Compliance for SMEs: GDPR Part 3
While many enterprises are taking steps to become compliant with the European General Data Protection Regulation (GDPR), a recent YouGov study on GDPR revealed some concerning insights. Out of 2,000 businesses surveyed:
- 71% were unaware of the fines they could face under the new ruling.
- 38% of decision makers said that they were not aware of the new GDPR rules.
- 33% thought it was not an issue for the particular sector they work with.
- Finally, only 29% have started preparing for GDPR.
The impact of non-compliance for small to medium enterprises (SMEs) is a recurring concern voiced throughout the conversations, articles and general noise about GDPR. It is these organisations that may lack the resources, guidance or even awareness of the impending regulation, and it is also these businesses that could suffer more heavily for failing to comply. With unprecedented fines of up to 4% of annual income or €20m (whichever is greater), the penalties could do lasting or even fatal damage to a company’s bottom line. Many large organisations have contracted GDPR teams or specialised consultants, but for many SMEs this may not be affordable or achievable. That doesn’t mean GDPR planning and strategy can be ignored or put on the back burner.
GDPR is one of the most important pieces of IT legislation in EU history, and it is designed to deliver better information security for everyone, and improved international business through unified legislation.
When approaching a big project like this, sometimes it’s helpful to start with the basics.
- Creating a timeline is an excellent way to plan your steps toward compliance.
- It is also helpful to adopt a risk based approach, which can help you prioritise your tasks.
- This is the time to analyse the personal data you already hold, as well as how it is stored and used. You won’t know how your practices will need to change unless you’re clear on what processes you follow now and precisely what will be required going forward.
The Information Commissioner’s Office (ICO) is the official source of GDPR information. It has created a number of quick guides specifically for SMEs, and even offers advisory visits to help your organisation. If you have already made some changes toward compliance, the ICO has also created a detailed checklist for you to follow.
Whether you’re a huge multinational or a much smaller set-up, each point on the list below is relatively simple and fully achievable. By following these points, you can begin to further protect the rights of the people giving you their data, and head on your way to GDPR compliance.
Using plain language, tell your customers who you are when requesting data. Explain why you’re processing their data, how long it will be stored for, and who will receive it.
Get your customers’ clear consent to process the data. This could include checking age limits and getting parental consent if your organisation is using social media data from a younger audience.
Access and Portability
Let people access their data, and make it available to other companies if the customer requests it.
Inform people of serious data breaches as soon as possible. This point is a crucial part of GDPR compliance, and failure to do so has serious consequences.
Erase Data
Much like the famous Google case, the ‘right to be forgotten’ now applies. Personal data should be erased on request, but only if doing so doesn’t compromise freedom of expression or the ability to carry out research.
If you use profiling to process applications for legally binding agreements, you must inform your customers. Make sure you have a person (not a machine!) checking the process if the application is rejected, and offer the applicant the right to contest the decision.
Allow people to opt out of marketing that uses their data.
Safeguard Sensitive Data
For personal information on health, race, sexual orientation, religion and political beliefs, use extra safeguards.
Transferring Data Outside of the EU
Make sure to put appropriate legal arrangements in place when transferring data to countries that have not been approved by EU authorities.
Data Protection by Design
From development to release, ensure that you build data protection safeguards into your future products and services.
Processing Data for Others
If you process data for another company, make sure the contract is watertight and lists out the responsibilities of each party.
Get a Data Protection Officer, If You Need One
You don’t always have to have a Data Protection Officer, but a few factors decide whether you need one. The type and amount of data you collect is important, as is whether data processing is your main business. There isn’t a single rule specifically for SMEs when it comes to appointing a Data Protection Officer; however, the role is mandatory for all organisations (regardless of size) if:
- You are a public authority.
- You carry out large-scale systematic monitoring of individuals.
- You carry out large-scale processing of special category data (sensitive personal data) or of data relating to criminal convictions and offences.
Record Keeping
SMEs aren’t required to keep records of processing activities unless the processing is regular, is likely to result in risk to the rights and freedoms of data subjects, or deals with sensitive data or criminal records.
What should the records contain?
- The name and contact details of the business.
- The reasons for data processing.
- A description of the categories of data subjects and personal data.
- The categories of organisations receiving the data.
- Any transfer of data to another country or organisation.
- The time limit for removal of the data, where possible.
- A description of the security measures used when processing, where possible.
Data Protection
If you process and keep information about your customers, employees or suppliers, you have a legal obligation to protect this information, and you must:
- Only collect information that you need, and keep it secure.
- Make sure that the information is relevant and up to date.
- Only keep as much as you need for as long as you need it.
- Allow the subject of the information to see it when they wish.
Impact Assessments
A data protection impact assessment (DPIA) is mandatory for organisations that process “high risk” data: if an organisation processes data to the extent that the processing can interfere with the rights and freedoms of a data subject, a DPIA is necessary. But impact assessments are useful for all organisations, since they allow you to find and fix problems at the early stages of a project. It’s highly recommended that you carry out impact assessments to identify, mitigate and minimise risk.
Where Do I Begin?
GDPR doesn’t mean fighting through more red tape, but instilling confidence in your customers as they navigate the digital world.
Remember, even if GDPR compliance feels difficult and time-consuming, once you get there it becomes a case of maintaining the correct practices and processes you have adopted. You must be compliant by the 25th May 2018 to avoid the risk of fines, sanctions and bans. Our advice? Use the wide range of resources available to support you, do your research, and if you haven’t started yet, now’s the time!
Cogmotive is the leading global provider of enterprise-level reporting and analytics applications for Office 365.