Small businesses: GDPR affects you, too
Don’t think that just because you’re a small business, they won’t see you.
The EU’s General Data Protection Regulation (GDPR) comes into force on 25th May, enforcing a strict set of new rules concerning privacy and data security and imposing strict penalties on violators. GDPR affects anyone holding data on EU citizens, including those companies not in Europe. A survey carried out in December 2017 of over 1000 companies found that a lot of them have still have no clue about this yet. You may forgive the overseas businesses for not understanding that they’ll also be affected, but the Brits were the worst. ONLY 39% of UK companies realised that they were subject to the regulation.
The nitty gritty
So what does GDPR mean in practice, and what must small businesses do to get ahead of it? GDPR is a sprawling document, hundreds of pages long, but it changes requirements or creates new ones in several key areas.
One of the big concepts that GDPR changes is consent. Companies already need consent to process someone’s data, but until now they only had to ask once, and that covered all uses. Not anymore. GDPR’s ‘unbundled’ consent means getting separate permission to use customer data for different things, such as marketing, maintenance, fraud checks and support. Documentation is also stricter: businesses must record when that consent was given. Neither can service providers assume consent by 'pre-ticking' boxes and forcing people to untick them. Instead, they must make consent clear in legal contracts and customers must opt-in rather than out.
Right to erasure
Any consent a customer gives isn’t automatically forever, either. Another key change under GDPR is the right to erasure (sometimes called the ‘right to be forgotten’). It lets individuals withdraw consent, meaning that a company would have to delete any information it held about them.
On a related note, customers might just ask for a copy of their data rather than deleting it. Upon request, the ‘data controllers’ must provide a machine-readable copy of the customers data so that they can send it to another provider should they chose. GDPR also asks organisations to provide extensive supporting material as part of this process, including the categories of data that they are handling, along with the reasons for processing it. All of this must happen within a month of the request. Portability and erasure could be tricky issues in a small business for both technical and organisational reasons. Firstly, they may not have the same kind of formalised process for handing data that some larger companies do. If your customer data is scattered across a selection of network folders, databases and individual PCs, you’ll have a tough time retrieving it for one customer. Now imagine if you get ten requests in a week.
The other issue is that GDPR’s third party requirement may be more likely to bite SMBs. A small company without a large, well-funded IT department is likely to rely more on third party data handling services than a larger company that can build things in-house. If services like cloud-based backup, third party order processing, outsourced customer support or SaaS application providers are storing and processing your customers’ data, that makes them ‘data processors’ in GDPR jargon. A request to delete or reproduce customer data affects data processors’ systems, too. Small businesses will need to clarify their contracts with service providers, along with the processes for handling customer requests.
Data governance obligations
Organisations must take technical and organisational measures to show that they have made their data processing compliant with the concept of privacy by design. GDPR specifically mentions encryption and pseudoanoymisation – the process of separating personally-identifiable information from other data attributes to avoid security risks.
If a small business has been winging it without a grown-up IT department, they’ll need to source this technical expertise from somewhere to tackle these GDPR requirements.
Personnel and procedural changes
While these requirements all impose a hefty technology burden on companies, there are other measures that have a greater effect on organisational structure. The GDPR says that organisations must use privacy impact assessments for data processing activities that the regulation defines as high-risk, including monitoring activities. They must introduce audits and policy reviews to continually assess their privacy compliance.
This means that GDPR is not a one-time, fire-and-forget project. Even if GDPR doesn’t mandate an official data protection officer (DPO) at your small business, you still need someone at the steering wheel who can be responsible for pushing all these security policies and procedures through.
Data breach notification
Finally, data breach notification becomes mandatory under the GDPR. Small businesses shouldn’t assume this doesn’t apply to them because they think that they’re unlikely to be hit. Firstly, all companies are fair game. Secondly, regulators will want to see a procedure for notifying local regulators (and, in some cases, customers) of a compromise.
Think that Brexit will rescue UK small businesses from all this hassle? Not so fast. The UK will fall under GDPR long before it leaves the EU, and in any case the UK needs to demonstrate equivalent rules if the EU is to exchange data with it.
Gearing up for GDPR
So, there’s a big burden for small businesses to carry – probably far more than they can cope with using the in-house resources available. Where should they begin?
The Information Commissioner’s Office (ICO) has created a helpful guide that lists the various steps that organisations should go through to ensure that they are ready for 25th May. Here are some of the important steps, aggregated and condensed for small business readers:
Assess data holdings
Audit the data you already hold and those held by third parties. This is a crucial step, so bring in a consultant to help you with this if you don’t already have the internal resource for this.
Review privacy communication, legal frameworks, and approach to consent
Assess how you communicate privacy information to data subjects, and document the legal basis what you’re doing with their personal data. You will need to explain this legal justification to individuals whose data you handle. Evaluate what you obtain consent for, and how you get it. Make any changes to systems and processes necessary to follow the new rules.
Review ability to subject access requests
Check existing procedures (and the technology that supports them) to see how you will cover individuals’ new rights under GDPR such as the right to erasure and the ability to port data. Prepare yourself to handle their requests for data access. Consider providing online options to avoid this becoming a manual drain on your time.
Prepare for data breaches
Ensure that you have the procedures in place to detect and investigate a data breach, and also to report it.
Review system privacy and introduce impact assessments
Examine existing systems that process high-risk data, and ensure that their design is based on sound privacy principles. Conduct privacy impact assessments for these systems to ensure that they support the requirements laid out in the GDPR.
Consider a data protection officer
Many organisations will need to appoint a data protection officer to oversee ongoing privacy arrangements.
Small business are generally resource constrained and have less margin for error than large enterprises, who often have a bigger cashflow buffer to tackle wide-reaching challenges like GDPR. Getting external help would be a good idea for a smaller firm wanting to toe the line. With less than 4 months to go, that isn’t a phone call you should put off any more.
We can help your business acheive compliance with one, or a combination of IT solutions.