Does GDPR apply to Small business (SMEs)? Will SMEs get fined? Are you scared about a €20 Million fine for your company? There is a solution to this.
This year GDPR is coming that is binding to all companies and organizations handling data of all individuals within the EU. From now on, your company can be held liable for the data it collects and uses. Fines up to €20 Million or 4% of annual turnover can be imposed. This company was fined $250 Million, even before the GDPR was in place. But this can be totally avoided!
Are you ready for GDPR? If yes, read more to see if you have everything in place.
Not ready yet? Follow the steps below to be GDPR ready!
Step 1: Be aware of what GDPR is and what it means for your company (even if you’re an SME)
GDPR is a regulation of the Parliament and of the Council which comes into force on May 25th. As a regulation it affects companies and their customers as much as a national law. Decision makers and key people in the organization must now identify what processes of the company are not GDPR compliant and should analyze the kind of resources that will be required to tackle this in time for the GDPR implementation. UK’s ICO provides in-depth information of what the GDPR is and all that you must know regarding it. If you are a small business owner (SMEs) than GDPR affects you as well.
Our GDPR-glossary would help you to understand the various terminologies that is relevant. You must also know where your company stands in relation to the GDPR compliance. You can take this gap assessment to find out!
Step 2: Document all personal data your company holds
GDPR requires you to maintain records of processing activities. GDPR does not take SME owners out. You have to do this.
Your organization must document all the data that it holds, where it came from and how it uses that data if it somehow refers to an identifiable person. Furthermore, your organization must be able to submit up-to-date reports, so called records of processing activities (RPA), to the competent data protection authority at all times.
The development of the records of processing activities is also a key step because it enables the company to evaluate the whole process and understand where corrective measures have to be taken. Without such a record, no compliance to any further requirement of GDPR can ever be achieved!
Need help with organizing your data for GDPR compliance?)
If you need help figuring out how you can record processing activities, this tool will help you organize your data.
Step 3: Inform everyone concerned through a privacy notice
The individuals whose data your company uses must be informed through a privacy notice detailing in simple terms what kind of data you obtain, in what ways you obtain it, for which purposes you need it and, in case, if you are transferring the data to countries outside the EEG.
Do you need a privacy notice? With this tool you can create a first draft that meets the legal requirements.
Step 4: Checking if your data processing adheres to the individual rights
Now that you have sorted your data, you have to legally review all procedures concerning personal data. Are they compliant to GDPR or not? The answer is complex and usually work of a lawyer. Generally, you must keep in mind that processing activities concerning personal related data might affect the rights of the individuals. Those processing activities therefore always have to be justified.
Step 5: Consent for SMEs and its customers
The normal way to justify proceedings is also the most important pillar of data protection: consent! Your company should review how you seek, record, and manage consent.It is important that the consents meet the new GDPR standard, so your company must perhaps review and refresh all consents. SMEs owners have to also do this and all the time.
For example, it is necessary to keep the grammar and content of the consent easy and in an understandable format which can be understood by anyone. UK’s ICO provides a consent guidance guide that is a useful tool in defining consents as per the GDPR.
Step 6: Requests for subject access regardless if you’re an SME
Your company should update the procedures and must plan how you will handle subject access requests to take account of the new rules. In most cases, you will not be able to charge for complying with a request.
You will have a month to comply, rather than the current 30 days.
You can refuse or charge for requests that are excessive, but you will need to provide the requests with a machine-readable format of their data. If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.
Step 7: Outsourcing of data processing
When your company works with a data processor, it should review the outsourcing contracts of data processing to comply with the GDPR. First, make sure you own those contracts, which is not always the case with free cloud services. At the latest on request of the competent data protection authority, you must be able to present the contracts. After all, these contracts must also be compliant with the GDPR and there is a high probability that they have to be adjusted.
Step 8: Data Protection Officer (DPO)
Probably your company has to appoint a DPO to take responsibility for the regulatory compliance.
This DPO will report to the highest position in the firm and has to make sure the company will take the needed measures to have its processes and information flow according to the GDPR. Some special aspects regard to the mandatory need of a DPO apply, however, it is a good idea to have a specialized role within the organization.
Another option is a virtual DPO, that can help your company be GDPR compliant. The best part is that it costs much lesser and reduces company man-hours involved by 75%!
GDPR for SMEs might not directly have a DPO requirement but if SMEs process special category of data such as health data. It would good to hire a DPO externally or part-time internally.
Step 9: Data Protection Impact Assessment and Protection by Default and Design
Your company has to evaluate deeply the type of processing activities it will require for each data it collects to analyze the risks it may cause to the data subject. Every software used, activity performed and measure taken must have protection by design. It ensures that there will be no breaches and no vulnerability regarding the security of this data and no harm to the rights of the data subject.
If the processing activities or the data is susceptible to high risks, an impact assessment must be performed to evaluate the right measures to be taken to minimize this risks. Important aspects to grant this security are pseudonymization, minimization of the data, ensuring the erasure of data according to the consent deadlines, and granting access to the data subject.
Step 10: Data breaches and notifications
Your company must adopt internal procedures and require the same to third-party partners, in order to deal with data breaches.
Those procedures should include identification of the actual data breach, investigation of the circumstances of the breach, and assessment of the implications it may cause both to the company and to the data subject regarding his privacy.
One thing to remember is that the information should be notified to the Supervisory Authority in no more than 72 hours when the data subjects are exposed to some kind of risk, and in those cases, the data subject also have to be notified.
Links and Further Information
Data Protection Authorities in EU countries
This list provides the websites of the Data Protection Authorities in your country. You can find more specific content for your region from the corresponding website.
Get help preparing for the GDPR
If you want to find out more about preparing for the GDPR, you should take a look at our GDPR webinar series. Each presentation covers a different aspect of the Regulation, such as data flow mapping, risk assessments, and data protection by design.