GDPR for Small Businesses: How to Be Compliant in 2021
10 Steps to Compliance with GDPR for Small Businesses
The General Data Protection Regulation (GDPR) was implemented on 25 May 2018. It was developed to protect the way EU residents’ personal data is processed. GDPR applies to all businesses established in the EU, as well as to companies outside Europe that process a European resident’s personal data.
Since this set of rules came into effect, it has had a massive impact on the way businesses all over the world process their customers’ personal data. Obligations differ depending on the size of your business and the industry you operate in, which makes the regulation even harder for small businesses to understand and comply with.
What is more, if your company is not GDPR compliant, you run the risk of fines or penalties. Fines for not complying with GDPR can be up to €20 Million, or 4% of an organisation’s yearly revenue, whichever amount is greater. Interestingly enough, on the day the GDPR came into force, the French data regulator moved to fine Google €50 Million for the lack of consent on advertisements.
It is therefore important to make complying with GDPR a less difficult task for small businesses. That does not mean you have to read all the complicated legislative documents to make sure your company complies with this set of rules.
Market Inspector has created an infographic that provides all the information you need about GDPR for small businesses, and offers 10 steps to ensure compliance.
What If I am Not GDPR Compliant?
The consequences for an SME that is not GDPR compliant are the following:
- You get a warning.
- You get reprimanded.
- You get a suspension from data processing.
- You get a fine.
As mentioned above, fines can be up to €20 Million, or 4% of the company’s annual revenue, whichever amount is higher.
It is interesting to note that the biggest fines to date are:
- €50 Million, Google (2018)
- €109 Million, Marriott (2019)
- €202 Million, British Airways (2019)
For your small business to be compliant and avoid a fine, you have to take into consideration multiple key points of the legislation, which can be very time consuming.
Take a look at the infographic and learn everything you need to know about GDPR for small businesses.
Types of Data: Personal & Sensitive Personal Data
It is important to understand which kind of personal data your organisation processes. The General Data Protection Regulation mentions two types of data: personal data and sensitive personal data.
Personal data is any kind of data that can make a person identifiable. This can be a first name and surname, home or email address, a phone number, an ID number, or even an IP address.
Sensitive personal data, however, goes beyond the scope of merely personal data. It covers information such as trade union membership, racial or ethnic origin, political opinions, religious or philosophical beliefs, physical or mental health data, sexual information (regarding sexual life or sexual orientation), and genetic data.
When it comes to GDPR for small businesses, it is crucial to understand the difference between these two types of personal data, and to be aware of which type is being processed within the business.
10 Steps to Be Compliant
To comply with GDPR as a small business and avoid a fine, you have to take into consideration multiple key points of the legislation, which can be very time consuming.
For this reason, Market Inspector created a step-by-step guide that sets out all the actions you have to go through to comply with the regulation. The guide below also provides actionable tips that will make it easier for your small business to comply with GDPR.
1. Know your data!
Identify the personal or sensitive data you collect through a data audit. Be aware of how you collect, use and share data. Collaborate with managers to complete data audits for each department.
3. Review all contracts!
Check if contracts with all your employees, customers and suppliers are GDPR compliant. Documents should be detailed and tailored to your industry.
4. Create a consent process!
5. Consider age verification!
Consider the age of your clients, in case your target group includes minors. Set up an age verification check and ask for parental consent where needed. Use a multi-layered method that verifies age by more than one approach.
6. Assign responsibilities!
A common misunderstanding around GDPR for small businesses is whether or not your firm has to appoint a Data Protection Officer (DPO). You must appoint one if your business has more than 250 employees or processes sensitive personal data on a large scale. Even if you don’t need a Data Protection Officer, you should still assign someone to handle privacy matters.
7. Meet data subjects rights!
You must fulfil all data subject rights within 30 days of a request. Optimise the process for handling data subject requests and create the necessary contact forms to speed it up.
8. Think about security!
Check that all databases are password protected. Review who has the right to access them. Ensure access rights are granted according to an employee’s operational needs and never arbitrarily. Additionally, make sure you use merchant account providers that offer the latest and most secure payment systems.
9. Prepare for data breaches!
Report breaches that pose a privacy risk within 72 hours of becoming aware of them. Train your employees about GDPR and risk reporting.
10. Identify your SA!
If your business operates in multiple countries across the EU, a Supervisory Authority gets assigned to you. Be aware that you might have to deal with international authorities when handling data breaches.
We truly believe that after reading this comprehensive guide to GDPR for small businesses, you will have a better understanding of the legislation and of the process of making your company compliant.
None of the content on this webpage should be classified as an official statement of the regulation. You should not consider any advice in this article as legal advice.