GDPR compliance guide for small businesses

If your company sells to, provides services to, or employs citizens of the European Union, then you must comply with the GDPR. Let’s briefly consider what the GDPR is, its key requirements and principles for small businesses, and what can make it easier to comply.

Note that requirements will vary based on the nature of your business and other factors. The recommendations in this GDPR compliance guide can help you manage and protect your data, but they are not a guarantee of GDPR compliance.  

The GDPR is an EU regulation intended to protect the privacy of people’s data. GDPR right and protections cover anyone who lives in the EU, along with every EU citizen, wherever they live in the world. The GDPR contains principles and specific requirements for how data is collected and used, when and how it can be shared, and when it should be deleted. 

GDPR article 5 lists a string of principles for data processing. If you and your employees have a solid grasp of these principles, it will be much easier to apply the GDPR and know what to do —and what not do— in any situation where you handle personal data. Here is a summary of GDPR principles and what they mean for your company:

Lawfulness, fairness and transparency
Only collect personal data if you have a legal basis for doing so. Don’t do anything with personal data that might harm or embarrass the person. Don’t deceive people about what you do with their data.

Purpose limitation
Don’t use the data for any other purposes than the ones listed in your policies and consent forms. Delete personal data you no longer need.

Data minimization
Don’t collect more data than you need. Don’t collect or keep personal and especially sensitive data if you don’t need to. Clean up your data storage regularly.

Accuracy
Make sure the personal data you collect is accurate, and keep the personal data you store up to date. It is a good idea to ask people from time to time if their information has changed.

Storage limitation
Set a retention period for data and stick to it. Inventory your data regularly. Don’t let personal data linger in your systems endlessly. Delete it.

Integrity and confidentiality
Keep people’s personal data safe. Protect data privacy with technical measures like passwords, ID verification, and encryption. Decide which of your people and departments should have access to personal and sensitive data, then put policies in place to make sure unauthorised persons will not see it.

Accountability
You are responsible for the data you and your employees store. Keep documentation of your data processing, storage practices, and staff training to demonstrate compliance and be ready to give people information about their data when they ask for it.

You and your employees should know how to quickly recognize the types of data that are protected under the GDPR:

Personal data
Personal data is defined as data that can be linked to a certain person and used to identify them. This includes a person’s name, address, date of birth, IP address, and more. Most of the information and images of employees and customers will count as personal data. 

Sensitive personal data
Sensitive personal data is a specific category of data that gets special protection because its disclosure could cause the person harm or violate their privacy. This includes religion, trade union membership, ethnic origin, biometric data, DNA, etc. All data related to children and images of children should also be considered as special categories/sensitive data and treated with special care. 

This section describes some basic steps SMBs can take to get ready for GDPR. The steps listed are based on information provided through the Publications Office of the European Union here, along with our own tips to make compliance easier. 

Step 1: Find out what data your company has collected and why
Map your data. Make an inventory of the personal data your company has collected and where it is and why it’s needed.  

Did you get consent, or have a legitimate reason for collecting the data? 

Our tip: A data discovery tool can help you discover, classify, and continuously monitor the sensitive information your company has collected.  

Step 2: Inform people when you collect their personal data
Let people know that you process their personal data and tell them why.  

If you ask people for an email address on your sign-up forms, make sure you link your privacy policy and state specifically what you intend to do with their information; for example, that you intend to send them promotions and news about your products. 

You can skip this in some cases, for instance, if someone orders something from you and provides you with a home address for delivery. 

You must also inform individuals about the personal data you hold about them, on request, and give them access to their data. Being organized with your data makes it easier to provide this information in a timely manner. 

Our tip: Use a data discovery tool to pull up a specific person’s data instantly in response to Data subject accesss requests (DSARs). Add a DSR portal for easier request fulfillment. 

Step 3: Set data retention limits and delete data you no longer need
Make sure you only keep employee data as long as the employment relationship and related legal obligations last. Keep customer data as long as the customer relationship and related legal obligations last. Delete all personal data when you no longer use it for the purposes for which you collected it. 

Our tip: A data discovery tool highlights old and high-risk files so you can review and delete them to minimise risk. 

Step 4: Protect personal data
Limit access to high-risk files. Use encryption and strong passwords. Establish policies for employees to protect their emails, cloud accounts, devices and any physical documents that contain personal data to make sure unauthorized persons cannot gain access to them. 

Manage permissions to files and folders, centralized secure locations to save your files (OneDrive or SharePoint document libraries), and use data encryption if you share files with colleagues or share company files with others.

Our tip: A data discovery tool can tell you which of your team members stores the most sensitive data. Starting with these employees, make sure everyone follows your security policies. 

Step 5: Document your data processing activities
Prepare a short document explaining what types of personal data you hold and for what reasons. You might be required to make the documentation available to your national data protection authority if needed. 

Such a document should include the information listed below. 

 Our tip: The information you get from a data discovery tool can be used to demonstrate compliance in case of audit.  

Step 6: Make sure your subcontractors respect the rules
If you sub-contract processing of personal data to another company, only use a service provider who guarantees the processing in compliance with the requirements of the GDPR (for instance, security measures). 

Our tip: As part of your data inventory, find out who your data processors are, and make sure they are listed in your privacy policy. 

Step 7: Appoint a DPO or assign someone to oversee personal data protection
Appoint a Data Protection Officer (DPO) if: 

• If processing personal data is a core part of your business. 
• You process data on a large scale.  

Small businesses may not be required to appoint a DPO. For example, if your business only collects data on your customers for home delivery, you should not need to appoint a DPO.  

If you need to a DPO, an SMB can assign an existing employee to cover DPO duty in addition to his/her other tasks, or hire an external consultant or service. 

Our tip: Using automated data discovery makes it easy for anyone to perform DPO tasks.