While preparation for the GDPR may be running at a good clip in businesses large enough to dedicate time and resources to closing their compliance gaps, many small and micro businesses are struggling to find the room, and perhaps the budget, for anything outside the day-to-day work of running a great business and serving their customers. The GDPR, however, is not aimed only at large businesses: any business that is established in the EU, or that processes the personal information of individuals in the EU, falls into scope. With that in mind, it is important for small and micro businesses to put their best foot forward and firm up what actions they can take to meet the requirements in the run-up to the enforcement date of May 25th.
At its core, the GDPR is about being transparent in how you collect personal information, ensuring you process it under a fair and lawful basis, providing suitable protections for it, and enabling individuals' rights while you are a custodian of their data.
Where to start?
If you're a sole trader or a small operation with a handful of staff, the good news is that for many of you a few well-targeted adjustments to how you do business can close the bigger compliance gaps that the GDPR brings into scope and put you on the right course to fuller accountability. As with anything that requires effort and has a reward, you will need to dedicate time and thought to developing your approach. If you're a member of a small business group or know other small business owners who could benefit, consider organising a workshop (as I've seen happen here in the co-working community of Boxworks) to pool your shared knowledge and experience in tackling the challenges you face in becoming compliant.
Somebody needs to take charge
This project needs an owner, and in many small businesses, unless you are hiring outside help, you won't have to look far to find your GDPR project lead. It could be you, or a member of staff who is better suited to the role. Whoever it is, they must have the authority to approach the task from an unbiased perspective: they need to be able to ask the hard questions about how and why you process personal information, assess the protections you give it, and measure how well your business meets its obligations under the GDPR. Whether you assign a small GDPR taskforce or a single individual, they need the power to instigate change.
It's important to have a systematic approach to planning and executing your GDPR compliance project. If you don't already have a favourite project management application, and you think pen and paper may not be enough, something like a kanban approach using Trello could be just what you need to keep track of to-do, in-progress and completed items, whether you are working with a small team or just for yourself.
Start with Awareness
Whatever the size of your business, it’s important that your staff are clear on the role that they play in helping your business achieve compliance. Assigning a person with the responsibility of ensuring staff training and implementation of the measures required to achieve compliance with the GDPR is key.
Accountability – Discover your Data
To meet your Article 30 obligations, you should create a record of your processing activities. It is an important exercise, and likely the first time many small businesses will have sat down and considered all the data that they collect and manage. A useful way to begin is to consider the various business processes that enable your operations. At what point is personal information given to you (e.g. a service application)? For each item of personal information you identify:
- Record the purpose you collect it for;
- Assign risk levels to the data - (Low, Medium, High);
- Note whether each data item is considered a sensitive category of data under the GDPR;
- Record the legal basis for processing;
- Identify any processors and sub-processors involved in processing what you collect and note the data that is transferred to them;
- Assess whether you can enable Data Subject rights against the information that you collect and process.
Businesses need to be far more transparent with their customers than has typically been the case in the past about how they collect and process personal information. Gone are the days of burying your privacy info in pages of legalese. It needs to be easily accessible and easily understood. Relevant privacy information should be delivered in-context to the user at the point of data collection.
Data Subject Rights
For the personal information that you hold, consider how you will deliver an individual's rights under the GDPR. Be aware that these rights are not absolute and, in some cases, can be overridden (e.g. by another lawful basis such as a legal obligation). You should be working out how to facilitate procedures for handling access requests for the information you hold about a customer, requests for erasure, and so on. Don't forget that your staff are individuals too!
Data Breach Procedure
Aside from procedures to handle individuals' rights, you should be putting in place action plans to respond to a potential data breach. None of us thinks it will happen to us, but the stats don't lie, and the key to managing such an event successfully is being proactive about planning for it rather than reactively chasing your tail trying to work out how best to respond in crisis mode. You have 72 hours from becoming aware of a breach to notify the Supervisory Authority, and you also have notification obligations to the individuals involved.
Lawful Basis for Processing
If consent is the legal basis under which you process personal information, you will need to assess whether you hold valid consent under the GDPR. To be valid, consent must be:
- Freely given;
- Specific to the purposes it was collected for;
- Active opt-in consent;
- As easy to withdraw as it was given;
As I've noted previously, I see consent as problematic for many small businesses if they are unable to demonstrate that they obtained valid consent. If this is the basis on which you are processing personal information (including for processing such as sending newsletters and promotional offers), you should consider whether you hold valid consent from your customers. If not, you may need to run a re-permission campaign before May 25th, the GDPR enforcement date.
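The Article 30 record described above, the four tests of valid consent, and the 72-hour breach clock can all be captured in a small structured register that checks itself. The following is an added example, not code from the original post; the field names, risk levels, the rights checked and the sample newsletter entry are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RISK_LEVELS = ("Low", "Medium", "High")
# The four tests of valid consent listed in the post.
CONSENT_CRITERIA = ("freely_given", "specific", "active_opt_in", "easy_to_withdraw")
RIGHTS = ("access", "erasure", "portability")

@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    data_items: list
    risk: str                       # Low / Medium / High
    sensitive: bool                 # special-category data under the GDPR?
    lawful_basis: str               # e.g. "consent", "contract"
    processors: dict = field(default_factory=dict)      # processor -> data shared
    consent: dict = field(default_factory=dict)         # criterion -> bool
    rights_enabled: dict = field(default_factory=dict)  # right -> bool

def check_activity(a):
    """Return the list of gaps for one register entry; empty means no finding."""
    gaps = []
    if not a.purpose or not a.lawful_basis:
        gaps.append("purpose and lawful basis must both be recorded")
    if a.risk not in RISK_LEVELS:
        gaps.append(f"risk level {a.risk!r} is not one of {RISK_LEVELS}")
    if a.sensitive and a.risk == "Low":
        gaps.append("sensitive category data rated Low risk")
    if a.lawful_basis == "consent":
        missing = [c for c in CONSENT_CRITERIA if not a.consent.get(c)]
        if missing:
            gaps.append("consent not valid: missing " + ", ".join(missing))
    for proc, shared in a.processors.items():
        if not shared:
            gaps.append(f"processor {proc}: data transferred not recorded")
    gaps += [f"cannot deliver right to {r}" for r in RIGHTS if not a.rights_enabled.get(r)]
    return gaps

def breach_notification_deadline(aware_at_iso):
    """72 hours from becoming aware of a breach, returned as an ISO-8601 string."""
    return (datetime.fromisoformat(aware_at_iso) + timedelta(hours=72)).isoformat()

# Constructed sample entry (assumed, not from the post): consent given but not easily withdrawn.
NEWSLETTER = ProcessingActivity(
    "Newsletter", "Send monthly offers", ["email"], "Low", False, "consent",
    processors={"mailing-service": ["email"]},
    consent={"freely_given": True, "specific": True, "active_opt_in": True},
    rights_enabled={"access": True, "erasure": True, "portability": True})
```

Running `check_activity(NEWSLETTER)` reports the single gap that the consent is not as easy to withdraw as it was given, which is exactly the kind of finding a re-permission campaign would need to address.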
GDPR & Children
If you are processing the personal information of minors, you should have procedures in place to verify the age of the individual and to gain consent for processing from their parent or legal guardian.
You should do a review of the applications you use to process data and the technical protections you have in place to ensure its safety. Liaise with IT & solutions experts to determine if the systems you have in place provide adequate protections and enable you to deliver on your obligations to individuals and their rights. Consolidating the personal information your business processes into fewer systems makes it easier to manage, to protect and to enable the individuals' rights. If you manage the personal information of your customers across spreadsheets or unstructured documents, now may be the right time to invest in a CRM that can put better controls around it and a secure filesharing mechanism that better enables you to meet the requirements of GDPR. You should be keeping personal information out of email unless there are appropriate protections on it and you are able to meet the individual’s rights by using that system (right to erasure, accuracy, portability etc).
The GDPR is a technology-agnostic regulation. It does note, however, in Article 32 that having taken into account "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".
Now obviously, cost could be a barrier to many small businesses affording the state of the art and the GDPR is pragmatic about this. You should assess your capability, the resources that you have available, the risk relating to the types of processing that you are doing and the likely impact on the individuals should your protective measures fail. It’s a balancing act between aspiration and the reality of what is achievable. Be pragmatic but make considered, purposeful and consistent progress towards improving the security measures you have in place.
Data Protection Responsibility
Some companies, either because of their size (> 250 employees), the types of processing that they undertake (high risk, monitoring large groups of people) or the sensitivity of the information that they process (see sensitive categories of data under GDPR) are mandated to appoint a Data Protection Officer. This role comes with legal responsibilities.
If you are not required to appoint a DPO, you still need the expert knowledge on hand either through in-house appointment or external relationships to be able to respond to your data protection needs. It is well worth investing in the training and resources needed to have this expertise available for your business. Compliance is an ongoing exercise that takes constant monitoring and improvement as requirements and practices evolve. Having a person dedicated to ensuring your business meets these challenges is key.
Review your Suppliers and Third Parties
I hope this guide has been of some use to you in starting your compliance journey. Beyond doing your initial discovery exercise to highlight your current gaps, compliance is an ongoing effort that takes consistent monitoring and implementation to ensure that it is enforced and evolves with the business. The GDPR is a mind-shift for many and drives home that the business does not own the data that it holds – it is merely a custodian of it. Those who embrace the GDPR with both hands will stand to have a competitive advantage with their customers by demonstrating that they take their obligations to them seriously and isn’t that the kind of operation that they should want to do business with?