GDPR compliance guide for small businesses

If your company sells to, provides services to, or employs citizens of the European Union, then you must comply with the GDPR. Let’s briefly consider what the GDPR is, its key requirements and principles for small businesses, and what can make it easier to comply.

Note that requirements will vary based on the nature of your business and other factors. The recommendations in this GDPR compliance guide can help you manage and protect your data, but they are not a guarantee of GDPR compliance.  

Introduction to the GDPR for small businesses

The GDPR is an EU regulation intended to protect the privacy of people’s data. GDPR rights and protections cover anyone who lives in the EU, along with every EU citizen, wherever they live in the world. The GDPR contains principles and specific requirements for how data is collected and used, when and how it can be shared, and when it should be deleted.

Principles of the GDPR

GDPR article 5 lists principles for data processing.

If you and your employees have a solid grasp of these principles, it will be much easier to apply the GDPR and know what to do, and what not to do, in any situation where you handle personal data.

Here is a summary of GDPR principles and what they mean for your company:

Lawfulness, fairness and transparency

Only collect personal data if you have a legal basis for doing so. Don’t do anything with personal data that might harm or embarrass the person. Don’t deceive people about what you do with their data.

Purpose limitation

Don’t use the data for any other purposes than the ones listed in your policies and consent forms. Delete personal data you no longer need.

Data minimization

Don’t collect more data than you need. Don’t collect or keep personal and especially sensitive data if you don’t need to. Clean up your data storage regularly.

Accuracy

Make sure the personal data you collect is accurate, and keep the personal data you store up to date. It is a good idea to ask people from time to time if their information has changed.

Storage limitation

Set a retention period for data and stick to it. Inventory your data regularly. Don’t let personal data linger in your systems endlessly. Delete it.

Integrity and confidentiality

Keep people’s personal data safe. Protect data privacy with technical measures like passwords, ID verification, and encryption. Decide which of your people and departments should have access to personal and sensitive data, then put policies in place to make sure unauthorised persons will not see it.

Accountability

You are responsible for the data you and your employees store. Keep documentation of your data processing, storage practices, and staff training to demonstrate compliance and be ready to give people information about their data when they ask for it.

Types of data that get protection

You and your employees should know how to quickly recognize the types of data that are protected under the GDPR:

Personal data

Personal data is defined as data that can be linked to a certain person and used to identify them. This includes a person’s name, address, date of birth, IP address, and more. Most of the information and images of employees and customers will count as personal data. 

Sensitive personal data

Sensitive personal data is a specific category of data that gets special protection because its disclosure could cause the person harm or violate their privacy. This includes religion, trade union membership, ethnic origin, biometric data, DNA, etc. All data related to children and images of children should also be considered as special categories/sensitive data and treated with special care. 

Step-by-step GDPR compliance guide

This section describes some basic steps SMBs can take to get ready for the GDPR. The steps listed are based on information provided by the Publications Office of the European Union, along with our own tips to make compliance easier.

Step 1: Find out what data your company has collected and why

Map your data. Make an inventory of the personal data your company has collected and where it is and why it’s needed.  

Did you get consent, or have a legitimate reason for collecting the data? 

Our tip: DataMapper can help you discover, classify, and continuously monitor the sensitive information your company has collected.  

Step 2: Inform people when you collect their personal data

Let people know that you process their personal data and tell them why.  

If you ask people for an email address on your sign-up forms, make sure you link your privacy policy and state specifically what you intend to do with their information; for example, that you intend to send them promotions and news about your products. 

You can skip this in some cases, for instance, if someone orders something from you and provides you with a home address for delivery. 

You must also inform individuals about the personal data you hold about them, on request, and give them access to their data. Being organized with your data makes it easier to provide this information in a timely manner. 

Our tip: Use DataMapper to pull up a specific person’s data instantly in response to data subject access requests (DSARs). Add our RequestManager for easier request fulfillment.

Step 3: Set data retention limits and delete data you no longer need

Keep employee data: As long as the employment relationship and related legal obligations last. 

Keep customer data: As long as the customer relationship and related legal obligations last. 

Delete all personal data when you no longer use it for the purposes for which you collected it. 

Our tip: DataMapper highlights old and high-risk files so you can review and delete them to minimise risk. 

Step 4: Protect personal data

Limit access to high-risk files. Use encryption and strong passwords. Establish policies for employees to protect their emails, cloud accounts, devices and any physical documents that contain personal data to make sure unauthorized persons cannot gain access to them. 

Manage permissions on files and folders, save your files in centralized secure locations (such as OneDrive or SharePoint document libraries), and use data encryption when you share files with colleagues or share company files with people outside the company.

Our tip: DataMapper can tell you which of your team members stores the most sensitive data. Starting with these employees, make sure everyone follows your security policies. 

Step 5: Document your data processing activities

Prepare a short document explaining what types of personal data you hold and for what reasons. You might be required to make the documentation available to your national data protection authority if needed. 

Such a document should include the following information (with examples for a typical small business):

Purpose of data processing: alerting customers about special offers; providing home delivery; paying suppliers; salary and social security coverage for employees.

Types of personal data: contact details of customers; contact details of suppliers; employee data.

Categories of data subjects concerned: employees; customers; suppliers.

Categories of recipients: labor authorities; tax authorities.

Storage periods: employees’ personal data until the end of the employment contract (and related legal obligations); customers’ personal data until the end of the client/contractual relationship.

Technical and organizational security measures to protect the personal data: IT systems regularly updated; secured location; access control; data encryption; data backup.

Whether personal data is transferred to recipients outside the EU: use of a processor outside the EU (for example, storage in the cloud); data location of the processor; contractual commitments.

Our tip: The information you get on your DataMapper dashboard and risk documents tables can be used to demonstrate compliance in case of audit.

Step 6: Make sure your subcontractors respect the rules

If you sub-contract processing of personal data to another company, only use a service provider who guarantees that the processing complies with the requirements of the GDPR (for instance, security measures).

Our tip: As part of your data inventory, find out who your data processors are, and make sure they are listed in your privacy policy.

Step 7: Appoint a DPO or assign someone to oversee personal data protection

Appoint a Data Protection Officer (DPO) if:

• Processing personal data is a core part of your business.
• You process data on a large scale.

Small businesses may not be required to appoint a DPO. For example, if your business only collects data on your customers for home delivery, you should not need to appoint a DPO.

If you need a DPO, an SMB can assign an existing employee to cover DPO duties in addition to their other tasks, or hire an external consultant or service.

Our tip: Using automated data discovery makes it easy for anyone to perform DPO tasks.

Step 8: Consider performing Data Protection Impact Assessments (DPIAs)

Data Protection Impact Assessments are required for businesses that conduct activities that may pose special risks to personal data. For example, large-scale monitoring/video surveillance of a publicly accessible area where you would collect images of people, especially images of children.

On the other hand, if you are a small business that just manages employee wages, lists of clients, etc., you would not be required to perform Data Protection Impact Assessments.

Our tip: If you begin new or risky activities that involve processing personal data, performing a basic DPIA can be a good exercise to evaluate your own practices and can reduce the risk of data breaches and limit liability in case data is leaked. DataMapper makes it easy.

Sebastian Allerelli

Governance, risk, and compliance specialist