GDPR – Compliance for Small Businesses
GDPR (General Data Protection Regulation) is an EU regulation that strengthens and unifies data protection for all individuals within the EU. It also governs the export of personal data outside the European Union. Political agreement on the text was reached in December 2015, and the regulation applies from 25 May 2018.
This article gives you an overview of the GDPR requirements that you, as a small business, must understand and comply with now.
As a small business owner you may think that GDPR does not apply to you. This is one of the many myths surrounding businesses with fewer than 250 employees. GDPR does include an exemption from some record-keeping duties for organisations with fewer than 250 employees (Article 30(5)), but it is a narrow one: it falls away if your processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data or criminal convictions. It does not exempt small businesses from any other part of the regulation, so you still have to comply.
So although Article 30 appears to relieve smaller businesses of a duty, do not assume it lets you off. As a small business you need to keep up to date with the GDPR and understand what it means for your business. If you fail to do so, you may face sanctions you did not expect, and those sanctions can be costly fines, which is never good news for a small business. The main purpose of the EU's GDPR proposal was to give EU citizens back control of their personal data. GDPR replaces the 1995 Data Protection Directive and harmonises data protection rules throughout the European Union.
Brexit – Will the U.K still have to comply with GDPR?
The answer in a nutshell is YES! Whether the UK is in or out of the EU, UK businesses will still have to comply with GDPR during the transition to avoid infringements. International businesses that offer goods or services to customers in the EU, or monitor their behaviour, also have to comply.
The UK government has introduced the Data Protection Bill into Parliament. The bill aims to write the GDPR into UK law so that it continues to apply after Brexit, and it is expected to pass before 25 May 2018.
Recordkeeping obligations that small businesses have under GDPR
Every business, big or small, needs to maintain records of the processing activities it is responsible for as a controller, and of the activities it carries out on behalf of others as a processor.
The GDPR compliance requirements
Expect the EU regulation to have a far-reaching impact on businesses all over the world, including your small business. If your business suffers a data breach, the following may apply:
- You must notify your supervisory data protection authority and, where the breach is likely to result in a high risk to them, the individuals whose records were breached.
- You may face a fine of up to €20 million or 4% of global annual turnover, whichever is higher.
There are cases where you are not required to notify the affected individuals. For example, if the breached data had been encrypted and the key was not compromised, the data is unintelligible to whoever took it; Article 34(3)(a) then lifts the duty to tell the data subjects, and your exposure to a fine is much reduced. Note that the duty to notify the authority under Article 33 still applies unless the breach is unlikely to result in any risk to individuals.
As a small business, you may need to apply different encryption methods for cloud and on-premises environments, covering servers (database and application), storage (storage area network and network-attached storage encryption), media (disk encryption) and networks (high-speed network encryption).
Here are some security requirements, spread through the text of the law, that you should take into account as a small business.
As a small business, it is your responsibility to protect the personal data you hold. GDPR expects you to ensure that only authorised users can access and process that data, and only when appropriate. Articles 5, 25 and 32 cover these requirements.
As per the GDPR requirements, all businesses need to ensure that:
- Minimise the exposure of data subjects' identities.
- Process data for authorised purposes only.
- Ensure data integrity and accuracy.
- Implement appropriate data security measures.
As a small business, you should encrypt your data. Encryption keeps the data unreadable to anyone who does not hold the key, so even if the storage is lost or copied the data stays protected. GDPR names encryption (together with pseudonymisation) as an appropriate measure because it restricts unauthorised processing and limits how long individuals remain identifiable from the data. Bear in mind that encryption on its own does not prevent tampering: use an authenticated mode (such as AES-GCM) or a separate integrity check to detect unauthorised modification. With encryption and access control procedures in place, you can demonstrate both the integrity of your data and your compliance.
Another line of defence you can adopt is multi-factor authentication (MFA). By giving every user their own credentials you can track who accesses which resources and monitor insider risk, and MFA makes it much harder for an attacker holding a stolen password to reach sensitive information. Together, these controls give your business real control over who can get at its data.
The security obligations of GDPR are covered in Articles 6, 25, 28 and 32. All businesses, including small ones, must implement the following:
- Encryption or pseudonymisation of personal data.
- Security measures that respond to the business's own risk assessment.
- Data protection by design and by default.
- Safeguards if the business intends to keep the data available for further processing.
Your business always needs to assess the risks to its data and adopt measures that mitigate the risks it finds. You will soon realise how hard it is to identify every possible risk, which is why it is vital to secure the data itself and not only the perimeter: encrypted data stays protected whether or not a breach occurs. Use multi-factor authentication for access to any network resource involved in processing personal data. You can also guard against unauthorised further processing by assigning and revoking credentials so that access is withdrawn as soon as the first, authorised processing has been completed.
Right to access
Article 15 gives data subjects the right to access their personal data and to learn how your business is using it. As a data controller you must, on request, provide the individual with the categories of personal data you process (Article 15(1)(b)), who it is shared with and where you obtained it from.
Right to erasure
Even after you have collected data successfully as a small business, individuals retain a claim over it, up to a point, and can exercise control over the data collected. Article 17 (the right to erasure) and Article 28 (the obligations of processors) require organisations to erase the data they hold when:
- The agreement or service it was collected for comes to an end.
- The controller you process on behalf of requests its deletion.
- The data subject withdraws their consent.
As a business, you must be able to locate every piece of data a user has ever shared with you and erase all of it when that user withdraws consent. You will find this taxing: data, once written to disk, is not reliably gone after a delete, and copies live on in backups. To satisfy erasure requests, many businesses encrypt each user's data under its own key and, when the data has to go, delete that key (crypto-shredding). Provided the key was strong, the cipher is sound, and every copy of the key (including those in key backups or a key management service) is destroyed, the remaining ciphertext is permanently unreadable.
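The following is an added example written for this article, not code from Just Add Tech or any product: a small Go store that keeps one AES-256-GCM key per data subject, indexes records under a keyed (HMAC) pseudonym rather than the raw identifier (the pseudonymisation the regulation mentions alongside encryption), and implements erasure by destroying the subject's key. The type name `SubjectVault`, its methods and the subject IDs are all invented for the illustration. It also covers the earlier point that encrypted data stays unintelligible after a breach: `Read` fails on a tampered blob, and after `Erase` the ciphertext is still there but can no longer be decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// ErrErased: the key is gone, so ciphertext still in the store or in backups is unrecoverable.
var ErrErased = errors.New("subject key deleted: data is unrecoverable")

// SubjectVault is a hypothetical store written for this article: one AES-256 key per data
// subject, and records indexed by a keyed pseudonym so that no table holds raw identities.
type SubjectVault struct {
	indexKey []byte              // HMAC key used to pseudonymise subject IDs
	keys     map[string][]byte   // pseudonym -> per-subject data key
	records  map[string][][]byte // pseudonym -> nonce||ciphertext blobs
}

func NewSubjectVault() *SubjectVault {
	return &SubjectVault{randomBytes(32), map[string][]byte{}, map[string][][]byte{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG read is not something to continue past
	}
	return b
}

// newAEAD panics rather than returning an error: with a 32-byte key neither call can fail.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Pseudonym is stable per subject but cannot be reversed or recomputed without indexKey (GDPR Art. 4(5)).
func (v *SubjectVault) Pseudonym(subjectID string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(subjectID))
	return hex.EncodeToString(m.Sum(nil))
}

// Store encrypts one record under the subject's own key (created on first use); AES-GCM binds it to the pseudonym.
func (v *SubjectVault) Store(subjectID string, plaintext []byte) {
	p := v.Pseudonym(subjectID)
	key, ok := v.keys[p]
	if !ok {
		key = randomBytes(32)
		v.keys[p] = key
	}
	aead := newAEAD(key)
	nonce := randomBytes(aead.NonceSize()) // prepended to the blob so Read can recover it
	v.records[p] = append(v.records[p], aead.Seal(nonce, nonce, plaintext, []byte(p)))
}

// Read decrypts every record for the subject, or returns ErrErased once the key is gone.
func (v *SubjectVault) Read(subjectID string) ([][]byte, error) {
	p := v.Pseudonym(subjectID)
	key, ok := v.keys[p]
	if !ok {
		return nil, ErrErased
	}
	aead := newAEAD(key)
	var out [][]byte
	for _, blob := range v.records[p] {
		pt, err := aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(p))
		if err != nil {
			return nil, err // wrong key or tampered blob
		}
		out = append(out, pt)
	}
	return out, nil
}

// Erase is the right to erasure by crypto-shredding: wipe and drop the key but leave the ciphertext (as in
// backups you cannot rewrite), returning how many blobs are now orphaned. In production the key must also
// go from every KMS/HSM copy and key backup.
func (v *SubjectVault) Erase(subjectID string) int {
	p := v.Pseudonym(subjectID)
	if key, ok := v.keys[p]; ok {
		for i := range key {
			key[i] = 0 // best-effort wipe of the in-memory copy
		}
		delete(v.keys, p)
	}
	return len(v.records[p])
}
```

Two design points worth noting. The pseudonym is passed as GCM additional data, so a blob copied from one subject's slot to another's will not decrypt; and `Erase` is idempotent and deliberately leaves the ciphertext behind to mirror real backups, which is exactly why the key deletion, not the record deletion, is the erasure. In a real deployment the per-subject keys would themselves be wrapped by a master key in a KMS or HSM, and erasure must reach every copy of the subject key, including key backups.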
Due diligence and risk mitigation
As a business you must assess the risks to the personal data you hold, then take appropriate and lawful steps to protect it. Articles 2, 24 and 28 set out these requirements.
To mitigate risk and perform due diligence on your data, take these measures:
- Keep full control of your data.
- Conduct regular, full risk assessments.
- Help your partners and customers comply.
- Implement measures that both ensure and demonstrate compliance.
If you partner with other businesses or use third-party services, you do not hand over your responsibility for the security of the data. Instead you are obliged to work with those partners and providers to maintain its security and mitigate risk. If you are the controller of the data, you remain responsible for it even when it is out of your sight.
Any business, small or large, must notify its supervisory authority, and in some cases the individuals concerned, of a security breach that is likely to put the rights and freedoms of data subjects at risk. Articles 33 and 34 set out the steps to take when personal data is breached, including:
- Notifying your supervisory authority within 72 hours of becoming aware of the breach.
- Describing the likely consequences of the breach.
- Communicating the breach directly to the affected data subjects where it is likely to result in a high risk to them.
It is your duty to notify the ICO, and your customers, of any breach that has exposed unprotected data. You may be spared the notification to individuals if the data was encrypted and you followed good key management practice, so that the attacker obtained ciphertext without the key. Notification to individuals is only required where the breach is likely to put their rights and freedoms at high risk; notification to the authority is required unless the breach is unlikely to result in any risk at all.
Another GDPR requirement is data portability: a customer has the right to receive the personal data they have provided to one controller and transfer it to another. Article 20 explains this right. It applies to data processed by automated means on the basis of consent or a contract; data that has been properly anonymised is no longer personal data and is out of scope. Both data the subject provided directly and data observed about them, such as their behaviour, are included. As a controller you must provide the data in a structured, commonly used and machine-readable format.
This requirement comes from Article 25 (data protection by design and by default). Your default privacy settings should always be the strictest ones, and you need to put in place both the technical and the organisational measures that let you process data in line with the GDPR. As a controller you must implement mechanisms that ensure personal data is not processed unless it is needed, and then only for a specific purpose. One practical measure is to keep encryption and decryption under your own control, for example by encrypting data locally before it goes to a cloud provider, so that the data owner holds both the data and the key; a provider that holds the key can read the data, and so can anyone who compromises that provider.
We can help
Just Add Tech can help you in preparing everything that you need in order to be GDPR compliant by 25th May 2018. Give us a call on 01202 800629 or you can email firstname.lastname@example.org for any help or advice that you may need.