The 2019 GDPR Small Business Survey found that 44 per cent of small businesses don't always obtain proper consent before using personal data and 22 per cent don't use technical measures to protect data.
Navigating the GDPR can be confusing, but especially so for small businesses and even more if you don't operate in the European Union. Does the law apply to your company? If so, what steps do you need to take to comply?
Answering the five questions below will help small business owners better understand the GDPR.
The penalties for GDPR violations can be astronomical.
Knowing the GDPR's requirements and ensuring that your company’s policies and practices are consistent with the regulation reduces your risk. Use our free checklist to get started.
1. Are You Exempt from the GDPR?
The first (and most important) step is to determine if your organization is subject to the GDPR. Ask yourself:
- Does your business process data based on activities that take place in the EU, whether or not the processing actually takes place in the EU?
- Do you offer paid or unpaid goods and services to EU customers?
- Do you monitor the behavior of individuals in the EU?
Under the GDPR, personal data includes almost everything, down to a subject's email address, phone number and even their name. If you hold this information about even one employee who resides in an EU country, you process EU personal data.
Even if you answered yes to all of these questions, you still may not have to comply. If your company has fewer than 250 employees you are exempt from the record-keeping obligations of the GDPR, unless:
- Your processing of EU user data is "not occasional"
- Your company's data processing puts users' rights and freedoms at risk
- You process "special categories" of data as laid out in Article 9(e.g. race, sexual orientation, health, political opinions, religious beliefs, etc.)
Under the GDPR, "not occasional" isn't clearly defined. So how do you know if you need to maintain processing records? Because of the law's ambiguity, it's better to be safe than sorry.
"It would appear that Smaller Organisations would need to create a comprehensive record of all processing so that they can decide, and subsequently justify to the ICO, what processing they do not need to record," say Gemma Briance and Geoffrey Sturgess, solicitors at Warner Goodman. "In other words they will need to produce a record in order to demonstrate that they have correctly decided what does and does not have to be recorded!"
RELATED: GDPR Compliance: Does It Apply to Me?
2. Do You Need a Data Protection Officer (DPO)?
Under the GDPR, some organizations may need to appoint an expert in data processing called a Data Protection Officer (DPO).
A DPO assesses, creates and monitors the company's data protection strategy, ensuring that it complies with the GDPR.DPO duties can be carried out by a current employee, as long as their other role doesn't present a conflict of interest.
Per Article 37 of the GDPR, you'll need to appoint a DPO if you:
- Are a public authority that processes GDPR-protected data,
- Primarily conduct data "processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale" OR
- Process mostly special categories of data (Article 9) or data concerning criminal convictions or offences (Article 10)
3. Can Your Organization Handle Compliance In-House?
Handling GDPR compliance in-house might save you money, but it isn't always the best option. While the duties of a DPO can be carried out by a current employee, going that route could overload them. They also might not be familiar enough with the GDPR to confidently and accurately guide your compliance approach.
If your company can afford it, consider hiring a contractor as DPO instead, at least until you train other employees and redistribute their workloads. A contractor is an expert in GDPR who will help you understand all of its regulations and guide you through the steps you need to take to be compliant.
Whether you decide to outsource your compliance or not, consult with a lawyer about if and how the GDPR applies to your company. Choose someone with knowledge of, and experience in, GDPR for small businesses. They can help you with compliance questions and concerns unique to smaller organizations.
RELATED: GDPR Compliance: 23 Things You Need to Do Right Now
4. Are You a Data Controller, Processor or Both?
Compliance with the GDPR for small businesses differs depending on their roles. A data controller
A data controller "controls the overall purpose and means, or the ‘why’ and ‘how’ the data is to be used. The data controller can also process the data by its own means." They are the main entity in charge of protecting the data's privacy as well as access to it.
A data processor processes data on behalf of the data controller. They do "not control the data and cannot change the purpose or use of the particular set of data. The data processor processes the data only according to the instructions and purpose given by the data controller."
Controllers can have multiple processors and processors can have sub-processors. Your company may be both a controller and a processor. It's important to understand which role your business fills, as each has unique responsibilities under the GDPR.
Regardless of role, your company may also need to appoint an EU representative to "act as a middleman between authorities and data subjects on the one hand and the processor and controller outside the EU on the other hand."
You'll need to appoint a representative in an EU member state if you:
- "offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR) or
- monitor their behaviour (e.g. cookie profiling)."
5. Are Your Vendors Compliant?
Ensuring your company complies with the GDPR isn't the only step you need to take for compliance. If you work with a vendor, supplier or other business partner who fails to comply, you could be held accountable and penalized, too.
Review agreements you hold with third parties, especially those that process data on your behalf. If they don't take GDPR compliance measures, refuse to work with them until they do. Maintaining a business relationship isn't worth the fines and other penalties you could face for non-compliance.
Need a refresher on GDPR compliance? Watch our free webinar to ensure your organization is following the regulation.