Irma D. Rutherford If you are a small-business owner or legal expert in a startup, GDPR compliance is a challenge if you don’t know the basics of the law. No worries. We’ve got you covered! This beginner’s guide for small business GDPR compliance includes tips, best practices, and all you need to start today.
The General Data Protection Regulation, created by the European Union, is a global privacy regulation that governs how businesses handle and protect personal information. This law, which took effect on 25 May 2018, is a legally binding act that aims to protect privacy by giving individuals control over how their Personally Identifiable Information is collected, used, and shared.
GDPR for SMALL BUSINESSES
There is no exemption despite the size of the EU GDPR. Businesses that handle personal data (PII), or Personally Identifiable Information, are generally subject to GDPR rules and regulations. The GDPR prohibits small businesses from collecting contact information about an individual from their business card, LinkedIn profile, or other general interactions without the consent of that person. Even if a small business has fewer than 250 employees, it still must be GDPR compliant and designate an officer to protect any personal data it collects.
There may be some exemptions to the GDPR for small businesses based in the United States. Small companies, for example, that process personal data from EU residents on a limited basis may not be required to keep additional records. Small companies may also be exempted from extra record-keeping responsibilities if they rarely sell goods or provide services to EU consumers.
BASIC TRADING TERMINOLOGY
Let’s first familiarize ourselves with some GDPR basics.
A Data Subject refers to any individual whose data is collected, stored, or processed by a controller or processor.
A Data Controller is the entity that determines the purpose and legal basis of processing personal data.
The Data Processor who works with the Data Controller is the person responsible for the processing of personal data.
Processing includes any automated or manually performed operation or set operations on personal data. This may involve the collection, recording, and structuring of data, storage, modification, alteration or adaptation, and retrieval.
Data personal is any data that can be used to identify an individual, whether it’s their professional or private life. This includes a person’s name, email, pictures, and bank statements.
The consent refers to “any freely given, specific and informed indication” by the data subject that they agree to the processing of their data. A simple statement or an affirmative action can express the consent of the data subject.
GDPR COMPLIANCE RESTRICTIONS FOR SMALL BUSINESSES
Collection and Processing- The GDPR states that personal data collection must be accurate, legal, and secure. Article 6 of the GDPR requires that data controllers, including businesses with fewer than 250 employees and large corporations, establish a legal basis for the processing of personal data. This could be the consent given by the data subject or a processing related to a contract.
Consent As outlined in Article 7, businesses must demonstrate that data subjects have freely consented to the processing, collection, storage, and use of their data.
SecurityArticles 23-30 and 32 require that companies protect the privacy and data of consumers against loss or disclosure by implementing appropriate data protection measures.
Data Breach Notice -In case of a breach, controllers must notify supervisory authorities within 72 hours. (Article 34 – 35). This notification must contain specific details about the breach, including its nature and an approximate number of affected data subjects.
Data Protection Assessments (DPIAs). Under Article 35 of the GDPR, companies are required to perform a DPIA to identify the risks associated with consumer data. This is especially true in situations where the processing of a large amount of “special categories” of data may pose a high risk to individuals’ rights and freedoms. Businesses should complete this assessment before they start processing any new personal data.
Data protection officer (DPO)-Article 37 requires companies to hire one or more DPOs in order to comply with GDPR. This person is responsible for educating and training employees about the GDPR requirements. They also act as a liaison between the company, the supervisory authority, and data subjects.
Develop an action plan to operationalize your privacy program
How to prepare small businesses for GDPR compliance begins with an evaluation of the privacy program in place. This will determine if regulatory compliance is needed. A readiness assessment is conducted to determine areas where GDPR compliance has already been achieved. This is followed by a data protection impact assessment (DPIA) to analyze and identify the potential impact on consumers and businesses of the risks. These assessments help not only to develop a plan of action for compliance but also to make sure that the company is protected against future high-risk data processing activities.
Establish a Processing Register
Map and inventory the data collected on consumers to better understand why and what it is. According to Article 30 of GDPR, controllers or their representatives are required to keep a record of all processing activities.
Businesses must also audit their service providers and data to determine what data they collect, how that data is processed, where it goes, and who uses it. This will allow small businesses to maintain a central and accurate source of truth for the processing of all personal data within their company. In addition to the data map, this inventory will help identify other companies and organizations that are processing or storing data for your company. It will also provide insights into how data is moved internally and externally within an organization.
Demonstrate Proper Consent
Small businesses are required to show authorities that they have obtained consent in a timely and appropriate manner. Companies must demonstrate, as we have already mentioned, that data subjects gave their permission voluntarily and knowingly through a specific, clear request. When creating consent forms, ensure that they are easily accessible and understandable. Consent requests should not be hidden in lengthy contracts or service terms but rather placed within an opt-in system that is easy to use and clearly differentiates the consent request. Data subjects are also able to withdraw their consent at any point, so the consent request form must inform consumers how to withdraw consent in the same manner as they initially gave it.
When creating a consent form, you should consider:
Checking that the consent process is GDPR compliant.
Update privacy policies and notices so that they clearly state consent.
Consider providing consumers with options for support, such as the medium or frequency of communication.
