particularly your data protection officer or equivalent point person, in GDPR requirements.
Since the GDPR is unlike most other data protection laws, we recommend investing in educational content specific to the GDPR itself rather than general data protection and cybersecurity training.
Since different roles will interact with the GDPR in different ways, it’s ideal to get training tailored to those specific functions (such as IT, HR, C-suite/management).
1. The GDPR Exempts Small Businesses. False
You may have heard that the GDPR carves out some exceptions for small businesses. Keep in mind, though, that the exception only covers formal record-keeping requirements.
And at the end of the day, you’ll probably find that this is something you’ll want to fill out for your own data mapping and documentation purposes anyway.
In fact, the path to compliance looks very similar for small and large organisations alike.
2. Get Consent for Everything. False
The GDPR added a requirement that organisations need to have a “lawful basis for processing” personal data and raised the requirements on consent, one of the six bases you can use.
You’d think that people would use consent less, given the stricter requirements, but that doesn’t seem to be the case.
In fact, the GDPR wants people to use consent less because
- it’s a bad way to protect privacy because it preys on people’s irrationality in understanding the long-term impacts of data disclosure.
- constantly asking for explicit affirmation is a logistical burden on both user and business.
3. You Always Need a DPO. False
Appointing a Data Protection Officer (DPO) is a costly task, and the GDPR recognizes the burden by reserving the requirement to organisations that meets one of two conditions (see the graphic below).
Otherwise, you should have someone in charge of your privacy programme (a “privacy point person”) but that’s different from a DPO, which is a legally defined position with certain requirements and obligations under the GDPR.
Do you need a DPO?
4. GDPR fines are €20 million or 4% of global revenue. Partly True
This is the maximum fine that the Data Protection Authority (DPA) can impose. There are actually two tiers of fines based on what you did wrong.
Tier 1 is up to €10 million or 2% of global revenue for instances like failing to fulfill your obligations as a controller or processor (such as data protection impact assessments, data protection by design and default, etc.).
Tier 2 is indeed up to €20 million or 4% of global revenue for infractions like messing up your lawful bases of processing, failing to provide data subject rights, or transferring personal data outside the EEA without appropriate safeguards.
But with all this in mind, the DPA will rarely impose such large fines, particularly on small businesses. DPAs can give sanctions like reprimands, warnings, and processing restrictions, all of which don’t involve monetary fines.
All this information may feel overwhelming, but that’s why Sovy exists as a business – to simplify the compliance process for you and help you through each step.
The Sovy GDPR Privacy Essentials are a set of tools that help you through each step of the process outlined above.
Our guided self-assessment helps you walk through the GDPR’s requirements and build your record of processing activities.
Sovy uses that information to give you a detailed gap analysis that highlights the problems in your compliance programme and identifies actionable solutions.
You’ll also have access to in-depth guidance on tricky topics like setting up your subject access request procedures or figuring out whether you need a DPO.
Finally, Sovy provides a suite of educational training courses tailored to different business roles. All this, in a single easy-to-use platform at an affordable rate for a small business.