Complying with GDPR as a small to medium-sized business
If your company sells to, provides services to, or employs citizens of the European Union, then you must comply with the GDPR. Let’s briefly consider what the GDPR is, its key requirements and principles for small businesses, and what can make it easier to comply.
Note that requirements will vary based on the nature of your business and other factors. The recommendations in this GDPR compliance guide can help you manage and protect your data, but they are not a guarantee of GDPR compliance.
Introduction to the GDPR for small businesses
The GDPR is an EU regulation intended to protect the privacy of people’s data. GDPR rights and protections cover anyone who lives in the EU, along with every EU citizen, wherever they live in the world. The GDPR contains principles and specific requirements for how data is collected and used, when and how it can be shared, and when it should be deleted.
Principles of the GDPR
GDPR article 5 lists a set of principles for data processing. If you and your employees have a solid grasp of these principles, it will be much easier to apply the GDPR and know what to do, and what not to do, in any situation where you handle personal data. Here is a summary of the GDPR principles and what they mean for your company:
Lawfulness, fairness and transparency
Only collect personal data if you have a legal basis for doing so. Don’t do anything with personal data that might harm or embarrass the person. Don’t deceive people about what you do with their data.
Purpose limitation
Don’t use the data for any other purposes than the ones listed in your policies and consent forms. Delete personal data you no longer need.
Data minimisation
Don’t collect more data than you need. Don’t collect or keep personal, and especially sensitive, data if you don’t need to. Clean up your data storage regularly.
Accuracy
Make sure the personal data you collect is accurate, and keep the personal data you store up to date. It is a good idea to ask people from time to time whether their information has changed.
Storage limitation
Set a retention period for data and stick to it. Inventory your data regularly. Don’t let personal data linger in your systems endlessly. Delete it.
Integrity and confidentiality
Keep people’s personal data safe. Protect data privacy with technical measures like passwords, ID verification, and encryption. Decide which of your people and departments should have access to personal and sensitive data, then put policies in place to make sure unauthorised persons will not see it.
Accountability
You are responsible for the data you and your employees store. Keep documentation of your data processing, storage practices, and staff training to demonstrate compliance, and be ready to give people information about their data when they ask for it.
Types of data that get protection
You and your employees should know how to quickly recognize the types of data that are protected under the GDPR:
Personal data
Personal data is defined as data that can be linked to a certain person and used to identify them. This includes a person’s name, address, date of birth, IP address, and more. Most information about, and images of, employees and customers will count as personal data.
Sensitive personal data
Sensitive personal data is a specific category of data that gets special protection because its disclosure could cause the person harm or violate their privacy. This includes religion, trade union membership, ethnic origin, biometric data, DNA, etc. All data related to children and images of children should also be considered as special categories/sensitive data and treated with special care.
Step-by-step GDPR compliance guide
This section describes some basic steps SMBs can take to get ready for the GDPR. The steps listed are based on information provided through the Publications Office of the European Union, along with our own tips to make compliance easier.
Step 1: Find out what data your company has collected and why
Map your data. Make an inventory of the personal data your company has collected and where it is and why it’s needed.
Did you get consent, or have a legitimate reason for collecting the data?
Our tip: A data discovery tool can help you discover, classify, and continuously monitor the sensitive information your company has collected.
Step 2: Inform people when you collect their personal data
Let people know that you process their personal data and tell them why.
You can skip this in some cases, for instance, if someone orders something from you and provides you with a home address for delivery.
You must also inform individuals about the personal data you hold about them, on request, and give them access to their data. Being organized with your data makes it easier to provide this information in a timely manner.
Our tip: Use a data discovery tool to pull up a specific person’s data instantly in response to data subject access requests (DSARs). Add a DSR portal for easier request fulfillment.
Step 3: Set data retention limits and delete data you no longer need
Make sure you only keep employee data as long as the employment relationship and related legal obligations last. Keep customer data as long as the customer relationship and related legal obligations last. Delete all personal data when you no longer use it for the purposes for which you collected it.
Our tip: A data discovery tool highlights old and high-risk files so you can review and delete them to minimise risk.
Step 4: Protect personal data
Limit access to high-risk files. Use encryption and strong passwords. Establish policies for employees to protect their emails, cloud accounts, devices and any physical documents that contain personal data to make sure unauthorized persons cannot gain access to them.
Manage permissions on files and folders, save files in centralized secure locations (such as OneDrive or SharePoint document libraries), and encrypt data when you share files with colleagues or share company files with others outside the company.
Our tip: A data discovery tool can tell you which of your team members stores the most sensitive data. Starting with these employees, make sure everyone follows your security policies.
Step 5: Document your data processing activities
Prepare a short document explaining what types of personal data you hold and for what reasons. You might be required to make the documentation available to your national data protection authority if needed.
Such a document should include the information listed below.
| Item to document | Example |
|---|---|
| The purpose of data processing | Alerting customers about special offers; providing home delivery; paying suppliers; salary and social security coverage for employees |
| The types of personal data | Contact details of customers; contact details of suppliers; employee data |
| The categories of data subjects concerned | Employees; customers; suppliers |
| The categories of recipients | Labor authorities; tax authorities |
| The storage periods | Employees’ personal data until the end of the employment contract (and related legal obligations); customers’ personal data until the end of the client/contractual relationship |
| The technical and organizational security measures to protect the personal data | IT system solutions regularly updated; secured location; access control; data encryption; data backup |
| Whether personal data is transferred to recipients outside the EU | Use of a processor outside the EU (for example, storage in the cloud); data location of the processor; contractual commitments |
Our tip: The information you get from a data discovery tool can be used to demonstrate compliance in case of audit.
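The data map from Step 1, the retention rules from Step 3 and the processing record from Step 5 fit together naturally, so here is an added example (not from the original page or from Safe Online’s products) that keeps a small inventory of personal-data holdings, flags entries whose retention period has expired, and summarises holdings per purpose. The categories, file locations and post-relationship retention periods are constructed assumptions, not legal advice.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical "related legal obligations" that outlast the relationship itself
# (for example accounting rules); constructed values, not legal advice.
RETENTION_AFTER_END = {
    "employee": timedelta(days=5 * 365),
    "customer": timedelta(days=2 * 365),
    "supplier": timedelta(days=2 * 365),
}

@dataclass
class InventoryEntry:
    """One row of the Step 1 data map: whose data, why it is held, and where."""
    subject_id: str
    category: str                     # employee, customer or supplier
    purpose: str                      # the Step 5 "purpose of data processing"
    location: str                     # e.g. a document-library path (constructed)
    relationship_end: Optional[date]  # None while the relationship is active

def deletion_due(entry: InventoryEntry) -> Optional[date]:
    """Date on which the entry must be deleted, or None while it is still in use."""
    if entry.relationship_end is None:
        return None
    return entry.relationship_end + RETENTION_AFTER_END[entry.category]

def overdue_entries(inventory: List[InventoryEntry], today: date) -> List[InventoryEntry]:
    """Entries whose retention period expired on or before `today` (Step 3)."""
    return [e for e in inventory
            if deletion_due(e) is not None and deletion_due(e) <= today]

def processing_record(inventory: List[InventoryEntry]) -> dict:
    """Step 5 summary: per purpose, which subject categories and locations are held."""
    record = {}
    for e in inventory:
        row = record.setdefault(e.purpose, {"categories": set(), "locations": set()})
        row["categories"].add(e.category)
        row["locations"].add(e.location)
    return record

def sample_inventory() -> List[InventoryEntry]:
    """Constructed sample data map; every value here is made up."""
    return [
        InventoryEntry("emp-1", "employee", "payroll", "hr/payroll.xlsx", date(2018, 1, 31)),
        InventoryEntry("emp-2", "employee", "payroll", "hr/payroll.xlsx", None),
        InventoryEntry("cust-1", "customer", "home delivery", "sales/orders.csv", date(2023, 3, 15)),
        InventoryEntry("sup-1", "supplier", "paying suppliers", "finance/vendors.csv", date(2021, 12, 1)),
    ]
```

Running `overdue_entries(sample_inventory(), date(2024, 6, 1))` returns the former employee and the former supplier, while the active employee and the recently ended customer relationship are kept.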
Step 6: Make sure your subcontractors respect the rules
If you sub-contract processing of personal data to another company, only use a service provider who guarantees the processing in compliance with the requirements of the GDPR (for instance, security measures).
Step 7: Appoint a DPO or assign someone to oversee personal data protection
Appoint a Data Protection Officer (DPO) if:
- processing personal data is a core part of your business, or
- you process data on a large scale.
Small businesses may not be required to appoint a DPO. For example, if your business only collects data on your customers for home delivery, you should not need to appoint a DPO.
If you need a DPO, an SMB can assign an existing employee to cover DPO duties in addition to their other tasks, or hire an external consultant or service.
Our tip: Using automated data discovery makes it easy for anyone to perform DPO tasks.
Step 8: Consider performing Data Protection Impact Assessments (DPIAs)
Data Protection Impact Assessments are required for businesses that conduct activities that may pose special risks to personal data, for example large-scale monitoring or video surveillance of a publicly accessible area where you would collect images of people, especially images of children.
On the other hand, if you are a small business that just manages employee wages, lists of clients, etc., you would not be required to perform Data Protection Impact Assessments.
Our tip: If you begin new or risky activities that involve processing personal data, performing a basic DPIA can be a good exercise to evaluate your own practices and can reduce the risk of data breaches and limit liability in case data is leaked. A data discovery tool makes it easy.
The easy way to comply with GDPR for SMBs
At Safe Online, we have developed the data discovery tool DataMapper. The tool is created for small and medium-sized companies to comply with GDPR. In addition, we have also designed RequestManager and ShareSimple.