Guide to GDPR for small businesses
No matter what size your business is, if you are collecting and processing personal data the General Data Protection Regulation (GDPR) applies to you!
Personal data is any information that relates to an identified or identifiable living person. This could be information like a name, address, or telephone number. Personal data can also be information that, when collected together, can lead to the identification of a particular person by their habits or tastes, such as an IP address. Whether you collect or process personal data on a small or large scale, you come under the scope of the GDPR as a data controller. You must comply with the data protection rules in the GDPR when you process personal data.
You also have to be aware of the scope of the GDPR. This is outlined in Article 3 of the Regulation. In simple terms, it defines how far the GDPR reaches, covering not only the transfer of data but also an organisation's obligation to comply with the GDPR requirements.
For example, if you sell products and export them to people in the EU or the UK, then the GDPR may apply to your collection of people's data. If you are in the United States and sell goods to residents of the EU, you have to comply with the GDPR and have a representative in the EU to act as a point of contact for your customers. The same now applies to the UK, now that it has left the EU.
What is the purpose of the GDPR to a small business?
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The GDPR is a legal framework that sets guidelines for the collection and processing of personal data from individuals who live in the European Union. The regulation aims to protect the personal information of individuals and give them more control over how their data is processed.
The use of data has grown to such an extent that people are giving their information away multiple times a day. With the devices used today, from phones that could run a small business to biometric entry to buildings, the data organisations process is huge.
When the first data protection laws came out in the 80s they only covered electronic data, not paper, and did nothing to protect people's data in the way data is used today. The GDPR brings all of that into one single regulation and standardises the rules across all the EU countries, so they are all working from the same song sheet.
The GDPR is also now the foundation of all other countries' data protection laws. Take POPIA, South Africa's data protection law: it is based on the GDPR, with the same principles, the same data subject rights, and so on. The CCPA is the same, and so on.
GDPR is a very important piece of regulation and goes a long way to protecting people’s personal data.
How can a small business become GDPR compliant?
For small businesses, GDPR compliance can seem a daunting task, but here is a GDPR compliance checklist of what your business needs to have in place to reach an appropriate level of operational GDPR compliance.
Your policies are essential for the internal application of data protection and as guidance for employees on handling data. Employees must understand how to keep data secure, who their point of contact for data protection matters is, how to handle Data Subject Access Requests, the procedure for dealing with a breach, and so on. Internal policies, when adhered to, can save your business time and money by ensuring these situations are handled correctly.
Do not write policies in legal speak, quoting Articles of law in really long, detailed documents. They may look clever and make you feel that you have covered all the bases, but no one who works for you will understand them. Write your policies in simple, plain language that every employee will understand. Give a policy to a 10-year-old and ask them to read it: if they understand it, it is a good policy.
Keep them short, 10-15 pages at most, and split them up into separate policies: a breach policy, a subject rights policy, and so on.
It is important to keep 3 main types of logs/registers for data protection compliance: a data breach log, data subject rights log, and processing activities workbook.
Data Breach Log
A data breach log is where you record the details of any data breaches or data incidents, such as: when the breach occurred, who was involved, what data was breached, the impact of the breach, and how it was handled. This register is vital to demonstrate the steps taken to mitigate the risks a data breach poses to the business and to the data subjects affected.
This is one of the main logs you will be asked for by a Supervisory Authority if you are ever audited, so it is very important to log every breach or incident, no matter how small.
Data Subject Rights Log
A data subject rights log is where you record the details of the Data Subject Access Requests (DSARs) you receive. This log must contain: who made the request, what data was requested, proof of identity, the length of time taken to respond to the request, and a copy of the response. This log is vital to demonstrate your compliance with the rights of your customers and can protect you if the individual making the request decides to make a complaint.
One of the exemptions that allows you to refuse to provide information is the repetitiveness of a request. If you do not log these requests, you will have no way to prove that a request is indeed repetitive.
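As an added illustration (this is not code from the guide or from any product it mentions), the following Python sketch keeps a data subject rights log of the kind described above: each request is recorded with who made it, what was asked for, whether identity was verified and what was sent back, and the log can then show whether a new request repeats an earlier one and which requests are overdue. The one-month response period and the twelve-month window used to judge "repetitive" are assumptions for the example, not figures taken from the guide, and all the requests in it are constructed sample data.

```python
"""Minimal data subject rights (DSAR) log: added example, not from the guide.

Assumed values (not stated in the guide):
  - RESPONSE_DEADLINE_DAYS: the period within which a DSAR must be answered.
  - REPEAT_WINDOW_DAYS: how far back the log looks when deciding whether a
    new request repeats an earlier one from the same person.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

RESPONSE_DEADLINE_DAYS = 30   # assumed response period
REPEAT_WINDOW_DAYS = 365      # assumed window for "repetitive"


@dataclass
class DsarEntry:
    requester_id: str              # stable reference (e.g. account number), not just a name
    received: date
    data_requested: str
    identity_verified: bool
    response_ref: Optional[str] = None   # where the copy of the response is filed
    responded_on: Optional[date] = None

    @property
    def due(self) -> date:
        """Date by which a response must be sent (assumed deadline)."""
        return self.received + timedelta(days=RESPONSE_DEADLINE_DAYS)


@dataclass
class DsarLog:
    entries: List[DsarEntry] = field(default_factory=list)

    def record(self, entry: DsarEntry) -> DsarEntry:
        self.entries.append(entry)
        return entry

    def prior_requests(self, entry: DsarEntry) -> List[DsarEntry]:
        """Earlier logged requests from the same requester for the same data
        within the repeat window. These are the evidence for a refusal on
        grounds of repetitiveness."""
        cutoff = entry.received - timedelta(days=REPEAT_WINDOW_DAYS)
        return [
            e for e in self.entries
            if e is not entry
            and e.requester_id == entry.requester_id
            and e.data_requested == entry.data_requested
            and cutoff <= e.received < entry.received
        ]

    def is_repetitive(self, entry: DsarEntry) -> bool:
        return bool(self.prior_requests(entry))

    def overdue(self, today: date) -> List[DsarEntry]:
        """Requests with no response recorded whose deadline has passed."""
        return [e for e in self.entries if e.responded_on is None and e.due < today]


def build_sample_log() -> Tuple[DsarLog, List[DsarEntry]]:
    """Constructed sample requests (not real customers)."""
    log = DsarLog()
    first = log.record(DsarEntry("cust-1042", date(2023, 1, 10), "all personal data held",
                                 identity_verified=True, response_ref="DSAR-2023-001",
                                 responded_on=date(2023, 2, 1)))
    repeat = log.record(DsarEntry("cust-1042", date(2023, 2, 20), "all personal data held",
                                  identity_verified=True, response_ref="DSAR-2023-002 (refused: repetitive)",
                                  responded_on=date(2023, 3, 1)))
    pending = log.record(DsarEntry("cust-2077", date(2023, 2, 25), "marketing records",
                                   identity_verified=False))
    return log, [first, repeat, pending]


def sample_summary(today: date = date(2023, 4, 1)) -> Dict[str, object]:
    """Run the checks over the constructed log and return the findings."""
    log, (first, repeat, pending) = build_sample_log()
    return {
        "first_is_repetitive": log.is_repetitive(first),
        "repeat_is_repetitive": log.is_repetitive(repeat),
        "repeat_evidence": [e.response_ref for e in log.prior_requests(repeat)],
        "overdue": [e.requester_id for e in log.overdue(today)],
        "pending_due": pending.due,
    }


if __name__ == "__main__":
    for key, value in sample_summary().items():
        print(f"{key}: {value}")
```

The point of `prior_requests` is that the refusal is backed by log entries rather than memory: the returned list is exactly what you would show a Supervisory Authority or the complainant. `overdue` gives the day-to-day view the DPO/M needs, and the unverified identity on the pending request is deliberately left visible, since the clock runs from receipt regardless.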
Record of Processing Activities Register
A processing activities register enables you to keep a record of all your business processing activities where you collect, process, store, and delete personal data. For each processing activity, it is a good idea to state: what categories of personal data are collected, how it is stored, who has access, the security measures, the lawful basis for processing, the risks, and their mitigation. This register is important to demonstrate that your business is compliant with data protection laws and requirements.
This is the main register for showing your accountability as a data controller: you can go to it to see your legal basis for processing the data, your retention period, any risks, and so on. You must have this register in place and build your policies around the data you process.
Businesses of all sizes can experience a data breach or a Data Subject Access Request from an individual. It is important to have a procedure in place for when this situation occurs. A data breach procedure explains to employees what they must do in the event of a breach, who within your organisation should be notified, and how to report a breach to the Information Commissioner's Office (ICO), the data protection authority in the UK.
Similarly, if a data subject requests access to the data you hold on them (a DSAR), you are legally required to provide it. You must have a procedure in place that tells staff how to handle and respond to a DSAR and who in your organisation to pass a request to. These measures will save your business time and money, because your employees will understand how to handle DSARs and data breaches.
Data Protection Officer (DPO) or Manager (DPM):
You may wish to appoint a data protection officer or manager within your organisation or an external body that is a point of contact for employees. The DPO/M acts as a point of contact for any day-to-day matters, assists with handling data subject access requests and data breaches and any other general inquiries about data protection from your employees or others outside your organisation.
As a data controller, you are responsible for ensuring your employees understand the data protection requirements and how they are implemented in your business. All employees need a basic understanding of what personal data is, why it needs to be safeguarded, and how to do so. This training is essential, as problems and breaches occur when employees are not aware of the law or how it applies to their role.
To find out what your business offers, most people will visit your website. The same applies to data protection: customers will go to your website to find out more about how you will protect their data. You must have a privacy notice on your website that explains to visitors: what data you collect from them, your purpose for collecting it, how you process and store that data, how long you keep it for, when and how it is disposed of, the rights of your customers, a contact within your organisation if they have any further questions, and the contact details of the ICO if they wish to make a complaint. Many businesses mistakenly think their privacy notice only applies to the data they collect from their website (such as cookies); however, the privacy notice should cover the personal data you collect from customers in order to provide your services to them and throughout your ongoing relationship with them.
CookieScan has recently added a data rights function. You can now exercise your data protection rights and contact website owners directly, submitting a data subject access request, objecting to processing, asking for data to be corrected, and so on. CookieScan is the first to offer this and to combine both the data protection laws and the ePrivacy Regulations, or your own local laws.
Do all companies have to be GDPR compliant?
You must be GDPR compliant if you are either operating in the EU or your customers are based in the EU. If you operate in that jurisdiction that means that is where your business is based. So if you are based in France for example you have to comply with GDPR. If your customer is based in an EU country, even if you are not, you have to be compliant with GDPR. For example, if your company is based in Jersey but your clients or those that visit your website are based in the EU you must comply with the GDPR. If neither of the above scenarios applies to your business, then you do not have to comply with the GDPR. However, there may be other Data Protection laws within your jurisdiction that you will need to comply with.
Do small businesses need to pay for data protection?
How you choose to reach and monitor compliance with data protection requirements varies for every business. Some businesses choose to handle it internally, whereas others choose to employ an external data protection professional to handle their compliance for them. The benefits of using an external professional are that they will handle all your data protection needs for you, provide professional advice, and assist you in making the organisational changes needed. The size of your business will determine the cost of reaching compliance.
Why is data protection important to a business?
Data protection is important to every business. The aim of the GDPR is to protect the right of data subjects to decide how they want their data to be processed, and the regulation sets out laws to do this. Non-compliance with the GDPR can put your business at risk of hefty fines! Not only will this affect your business financially, but also your reputation, which could be more damaging.
Fines can reach as high as €20 million or 4% of annual global turnover, whichever is higher.
A recent data breach at the airline British Airways shows the importance of complying with data protection regulation. The airline was fined 22 million for a breach that affected 400,000 of its customers. Hackers got their hands on customers' names, addresses, log-in details, payment card information, and more.
According to the ICO the attack was preventable, but the airline had not put sufficient security measures in place to protect the data on its systems. It could have avoided this by investing in security solutions and ensuring it had strict data privacy policies and procedures in place.
What are the 7 principles of GDPR?
The GDPR sets out seven key principles that govern the processing of personal data. Compliance with these principles is essential for good data protection practice and protects your business from the substantial fines that non-compliance can bring. The 7 principles are:
- Processing lawfully, fairly and in a transparent manner – you must make it clear to your data subjects what data you are collecting from them, why it is being collected, and how it is going to be used. A great way to demonstrate compliance with this principle is by the use of a privacy notice.
- Collected for specific, explicit, and legitimate purposes – data can only be processed for the original purpose set out when it was collected. Any further processing for a different purpose would require notification and the consent of the data subject. For example, you may process an individual's name and email address for the purpose of sending them a confirmation email for a booking. You can only use the data for this purpose unless you get consent from the data subject to use it for another purpose (e.g. sending marketing communications).
- Adequate, relevant and limited to what is necessary – collecting lots of data about an individual that is not required for the service you provide can present more risk to your organisation. Minimise the data you collect to only what is necessary for the service you are offering.
- Accurate and kept up to date – you must regularly review the information you hold about individuals and delete or amend inaccurate information accordingly. This streamlining of information will help improve compliance and ensure business databases are accurate and up to date.
- Kept no longer than necessary – when you no longer require the data for the purpose for which it was collected, it should be deleted or destroyed (unless there are other lawful grounds to retain it, such as the exceptions for archiving, research or statistical purposes).
- Integrity and Confidentiality – you must take appropriate steps to ensure the security of the data you hold by putting appropriate measures in place. There are risks to the security of data in every organisation such as unauthorised use, accidental loss or damage, and external threats such as theft. The security measures you choose to put in place must sufficiently protect the personal data you process from the associated risks above.
- Your accountability – you must be able to demonstrate compliance with the principles outlined. To do this you should evaluate your current practices and consider where changes should be made to comply with the above principles.
What are business privacy laws?
There are a few notable data privacy laws that may apply to your business, depending on where your business is based and where your clients/customers are based. The most well-known law is the GDPR, the EU law for data protection. Due to Brexit, the UK now has its own law called the UK GDPR, which closely mirrors the GDPR with some slight changes so that it works more effectively in a UK context, alongside the Data Protection Act 2018.
The Channel Islands also have their own data protection laws: Jersey has the Data Protection (Jersey) Law 2018 and Guernsey has the Data Protection (Bailiwick of Guernsey) Law 2017.
How does the Data Protection Act affect businesses?
The UK Data Protection Act 2018 was developed as an update to the DPA 1998. As technology has changed and developed over the years, an update to this act was needed to ensure personal data is being used properly and legally in our digital age. Whilst the GDPR affects businesses registered within the EU and any companies handling personal data collected within Europe, the DPA is an equivalent piece of legislation that captures many of the same rights and obligations as the GDPR within the UK.
Data protection legislation applies to any information an organisation keeps on staff, customers, or account holders and will likely inform many elements of business operations, from recruitment, managing staff records, marketing, or even the collection of CCTV footage.
What are the legal requirements for storing business information?
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity, or availability of personal data. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted, or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
When storing the personal data of individuals, it is important to consider security measures that reduce the possibility of a breach as outlined above: measures such as password protection, restricting access to authorised individuals, and encryption when sharing data. For paper-based documents, protection means locked cabinets and limiting the number of paper documents that contain personal data.
When collecting personal data you must set retention periods on the data. A retention period is the set length of time the data is kept before it is deleted or disposed of. You must not collect and process data for longer than you need it, and you must only process it for the purpose outlined when it was collected. Setting a retention period ensures you are not keeping data longer than you should. Retention periods vary, and legal requirements for keeping data need to be considered.
What is the impact of GDPR?
Data protection laws and regulations affect how businesses operate and handle the data they collect from customers and employees. Compliance with the regulations is important to ensure the protection of your customers' data and to avoid possible fines.
Non-compliance can negatively affect businesses in many ways. The GDPR has severe implications for non-compliance – the consequences could be heavy fines and a damaged reputation. The GDPR allows for massive penalties of up to €20m or, if higher, as much as four percent of global revenue.
How does GDPR affect online businesses?
If your website collects personal data or tracks individuals online, then the GDPR will have an impact on your website. All websites must give the user the right to know what data is being collected about them when they visit your site, why the data is processed, and how it is processed.
An important area to consider is Cookies. These are small text files that are loaded onto a user’s device when they visit your site. These cookies then remain on the user’s device to track their activity. These cookies collect the IP address of the user which is considered personal data.
When it comes to online cookies and Marketing consent mechanisms, pre-ticked boxes are commonly used. Is this method compliant with GDPR?
NO! Do not use pre-ticked boxes when getting cookie consent or consent for marketing communications. Why you may ask? Let us look at the law. The definition of consent in GDPR is outlined in Article 4 which states:
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
So the law states consent must be freely given and by a clear affirmative action. So pre-ticked boxes are assuming the consent of the user without affirmative action. This applies to both cookie consent and consent for marketing.