The GDPR is set to impact every area of big business – and smaller enterprises can’t ignore how the changes in EU law will affect them as well.
The new regulation (General Data Protection Regulation, in full) has overhauled approaches to data protection across Europe, and by default, anyone who does business with Europeans.
At first glance it appears to focus on huge data-orientated corporations – the likes of Google, Facebook and Amazon, to name a few. But while the law is written with these behemoths in mind, there is no overestimating the impact on smaller businesses. The regulation specifically says it applies to any enterprise, including sole traders, defined as ‘any legal entity engaged in economic activity’.
But for many SMEs, the new rules seem to hold up a very high standard of governance, accountability and security which initially looks far too costly for compliance ever to be viable. So here we run through some of the main points smaller employers should consider on their road to getting the GDPR badge of honour – and show that data protection isn’t as scary as it first seems.
1. Are you actually processing any personal data?
First of all, you need to work out if you are a data controller, processor, or neither. If you hold any data in a searchable format (that’s databases and file cabinets) then you’re processing data. If you’re in a position to make a decision about what happens to that data, you’re a controller. Remember, this applies to searchable files used for business purposes – so scraps of paper, your personal address book, business cards etc., don’t count. But if you put all those business cards into an index, then yes, you’ve turned them into data. Now you need to look after it, send out privacy notices, get consent if you want to send out marketing mailers, perform a privacy impact assessment on how robust your desk is and consider getting a fingerprint lock for your top drawer.
2. Start with the principles and work outwards
The GDPR sets a standard that any organisation processing personal data should follow. It’s a weighty regulation (the Data Protection Act was 30 pages, this is 88) but if you boil it down, all the measures, requirements, definitions and limitations come down to a few simple principles. These are:
- Lawful, fair and transparent processing: This means, in a general sense, if you aren’t using anyone’s data for something they wouldn’t be happy with, and you’re giving them control of their own information, you’ve got it covered.
- Purpose Limitation: Are you collecting data for specific, legitimate reasons, compatible with what your data subject would expect?
- Data Minimisation: Are you only collecting what you need for that purpose and no more? If you were to receive a data audit, would you be able to justify holding every piece of information on your systems? Is it relevant to your operations, and do you have consent for sensitive data?
- Accuracy: Is the data you hold and process collected properly and do you keep it up to date?
- Storage Limitation: Are you trimming your databases as and when your data is no longer needed? Have you got the systems in place to anonymise or pseudonymise your files if you need to keep specific data for statistical purposes or historic records?
- Integrity and Confidentiality: Is your security adequate to keep the data safe? Are you in touch with the latest developments in cyber security? Do you know who in your organisation has access to what data?
- Accountability: Are you able to demonstrate how you work towards compliance in your policies, your contracts with partners and suppliers, privacy impact assessments and processing logs?
And with the principles firmly in mind, on to the next point.
3. The GDPR expects the measures you take to be thorough, but proportionate
There is a lot to consider in terms of compliance even if you’re not a systematic processor of people’s data. You’re still likely to be processing employee details and be involved in some kind of direct marketing. You still need to be ready for a potential data breach and know how to handle a subject access request properly. You still need to have policies in place to demonstrate how data protection is being embedded in your day-to-day activities. Any approach to complying with GDPR should start with a roadmap of what is required in your unique circumstances – taking a close look at your data flows, possible risks and where your current policies are either adequate or need adjusting.
4. You don’t necessarily have to hire a Data Protection Officer
Large enterprises who process a large amount of data for their core business or systematically monitor their users need to have someone reporting to their board on data protection – usually called a Chief Data Officer.
Some small organisations will be surprised that they are also required to have a Data Protection Officer to hand. Any public body or an organisation performing a public function is included, so that means local-authority-funded schools, housing associations and council service providers.
There are some other specific circumstances where you may also need to engage a DPO, but there is no obligation to hire one – a DPO can be a consultant and in fact probably should be independent from your payroll to ensure they can do their job properly.
However, even if you don’t need a full-time DPO, you need to be able to name someone in the company, usually a senior manager, as your data champion – to handle Subject Access Requests, perform Privacy Impact Assessments when necessary, and sometimes even report to the ICO, such as when you have a major breach.
5. Stop processing any sensitive data
The GDPR imposes a higher level of security on ‘special categories’ of personal information – like ethnicity, sexual orientation and biometric data – information which is particularly personal or could pose an especially high risk of harm in the event of a breach. Holding any of this data raises the bar for what you have to do in terms of keeping records, encrypting and securing data flows – it raises the cost of compliance substantially, so avoid processing any where possible. (Also, this doesn’t mean you have to stop giving out equal opportunities forms – it just means you have to make absolutely sure there are no links between that anonymous data and the people who fill them out.)
6. Avoid data that requires consent
Any data collecting activity you do which requires consent places more demands on your business further down the line. Getting consent means keeping records of which data subjects consented, what they consented to and for how long, and at some point you may have to process requests to withdraw consent. There are other legal bases for collecting data that don’t require consent, so you should check whether your activities fall under these.
7. Don’t tolerate compliance – embrace it
Data Protection works best when everyone in an organisation is aware of their professional responsibilities and truly takes the rights of individuals into consideration. Taking the route of minimal compliance may leave holes in your business, while adopting the right attitude will strengthen your relationships with clients and customers, and protect you from considerable risk.