General Data Protection Regulation affects most organisations that collect, handle, and process data collected inside of the EU. Any organisation which has more than 250 employees, including businesses, governments, and public agencies, is expected to be GDPR compliant. These larger organisations often have the resources available to them to ensure that their practices are in line with the regulations. One of the many requirements an organisation must fulfil to be GDPR compliant is the nomination of a Data Protection Officer, who will oversee the security of any data that the organisation handles.
In contrast, Article 30 of the GDPR states that most small businesses-that is, one with fewer than 250 employees-are not covered by GDPR. Because of this article, many small businesses assume that the GDPR does not apply to them. However, it is important to note that some exceptions apply. It is critical that all small business owners familiarise themselves with GDPR to assess their status in relation to compliancy. Ignorance of the protocols is not deemed an acceptable excuse for a violation; hefty fines are levied against businesses of any size for a violation.
Businesses with fewer than 250 employees are required to comply with the GDPR if their data processing could affect the rights and freedoms of individuals, if they process personal data on a regular basis, or if they collect data which is covered by Article 9 of the GDPR, which includes sensitive data such as that relating to religious beliefs, sexual orientation, and political beliefs. Under GDPR, it is prohibited to process data covered by Article 9, unless a data subject gives their consent to use the data for a specific purpose. Some EU member states go one step further than GDPR, and prohibit any organisation from using this data even if the subject gave their consent. Small businesses need to be very familiar with this particular stipulation of GDPR to ensure they do not accidentally violate the regulations.
Small businesses operate in a very different manner to larger organisations. As a result, GDPR will affect their business practices in a different way, particularly how small businesses network. Under GDPR, small business owners will no longer legally be able to simply add emails taken from business cards to their email contact lists unless they have specific consent to do so from the individual who gave them the card. The same rules apply for adding contacts on LinkedIn or other social networking platforms. It is not enough for small organisations to assume that being given an email address or business card is consent to be added to their networks.
Due to the small size of the organisations and limited resources, small often outsource the processing of their data to third parties. Under GDPR, these third parties are considered to be data processors, and therefore are subject to the same regulations. The data controller, or small business, is responsible for the conduct of their processors. Therefore, while drawing up their business contracts, small businesses must ensure that any organisation to which they outsource is clear regarding the requirements stipulated by GDPR, as it is the small business who will be held responsible if a violation occurs.
GDPR has many strict requirements regarding the safeguarding of data. For example, passwords are not considered a sufficient security measure on laptops or mobile phones which store data. Although these measures may be costly, small businesses which are covered by GDPR are expected to encrypt the devices to ensure that the data is protected.
Small businesses often rely on their online presence for a significant proportion of their customers. GDPR compliancy is a requirement for any organisation which collects data within the EU, regardless of where the organisation itself is based.
It is important to note that the GDPR applies to people within the EU, but not necessarily to EU citizens. A Danish person who has their data collected in South Africa is not covered by the GDPR, whereas a South African in Denmark would be. It is the location of the person that is important, not their nationality or citizenship.
Ensuring that Small Businesses are GDPR Compliant:
Small business owners must become familiar with GDPR and what constitutes as compliance with the regulations. A thorough awareness of the new regulations is essential in ensuring that the processes and procedures of the business are such that they meet with GDPR requirements.
All organisations covered by GDPR are required to know the details of what data is being held, where it is being held, why it is being held, and who is responsible for managing it. Performing a thorough audit on the data the organisation currently holds is critical.
Organisations must also ascertain whether appropriate consent has been obtained and whether the data should can still be legally processed or whether it should be deleted as the consent has expired. As small businesses as holding less data, this data checking may be easier to manage and there is less likelihood of issues occurring.
GDPR requires small businesses need to know what data is being held, where, and how, as well as who is responsible for managing it. Organisations must ensure that they have the capability to have processes and procedures in place to enable compliance with these requirements. They also need to fully document these processes and procedures so that they can prove they are acting in compliance.
Under GDPR, businesses will need to ensure that they have consent to process personal data, except if there are certain other valid legal reasons for them to process the data. Businesses must obtain the consent of the individual for each specific reason for processing. There can be no ambiguity over whether or not consent was obtained. Individuals must be made explicitly aware for what their data is being used, also need to take an unambiguous affirmative action to agree to its use.
This means that it’s no longer permitted for a business to use pre-checked tick boxes or silence on a telephone line to obtain consent. All consent gathered in such a fashion is not longer valid and small businesses must obtain the data again following GDPR protocols.
Article 9 of GDPR covers “high risk” data. Small businesses need to assess whether aspects of their data processing might also present a high risk. Every business needs to adjust for these risks by producing detailed plans and procedures to follow. If the business does not have the capability to properly adjust its practices, the business should seek advice from the relevant Data Processing Authority (DPA) before any processing of the data can be attempted.
Under the GDPR, data breaches need to be reported within 72 hours of discovery. Therefore, small businesses must have a contingency plan in place to ensure that if a data breach were to occur, they can meet this strict deadline and enact damage control procedures.
The appointment of a data protection officer (DPO) is only a requirement for large businesses under GDPR. Regardless, if it is within the means of a small organisation, they should consider doing so. Furthermore, if the business is processing sensitive information, as described in Article 9 of the GDPR, it may be a requirement for them to do so.
If recruiting a DPO is not possible, the business may want to consider using a third party expert or providing suitable training to someone who already works within the business. The DPO needs to have in-depth knowledge of the GDPR and knowledge of how to develop a data management process. The appointment of a DPO will help small organisation in navigating the complexities of GDPR. Although costly in the short term, it may help them avoid the costly penalties associated with breaching GDPR.
All employees in an organisation which handles data are required to be aware of GDPR and understand their responsibilities under it. Therefore, in addition to hiring a data protection expect, training courses should be run for employees to ensure they understand GDPR and are know about the implications to an organisation if they violate the regulations.