The ultimate GDPR guide for protecting your small businesses
The GDPR is an extensive piece of legislation requiring organisations that store or otherwise process data of EU citizens or residents to abide by certain data protection rules and principles. Since the regulation came into force, companies must take the privacy of their customers' data extremely seriously, or face a costly fine.
The GDPR is applicable to any organisation, no matter its size and the GDPR applies to non-European businesses in some cases. Anything that contains personal data, even something as small as an email address, counts as personal data for which the GDPR applies. The process of becoming GDPR compliant might feel overwhelming for small businesses, but it doesn't have to fill you with terror! Just follow these 7 steps, and you'll be able to secure yourself, your business and its sensitive information.
This article is the first instalment in our Transformer Series, designed to enable you to become your very own cyber security and GDPR compliance transformer. From articles to workshops and everything in between, we will guide you through all the things you need to do to become GDPR compliant and cyber secure so you can rest easy knowing your business is GDPR compliant. And we'll even have a little fun in the meantime. Let's get started!
1 – Know your legal basis
You may have heard that you always need consent in order to process data, but consent is not the only legal basis your business can rely on. In fact, any one of six legal bases can be used and it's up to you to decide which legal basis applies to your specific situation and processing activity. For most (small) businesses, your lawful basis for processing personal data under the GDPR will be either consent, performance of a contract or legitimate interest. For the other lawful bases under GDPR, check out this explanation by the UK's ICO: Lawful bases for processing.
If you rely on consent, there are a few requirements that you need to follow with regards to obtaining consent from your data subjects.You will have to ask for permission in advance of the processing activity and the data subjects need to opt-in, rather than opt-out. You have to make clear that data subjects know what they're consenting to and they need to be able to easily withdraw their consent. Check out this website for more information on consent: General Data Protection Regulation and watch out for our article on The 7 elements of consent management coming on the 10th of March.
2 – Keep a processing registry
Keeping track of your processing activities is an essential part of GDPR compliance for small businesses and large enterprises at that. It helps your business comply with one of the data processing principles which has to do with accountability: Demonstrating your compliance to customers, your supply chain and the data protection authority.
Businesses should maintain a so-called processing registry that details what personal data is processed, how, why, for how long it is kept and what security measures are in place. The lawful basis for processing personal data from the first GDPR top-tip should also be recorded in your processing registry, for each piece of personal data your business processes. In order to fill out a processing registry, you will need to sit down (or stand up, a healthy work-habit that we can get on board with!) with your colleagues to identify how your company deals with personal data. It's a good idea to appoint one member of staff that is responsible for GDPR compliance, so you can keep an eye on your progress as well as have a clear point of contact for external questions.
3 – Write GDPR policies
4 – Website consent management: Did somebody say cookies?
What is a cookie banner?
In the same way that there are different types of cookies (chocolate-chip, macadamia, oatmeal-raisin), there are also different types of, well, cookies. Some enable your business to have access to your website visitors' personal information, some don't. For each non-anonymised cookie that your website uses, your business processes personal data. For those cookies, you will need to obtain consent from your website visitors and you can do that through a cookie banner.
A great way of obtaining your website visitor's consent is through a consent management platform that lets you personalise your cookie banner and the user's experience, keep track of consent and lets visitors very easily withdraw that consent. Keep an eye out for our upcoming article The 7 elements of consent management, where you can read all about consent management platforms, coming on the 10th of March, or have a look at this ICO cookie guidance in the meantime.
5 – Keep personal data safe
Keeping data safe is a great way to comply with the GDPR, but how do you go about it? We will take a crash-course in privacy by design and get wise to the power of risk assessments.
What is privacy by design?
Privacy by design is a GDPR principle that states that you must incorporate (or 'bake in', to keep to our cookie analogy) privacy into your processing activities and business practices. This simply means that you have to take privacy into account in everything you do, whether it's something technical like building a website or an app, or something we all do on a regular basis, like emailing. How can you incorporate privacy by design into your business? By, for instance, deciding not to send a document containing personal information via email, but instead using a secure sharing platform. Or by enabling encryption (basically a lock to which only you have the key) on your laptops or your app. You will have to identify each area of your processing activities and business practises that might carry a risk for your data subjects and choose an appropriate measure to mitigate that risk. This is where a risk assessment comes into play.
What is a risk assessment and what's in it for you?
A risk assessment is, as the name suggests, an assessment of what the potential risk might be for each processing activity and business practice that involves personal data from your data subjects. In this risk assessment, you will make an informed decision on how big the risk to your business and the data subjects is, and choose measures to mitigate those risks. Not only is carrying out a risk assessment a GDPR requirement, it will help you implement privacy by design and general cybersecurity into your business. Win-win.
If you want to read more about privacy by design, check out this article: Data Protection by Design and Default
6 – Incident Response
As a small business, you're legally required to have a good incident response plan, as if you didn't have enough to do already! But not to worry, we will tell you what to do in just one or two short paragraphs. When it comes to incident management in a small business, it is good to make a distinction between an incident and a data breach.
An incident is an event that impacts your communications or information processing systems, but not necessarily impacts personal data. A data breach is an incident that impacts the confidentiality, integrity or availability of personal data. The GDPR is only concerned with data breaches. In order to be GDPR compliant as a small business when it comes to data breaches, you need to follow a few simple steps:
- Keep detailed records of all events leading up to a data breach, the way it was discovered, what measures have been taken to resolve the data breach, whether or not the data breach has impacted data subjects and the measures taken to prevent it from happening again in the future.
- Even if you don�t have all the details of the data breach yet, you must notify the data protection authorities of the data breach within 72 hours of becoming aware of it;
- If the data breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, you must inform the data subjects themselves without undue delay.
7 – Help data subjects exercise their rights
The other rights data subjects have are the right to information, access, rectification, erasure, restriction and objection. All of the data subjects rights can be exercised through a request in writing or even verbally, for instance on the phone. It is your responsibility as a business to help data subjects exercise their rights as easily as possible and this small guide will make it easy for you to do so.
What is a subject access request, or SAR?
A subject access request is a request from an individual to receive a copy of their personal data and additional information they may request regarding your processing of their personal data. Subject access has to be granted and your business must reply to these requests without undue delay, in any case within one month. Make sure you share the personal information with them in an appropriately secured manner, for instance through a secure sharing platform.
The other data rights we mentioned, namely rectification, erasure, restriction and objection must be handled in the same manner as a subject access request. Make sure your business has a plan in place to deal with data subject requests regarding their rights and that all employees know what to do when they receive one. It's a good idea to appoint one member of staff to be the lead when it comes to data requests to keep an overview and make sure your business replies in the set time frame. Helping your data subjects access their rights will not only help you abide by GDPR and protect your data subjects, but protect your reputation as well. Read more about dealing with individual's rights regarding their personal data here: Individual rights.
And there you have it. 7 steps to GDPR compliance for small businesses.
Whether you're a lawyer, an accountant, a marketeer, a consultant or even a farmer, the GDPR requirements stay the same. We will be there for you in the form of this guide for all of your GDPR questions. Sign up to our newsletter if you want us to send the next instalments of our Transformer series straight to your mailbox and look out on social media for next week's article, where we zoom in on consent management with our collaborative author Usercentrics.
For now, have a great week and maybe a cookie (or two).