The GDPR is an extensive piece of legislation requiring organisations that store or otherwise process the personal data of people in the EU to abide by certain data protection rules and principles. Since the regulation came into force, companies must take the privacy of their customers' data extremely seriously, or face a costly fine.
The GDPR applies to any organisation, no matter its size, and it also applies to non-EU businesses that offer goods or services to people in the EU or monitor their behaviour. Any information relating to an identifiable person, even something as small as an email address, counts as personal data to which the GDPR applies. The process of becoming GDPR compliant might feel overwhelming for small businesses, but it doesn't have to fill you with terror! Just follow these 7 steps, and you'll be able to secure yourself, your business and its sensitive information.
This article is the first instalment in our Transformer Series, designed to enable you to become your very own cyber security and GDPR compliance transformer. From articles to workshops and everything in between, we will guide you through all the things you need to do to become GDPR compliant and cyber secure so you can rest easy knowing your business is GDPR compliant. And we'll even have a little fun in the meantime. Let's get started!
You may have heard that you always need consent in order to process data, but consent is not the only legal basis your business can rely on. In fact, any one of six legal bases can be used and it's up to you to decide which legal basis applies to your specific situation and processing activity. For most (small) businesses, your lawful basis for processing personal data under the GDPR will be either consent, performance of a contract or legitimate interest. For the other lawful bases under GDPR, check out this explanation by the UK's ICO: Lawful bases for processing.
If you rely on consent, there are a few requirements you need to follow when obtaining consent from your data subjects. You will have to ask for permission in advance of the processing activity, and the data subjects need to opt in rather than opt out: pre-ticked boxes and silence don't count as consent. You have to make sure data subjects know what they're consenting to, and they need to be able to withdraw their consent as easily as they gave it. Check out this website for more information on consent: General Data Protection Regulation, and watch out for our article on The 7 elements of consent management coming on the 10th of March.
Keeping track of your processing activities is an essential part of GDPR compliance for small businesses and large enterprises alike. It helps your business comply with the accountability principle: demonstrating your compliance to customers, your supply chain and the data protection authority.
Businesses should maintain a so-called processing registry (the GDPR calls it a record of processing activities) that details what personal data is processed, how, why, for how long it is kept and what security measures are in place. The lawful basis for processing personal data from the first GDPR top-tip should also be recorded in your processing registry, for each category of personal data your business processes. In order to fill out a processing registry, you will need to sit down (or stand up, a healthy work-habit that we can get on board with!) with your colleagues to identify how your company deals with personal data. It's a good idea to appoint one member of staff who is responsible for GDPR compliance, so you can keep an eye on your progress as well as have a clear point of contact for external questions.
Apart from your processing registry, there are a few other GDPR policies small businesses need to have. We will go through those in detail in our upcoming article on the 7 GDPR policies small businesses need to have, coming on the 14th of April. We will briefly discuss the most (in)famous GDPR policies, the privacy and cookie policy, below. (Of course, a cookie policy would be completely unnecessary if you don't have a website or don't use cookies on your website, so for the sake of this article, let's assume that you have a website that uses cookies to process visitors' personal data in some way.)
These policies, which you may keep as two separate policies or combine into one, have to do with transparency about your personal data processing activities towards your (potential) customers and your supply chain. You can empower your data subjects through a clear privacy and cookie policy that not only informs them, but also lets them know how they can exercise their rights with regard to their data, for instance through a so-called Subject Access Request, or SAR (more on that below).
Your privacy and cookie policy is designed to ensure that you abide by the law and that your data subjects know what you're doing with their data, why you're doing it, who has access to it, how long you keep it, and that all of the above is communicated to them in a way that's easy to understand. Put these policies on your website where visitors can find them and update them whenever your processing changes, to make sure you comply with the GDPR on this front.
We mentioned cookies earlier, when we talked about your privacy and cookie policy as two of the most (in)famous GDPR policies small businesses should have. Having a cookie policy is not enough to make your business compliant on the cookie-front. You also need to have a cookie banner in some way, shape or form.
In the same way that there are different types of cookies (chocolate-chip, macadamia, oatmeal-raisin), there are also different types of, well, cookies. Some are strictly necessary for the service the visitor asked for, such as the cookie that keeps them logged in or holds their shopping basket, and those don't need consent. Others, such as analytics or advertising cookies, let your business or a third party collect information about your visitors, and through those cookies your business processes personal data. For those cookies, you will need to obtain opt-in consent from your website visitors before the cookie is set, and you can do that through a cookie banner.
A great way of obtaining your website visitors' consent is through a consent management platform that lets you personalise your cookie banner and the user's experience, keeps a record of who consented to what and when, and lets visitors withdraw that consent as easily as they gave it. Keep an eye out for our upcoming article The 7 elements of consent management, where you can read all about consent management platforms, coming on the 10th of March, or have a look at this ICO cookie guidance in the meantime.
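To make the cookie-banner rules above concrete, here is a small consent-gated cookie manager as an added example. It is not code from this article or from Naq, and every name in it (the `ConsentManager` and `MemoryCookieJar` classes, the `analytics` and `advertising` categories, the `_ga` and `ad_id` cookie names, the policy versions) is an illustrative assumption. The in-memory jar stands in for `document.cookie` so the example runs outside a browser; in a real site you would back it with `document.cookie` and persist the consent record. It shows the four properties the text asks for: non-essential cookies cannot be set before the visitor opts in, each category defaults to refused, withdrawal deletes the cookies already set, and consent given under an older version of your cookie policy no longer counts.

```javascript
// Added example (not from the article or Naq): opt-in, per-category cookie
// consent with an auditable record and easy withdrawal. All names are assumed.

const STRICTLY_NECESSARY = 'necessary'; // exempt from consent (session, basket)

class MemoryCookieJar {
  // Stand-in for document.cookie so this runs in Node as well as a browser.
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar, policyVersion, now = () => new Date()) {
    this.jar = jar;
    this.policyVersion = policyVersion; // bump when the cookie policy changes
    this.now = now;                     // injectable clock for deterministic records
    this.record = null;                 // null = banner not answered: no consent at all
    this.cookies = new Map();           // cookie name -> category (your cookie registry)
  }

  // Declare every cookie your site sets and the category it belongs to.
  register(name, category) { this.cookies.set(name, category); }

  // Opt-in: only categories the visitor actively ticked become true.
  // Anything not listed defaults to false, never to true.
  recordChoice(acceptedCategories) {
    const categories = {};
    for (const category of new Set(this.cookies.values())) {
      if (category === STRICTLY_NECESSARY) continue;
      categories[category] = acceptedCategories.includes(category);
    }
    this.record = {
      categories,
      policyVersion: this.policyVersion,
      timestamp: this.now().toISOString(), // who/when/what, for accountability
    };
    this.purgeWithheld();
    return this.record;
  }

  // Withdrawal is one call: drops every non-essential category and deletes
  // the cookies that were set under it.
  withdrawAll() { return this.recordChoice([]); }

  // Changing the policy invalidates earlier consent and removes the cookies
  // that relied on it until the visitor answers the banner again.
  updatePolicy(version) {
    this.policyVersion = version;
    this.purgeWithheld();
  }

  hasConsent(category) {
    if (category === STRICTLY_NECESSARY) return true;
    return this.record !== null
      && this.record.policyVersion === this.policyVersion
      && this.record.categories[category] === true;
  }

  // The only path for setting a cookie: refused unless its category is consented to.
  setCookie(name, value) {
    const category = this.cookies.get(name);
    if (category === undefined) throw new Error(`unregistered cookie: ${name}`);
    if (!this.hasConsent(category)) return false;
    this.jar.set(name, value);
    return true;
  }

  purgeWithheld() {
    for (const name of this.jar.names()) {
      const category = this.cookies.get(name);
      if (category !== undefined && !this.hasConsent(category)) this.jar.remove(name);
    }
  }
}

// Walk through a visitor's session with a fixed clock; returns the observations.
function demo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar, 'v1', () => new Date('2021-03-01T09:00:00Z'));
  cm.register('sessionid', STRICTLY_NECESSARY); // constructed cookie names
  cm.register('_ga', 'analytics');
  cm.register('ad_id', 'advertising');

  const r = {};
  r.necessaryBeforeChoice = cm.setCookie('sessionid', 'abc'); // allowed without consent
  r.analyticsBeforeChoice = cm.setCookie('_ga', 'GA1.1');     // refused: no opt-in yet
  r.recordTimestamp = cm.recordChoice(['analytics']).timestamp;
  r.analyticsAfterChoice = cm.setCookie('_ga', 'GA1.1');      // allowed: ticked
  r.adsAfterChoice = cm.setCookie('ad_id', 'x');              // refused: not ticked
  cm.withdrawAll();
  r.analyticsAfterWithdrawal = jar.get('_ga');                // deleted
  r.sessionAfterWithdrawal = jar.get('sessionid');            // kept: exempt
  cm.recordChoice(['analytics']);
  cm.setCookie('_ga', 'GA1.1');
  cm.updatePolicy('v2');
  r.analyticsAfterPolicyChange = cm.hasConsent('analytics');  // old consent void
  r.gaAfterPolicyChange = jar.get('_ga');                     // deleted again
  return r;
}
```

The consent record (categories, policy version, timestamp) is what you would keep alongside your processing registry to show a supervisory authority that consent was freely given and specific; storing it per visitor, for example against a pseudonymous consent id, is left to the site.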
Keeping data safe is a great way to comply with the GDPR, but how do you go about it? We will take a crash-course in privacy by design and get wise to the power of risk assessments.
Privacy by design is a GDPR principle that states that you must incorporate (or 'bake in', to keep to our cookie analogy) privacy into your processing activities and business practices. This simply means that you have to take privacy into account in everything you do, whether it's something technical like building a website or an app, or something we all do on a regular basis, like emailing. How can you incorporate privacy by design into your business? By, for instance, deciding not to send a document containing personal information via email, but instead using a secure sharing platform. Or by enabling full-disk encryption (basically a lock to which only you have the key) on your laptops, and encrypting the personal data your app stores and transmits. You will have to identify each area of your processing activities and business practices that might carry a risk for your data subjects and choose an appropriate measure to mitigate that risk. This is where a risk assessment comes into play.
A risk assessment is, as the name suggests, an assessment of what the potential risk might be for each processing activity and business practice that involves personal data from your data subjects. In this risk assessment, you will make an informed decision on how big the risk to your business and the data subjects is, and choose measures to mitigate those risks. The GDPR expects you to choose your security measures based on this kind of risk assessment, and for processing that is likely to carry a high risk for individuals (large-scale profiling, systematic monitoring, sensitive data) it requires a formal Data Protection Impact Assessment (DPIA). Either way, the exercise will help you implement privacy by design and general cybersecurity into your business. Win-win.
If you want to read more about privacy by design, check out this article: Data Protection by Design and Default
As a small business, you're legally required to be able to detect, handle and, where necessary, report personal data breaches, which in practice means having a good incident response plan, as if you didn't have enough to do already! But not to worry, we will tell you what to do in just one or two short paragraphs. When it comes to incident management in a small business, it is good to make a distinction between an incident and a data breach.
An incident is an event that affects your communications or information processing systems, but does not necessarily affect personal data. A data breach is an incident that affects the confidentiality, integrity or availability of personal data: it is lost, destroyed, altered, disclosed to or accessed by someone who shouldn't have it. The GDPR is only concerned with data breaches, and where a breach is likely to result in a risk to individuals it must be reported to the supervisory authority within 72 hours of you becoming aware of it. In order to be GDPR compliant as a small business when it comes to data breaches, you need to follow a few simple steps:
The other rights data subjects have are the right to information, access, rectification, erasure, restriction and objection. All of the data subjects' rights can be exercised through a request in writing or even verbally, for instance on the phone. It is your responsibility as a business to help data subjects exercise their rights as easily as possible, and this small guide will make it easy for you to do so.
Individuals have the right to be informed about the collection and use of their personal data. You must provide them with information about this processing activity at the time of collection, for instance through your privacy and cookie policy, as we discussed above. Individuals can exercise their right of access through something you may have heard of before, namely a subject access request, or SAR.
A subject access request is a request from an individual to receive a copy of their personal data and additional information regarding your processing of it, such as why you process it, who you share it with and how long you keep it. Subject access has to be granted free of charge in most cases, and your business must reply to these requests without undue delay, in any case within one month; that can be extended by up to two further months only for complex or numerous requests, and you must tell the individual about the extension within the first month. Verify that the requester is who they say they are before you send anything, and make sure you share the personal information with them in an appropriately secured manner, for instance through a secure sharing platform rather than plain email.
The other data rights we mentioned, namely rectification, erasure, restriction and objection, must be handled in the same manner and within the same time frame as a subject access request. Make sure your business has a plan in place to deal with data subject requests regarding their rights and that all employees can recognise one when they receive it, whatever channel it arrives through. It's a good idea to appoint one member of staff to be the lead when it comes to data requests, to keep an overview and make sure your business replies within the set time frame. Helping your data subjects exercise their rights will not only help you abide by the GDPR and protect your data subjects, but protect your reputation as well. Read more about dealing with individuals' rights regarding their personal data here: Individual rights.
Whether you're a lawyer, an accountant, a marketeer, a consultant or even a farmer, the GDPR requirements stay the same. We will be there for you in the form of this guide for all of your GDPR questions.
For now, have a great week and maybe a cookie (or two).
Book a 15-minute demo and discover how Naq can take the complexity out of your compliance.