
Complying with GDPR as a small to medium-sized business

If your company sells to, provides services to, or employs citizens of the European Union, then you must comply with the GDPR. Let’s briefly consider what the GDPR is, its key requirements and principles for small businesses, and what can make it easier to comply.

Note that requirements will vary based on the nature of your business and other factors. The recommendations in this GDPR compliance guide can help you manage and protect your data, but they are not a guarantee of GDPR compliance.  

Introduction to the GDPR for small businesses

The GDPR is an EU regulation intended to protect the privacy of people’s data. GDPR rights and protections cover anyone who lives in the EU, along with every EU citizen, wherever they live in the world. The GDPR contains principles and specific requirements for how data is collected and used, when and how it can be shared, and when it should be deleted.

Principles of the GDPR

GDPR article 5 lists a set of principles for data processing. If you and your employees have a solid grasp of these principles, it will be much easier to apply the GDPR and know what to do (and what not to do) in any situation where you handle personal data. Here is a summary of the GDPR principles and what they mean for your company:

Lawfulness, fairness and transparency
Only collect personal data if you have a legal basis for doing so. Don’t do anything with personal data that might harm or embarrass the person. Don’t deceive people about what you do with their data.

Purpose limitation
Don’t use the data for any other purposes than the ones listed in your policies and consent forms. Delete personal data you no longer need.

Data minimization
Don’t collect more data than you need. Don’t collect or keep personal and especially sensitive data if you don’t need to. Clean up your data storage regularly.

Accuracy
Make sure the personal data you collect is accurate, and keep the personal data you store up to date. It is a good idea to ask people from time to time whether their information has changed.

Storage limitation
Set a retention period for data and stick to it. Inventory your data regularly. Don’t let personal data linger in your systems endlessly. Delete it.

Integrity and confidentiality
Keep people’s personal data safe. Protect data privacy with technical measures like passwords, ID verification, and encryption. Decide which of your people and departments should have access to personal and sensitive data, then put policies in place to make sure unauthorised persons will not see it.

Accountability
You are responsible for the data you and your employees store. Keep documentation of your data processing, storage practices, and staff training to demonstrate compliance, and be ready to give people information about their data when they ask for it.


Types of data that get protection

You and your employees should know how to quickly recognize the types of data that are protected under the GDPR:

Personal data
Personal data is defined as data that can be linked to a certain person and used to identify them. This includes a person’s name, address, date of birth, IP address, and more. Most information about, and images of, employees and customers will count as personal data.

Sensitive personal data
Sensitive personal data is a specific category of data that gets special protection because its disclosure could cause the person harm or violate their privacy. This includes religion, trade union membership, ethnic origin, biometric data, DNA, etc. All data related to children and images of children should also be considered as special categories/sensitive data and treated with special care. 

Step-by-step GDPR compliance guide

This section describes some basic steps SMBs can take to get ready for the GDPR. The steps listed are based on guidance published by the Publications Office of the European Union, along with our own tips to make compliance easier.

Step 1: Find out what data your company has collected and why
Map your data. Make an inventory of the personal data your company has collected, where it is stored, and why it is needed.

Did you get consent, or have a legitimate reason for collecting the data? 

Our tip: A data discovery tool can help you discover, classify, and continuously monitor the sensitive information your company has collected.  

Step 2: Inform people when you collect their personal data
Let people know that you process their personal data and tell them why.  

If you ask people for an email address on your sign-up forms, make sure you link your privacy policy and state specifically what you intend to do with their information; for example, that you intend to send them promotions and news about your products. 

You can skip this in some cases, for instance, if someone orders something from you and provides you with a home address for delivery. 

You must also inform individuals about the personal data you hold about them, on request, and give them access to their data. Being organized with your data makes it easier to provide this information in a timely manner. 

Our tip: Use a data discovery tool to pull up a specific person’s data instantly in response to data subject access requests (DSARs). Add a DSR portal for easier request fulfillment.

Step 3: Set data retention limits and delete data you no longer need
Make sure you only keep employee data as long as the employment relationship and related legal obligations last. Keep customer data as long as the customer relationship and related legal obligations last. Delete all personal data when you no longer use it for the purposes for which you collected it. 

Our tip: A data discovery tool highlights old and high-risk files so you can review and delete them to minimise risk. 

Step 4: Protect personal data
Limit access to high-risk files. Use encryption and strong passwords. Establish policies for employees to protect their emails, cloud accounts, devices and any physical documents that contain personal data to make sure unauthorized persons cannot gain access to them. 

Manage permissions on files and folders, save your files in centralized secure locations (OneDrive or SharePoint document libraries), and use data encryption when you share files with colleagues or share company files with outside parties.

Our tip: A data discovery tool can tell you which of your team members stores the most sensitive data. Starting with these employees, make sure everyone follows your security policies. 

Step 5: Document your data processing activities
Prepare a short document explaining what types of personal data you hold and for what reasons. You might be required to make the documentation available to your national data protection authority if needed. 

Such a document should include the information listed below. 

| Information | Examples |
|---|---|
| The purpose of data processing | Alerting customers about special offers; providing home delivery; paying suppliers; salary and social security coverage for employees |
| The types of personal data | Contact details of customers; contact details of suppliers; employee data |
| The categories of data subjects concerned | Employees; customers; suppliers |
| The categories of recipients | Labor authorities; tax authorities |
| The storage periods | Employees’ personal data until the end of the employment contract (and related legal obligations); customers’ personal data until the end of the client/contractual relationship |
| The technical and organizational security measures to protect the personal data | IT systems regularly updated; secured location; access control; data encryption; data backup |
| Whether personal data is transferred to recipients outside the EU | Use of a processor outside the EU (for example, storage in the cloud); data location of the processor; contractual commitments |

Our tip: The information you get from a data discovery tool can be used to demonstrate compliance in case of an audit.


Step 6: Make sure your subcontractors respect the rules
If you sub-contract the processing of personal data to another company, only use a service provider who guarantees that the processing complies with the requirements of the GDPR (for instance, on security measures).

Our tip: As part of your data inventory, find out who your data processors are, and make sure they are listed in your privacy policy. 

Step 7: Appoint a DPO or assign someone to oversee personal data protection
Appoint a Data Protection Officer (DPO) if:

  • Processing personal data is a core part of your business.
  • You process data on a large scale.

Small businesses may not be required to appoint a DPO. For example, if your business only collects data on your customers for home delivery, you should not need to appoint a DPO.  

If you need a DPO, an SMB can assign an existing employee to cover DPO duties in addition to his/her other tasks, or hire an external consultant or service.

Our tip: Using automated data discovery makes it easy for anyone to perform DPO tasks. 

Step 8: Consider performing Data Protection Impact Assessments (DPIAs)
Data Protection Impact Assessments are required for businesses that conduct activities that may pose special risks to personal data. One example is large-scale monitoring or video surveillance of a publicly accessible area, where you would collect images of people, especially images of children.

On the other hand, if you are a small business that just manages employee wages, lists of clients, etc., you would not be required to perform Data Protection Impact Assessments.

Our tip: If you begin new or risky activities that involve processing personal data, performing a basic DPIA can be a good exercise to evaluate your own practices and can reduce the risk of data breaches and limit liability in case data is leaked. A data discovery tool makes it easy. 

The easy way to comply with GDPR for SMBs

At Safe Online, we have developed the data discovery tool DataMapper. The tool is designed to help small and medium-sized companies comply with the GDPR. We have also developed RequestManager and ShareSimple.

DataMapper - find your sensitive data
ShareSimple - send and receive data securely in Outlook
RequestManager - process data subject requests easily

Sebastian Allerelli

Founder & COO at Safe Online
Governance, Risk & Compliance Specialist