While preparation for the GDPR may be running at a good clip in businesses large enough to dedicate the time and resources to examining what they need to do to close the gap to compliance, many small and micro businesses are struggling to find the room, and perhaps the budget, for anything outside of what they do day-to-day to run a great business and serve their customers. The GDPR, however, is not aimed only at large businesses: any business that is established in the EU, or that processes the personal information of individuals in the EU, falls into scope. With that in mind, it’s important for small and micro businesses to put their best foot forward and firm up what actions they can take to meet the requirements in the run-up to the enforcement date of May 25th.

At its core, the GDPR is about providing transparency in how you collect personal information, ensuring you process it on a fair and lawful basis, providing suitable protections for it and enabling individuals’ rights while you are a custodian of their data.

Where to start?

If you’re a sole trader or a small operation with a handful of staff, the good news is that for many of you a few well-targeted adjustments to how you do business can likely close the bigger compliance gaps that come into scope of the GDPR and put you on the right course to fuller accountability. As with anything that requires effort and has a reward, you’re going to need to dedicate time and thinking to developing your approach. If you’re a member of a small business group or know other small business owners who could benefit, consider organising a workshop (as I’ve seen happen here in the co-working community of Boxworks) to pool your shared knowledge and experience in tackling the challenges you face in becoming compliant.

Somebody needs to take charge

This project needs an owner and, in many small businesses, unless you’re hiring outside help, you won’t be looking too far to find your GDPR project lead. It could be you, or one of your staff who may be better suited to the role. Whoever it is, it is important that they have the authority to approach the task from an unbiased perspective: they need to be able to ask the hard questions about how and why you are processing personal information, assess the protections you afford it and measure how well your business meets its obligations under the GDPR. Whether you assign a small GDPR taskforce or a single individual, they need to have the power to instigate change.

Keeping Track

It’s important to have a systematic approach to planning and executing your GDPR compliance project. If you don’t already have a favourite project management application, and you think pen and paper may not be enough, something like a kanban approach using Trello could be just what you need to keep track of to-do, in-progress and completed items, whether working with a small team or just for yourself.


I’ve put together a Trello Board that you can use as a guideline for your GDPR compliance project:

GDPR Small Business Compliance Tasks

Start with Awareness

Whatever the size of your business, it’s important that your staff are clear on the role that they play in helping your business achieve compliance. Assigning a person with the responsibility of ensuring staff training and implementation of the measures required to achieve compliance with the GDPR is key.

Accountability – Discover your Data

To meet your Article 30 obligations, you should create a record of your processing activities. It is an important exercise and likely the first time many small businesses will have sat down and considered all the data that they collect and manage in their business. A useful approach to beginning this exercise is to consider the various business processes that enable your operations. At what point is personal information given to you (e.g. a service application)?

  • Record the purpose you collect it for;
  • Assign risk levels to the data - (Low, Medium, High);
  • Note whether each data item is considered a sensitive category of data under the GDPR;
  • Record the legal basis for processing;
  • Identify any processors and sub-processors involved in processing what you collect and note the data that is transferred to them;
  • Assess if you can enable Data Subject rights against the information that you collect and process.
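The Article 30 record described above is, in practice, a small register with a fixed set of fields per processing activity. The following is an added example (not code from the original post) that models that register in Python and runs consistency checks over it: the entries are constructed sample data, and the checks fold in the post's later points that consent must be as easy to withdraw as it was given and that every processor you share data with needs a contract. Field names, the risk tiers and the sample purposes are assumptions for illustration.

```python
"""Record-of-processing register with consistency checks (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Lawful bases named in GDPR Article 6(1); a register entry must cite one of these.
LAWFUL_BASES = {
    "consent", "contract", "legal obligation",
    "vital interests", "public task", "legitimate interests",
}
RISK_LEVELS = {"Low", "Medium", "High"}
# Rights the post says you should be able to facilitate for data you hold.
CORE_RIGHTS = ("access", "erasure")


@dataclass
class ProcessingActivity:
    """One row of the Article 30 record (field names are assumed, not from the post)."""
    purpose: str
    data_items: List[str]
    risk: str                         # Low / Medium / High
    sensitive: bool                   # special-category data under the GDPR
    lawful_basis: str
    processors: List[str] = field(default_factory=list)
    contracted_processors: List[str] = field(default_factory=list)
    rights_supported: List[str] = field(default_factory=list)
    consent_withdrawal: str = ""      # how consent is withdrawn (consent basis only)


def check_activity(act: ProcessingActivity) -> List[str]:
    """Return the gaps found in a single register entry (empty list = no findings)."""
    findings: List[str] = []
    if act.risk not in RISK_LEVELS:
        findings.append(f"risk level '{act.risk}' is not one of {sorted(RISK_LEVELS)}")
    if act.lawful_basis not in LAWFUL_BASES:
        findings.append(f"lawful basis '{act.lawful_basis}' is not an Article 6 basis")
    # Special-category data should not sit below the highest risk tier.
    if act.sensitive and act.risk != "High":
        findings.append("sensitive-category data recorded with risk below High")
    # Consent must be as easy to withdraw as it was to give.
    if act.lawful_basis == "consent" and not act.consent_withdrawal:
        findings.append("consent basis without a documented withdrawal method")
    # Every processor needs a contract stipulating how it processes the data.
    for p in sorted(set(act.processors) - set(act.contracted_processors)):
        findings.append(f"processor '{p}' has no recorded contract")
    for right in CORE_RIGHTS:
        if right not in act.rights_supported:
            findings.append(f"cannot yet facilitate the right of {right}")
    return findings


def check_register(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Map each purpose to its findings; purposes with no findings map to []."""
    return {act.purpose: check_activity(act) for act in register}


# Constructed sample register for a small business; purposes and system names are made up.
SAMPLE_REGISTER = [
    ProcessingActivity(
        purpose="Service application",
        data_items=["name", "email", "postal address"],
        risk="Medium", sensitive=False, lawful_basis="contract",
        processors=["crm-provider"], contracted_processors=["crm-provider"],
        rights_supported=["access", "erasure", "portability", "rectification"],
    ),
    ProcessingActivity(
        purpose="Newsletter",
        data_items=["email"],
        risk="Low", sensitive=False, lawful_basis="consent",
        processors=["mailing-service"],      # no contract recorded yet
        rights_supported=["access"],         # erasure not yet facilitated
    ),
    ProcessingActivity(
        purpose="Health questionnaire",
        data_items=["name", "medical history"],
        risk="Medium", sensitive=True, lawful_basis="legitimate interests",
        rights_supported=["access", "erasure"],
    ),
]


if __name__ == "__main__":
    for purpose, findings in check_register(SAMPLE_REGISTER).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{purpose}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run as a script it prints one line per purpose plus its findings; in the sample the service application passes, the newsletter is flagged for missing withdrawal method, an uncontracted processor and no erasure process, and the health questionnaire is flagged because special-category data is recorded below High risk. The checks are deliberately simple so a non-developer can read them against the bullet list above and add their own.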

Transparency

Businesses need to be far more transparent with their customers than has typically been the case in the past about how they collect and process personal information. Gone are the days of burying your privacy info in pages of legalese. It needs to be easily accessible and easily understood. Relevant privacy information should be delivered in-context to the user at the point of data collection.

If you don’t have a Privacy Policy for your business, get one in place as soon as possible. This is where you will meet many of the transparency obligations that the GDPR requires. Give your customers clarity on the purposes for which you collect personal information, how you process it, the parties you share it with, and the protections and procedures you have in place to meet your obligations. Do not do a copy-and-paste job, and do not use a privacy policy generator unless you go through its output with a fine-tooth comb. Too often I’ve heard it said that “my website generates my privacy policy automatically for me”. Each privacy policy needs to be tailored to the business it relates to. It is not a tick-the-box exercise. You need to put real thinking into what goes into this document, as it is one of the most visible items to your customers that demonstrates your commitment to their privacy. Anything that you do put in there, be sure that you can back it up with action. The ICO has a good reference guide on what you should be considering for your privacy notice, as does Fort Privacy, who clearly illustrate the information that you are required to display.

Data Subject Rights

Consider, for the personal information that you hold, how you will deliver an individual’s rights under the GDPR. It is important to be aware that an individual’s rights are not absolute and, in some cases, can be overridden (e.g. by another lawful basis such as a legal obligation). You should be considering how to facilitate these rights by putting in place procedures to handle access requests for information relating to a customer, requests for erasure, and so on. Don’t forget that your staff are individuals too!

Data Breach Procedure

Aside from procedures to handle individuals’ rights, you should be putting in place action plans to respond to a potential data breach. None of us thinks it will happen to us, but the stats don’t lie, and the key to successful management of such an event is being proactive about planning for it rather than reactively chasing your tail trying to figure out how best to respond in crisis mode. You have 72 hours from becoming aware of a breach to notify the Supervisory Authority, and you also have notification obligations to the individuals affected.

Lawful Basis for Processing

This will be a big one for many small businesses as it may not have been something actively considered before. For each purpose that you collect and process personal information, it should be under a valid lawful basis of processing. Your privacy policy information should be updated to reflect the various lawful bases that you process information under and in some cases, depending on your current accountability with the regulation, you may need to reach out to your customers, inform them of your processing activity and seek consent (if that is the basis you will be processing under) to process their information.

Consent

If consent is a legal basis that you process personal information under, you will need to assess whether you hold valid consent under the GDPR. To be valid, consent must be:

  • Freely given;
  • Specific to the purposes it was collected for;
  • Informed;
  • Active opt-in consent;
  • As easy to withdraw as it was to give.

As I've noted previously, I see consent as problematic for many small businesses if they are unable to demonstrate that they attained valid consent. If this is the basis that you are processing personal information on (including for such processing as sending newsletters and promotional offers), you should consider if you hold valid consent from your customers. If not, you may need to run a re-permission campaign to do so before May 25th, the GDPR enforcement date.

GDPR & Children

If you are processing the personal information of minors, you should have procedures in place to verify the age of the individual and to gain consent for processing from their parent or legal guardian.

Security

You should review the applications you use to process data and the technical protections you have in place to ensure its safety. Liaise with IT and solutions experts to determine whether the systems you have in place provide adequate protections and enable you to deliver on your obligations to individuals and their rights. Consolidating the personal information your business processes into fewer systems makes it easier to manage, to protect and to enable individuals’ rights. If you manage the personal information of your customers across spreadsheets or unstructured documents, now may be the right time to invest in a CRM that can put better controls around it and a secure file-sharing mechanism that better enables you to meet the requirements of the GDPR. You should be keeping personal information out of email unless there are appropriate protections on it and you are able to meet the individual’s rights using that system (right to erasure, accuracy, portability etc.).

The GDPR is a technology agnostic regulation. It does note however in Article 32 that having taken into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

Now obviously, cost could be a barrier to many small businesses affording the state of the art and the GDPR is pragmatic about this. You should assess your capability, the resources that you have available, the risk relating to the types of processing that you are doing and the likely impact on the individuals should your protective measures fail. It’s a balancing act between aspiration and the reality of what is achievable. Be pragmatic but make considered, purposeful and consistent progress towards improving the security measures you have in place.

Data Protection Responsibility

Some companies, either because of their size (> 250 employees), the types of processing that they undertake (high risk, monitoring large groups of people) or the sensitivity of the information that they process (see sensitive categories of data under GDPR) are mandated to appoint a Data Protection Officer. This role comes with legal responsibilities.

If you are not required to appoint a DPO, you still need the expert knowledge on hand either through in-house appointment or external relationships to be able to respond to your data protection needs. It is well worth investing in the training and resources needed to have this expertise available for your business. Compliance is an ongoing exercise that takes constant monitoring and improvement as requirements and practices evolve. Having a person dedicated to ensuring your business meets these challenges is key.

Review your Suppliers and Third Parties

If you share the personal information of your customers with any suppliers or third parties (e.g. cloud-based SaaS services), ensure that you have a contract with them that clearly stipulates how they are to process the information that you share. It is important to understand whether the information you share with them is then processed by further sub-processors, what protections they have on the data that you share and whether you can still enable your customers’ rights as conferred under the GDPR. For transfers outside the EU this could be through model contracts, binding corporate rules, adequacy decisions or an appropriate mechanism such as Privacy Shield for transfers to the U.S. Your customers should be informed of these relationships, and of how their data may be processed by third parties, via your Privacy Policy.

GDPR Preparation Info Sheet

I've compiled a list of the areas you should be thinking about as a small business for your GDPR preparation. Download your free GDPR preparation for small businesses info sheet.

I hope this guide has been of some use to you in starting your compliance journey. Beyond doing your initial discovery exercise to highlight your current gaps, compliance is an ongoing effort that takes consistent monitoring and implementation to ensure that it is enforced and evolves with the business. The GDPR is a mind-shift for many and drives home that the business does not own the data that it holds – it is merely a custodian of it. Those who embrace the GDPR with both hands will stand to have a competitive advantage with their customers by demonstrating that they take their obligations to them seriously and isn’t that the kind of operation that they should want to do business with?


How can I help?

I work with a multidisciplinary team covering the Technical, Operational and Legal aspects of compliance. If you're struggling with meeting your Data Protection needs feel free to reach out and see if I can help.

- Alan


Author

Alan Mac Kenna


Development & Data Protection Consultant
