Get your small business ready for EU GDPR in 6 steps
The European Union General Data Protection Regulation (EU GDPR, or just GDPR) comes into force in less than a month: on May 25th 2018 it becomes law in the 28 Member States. The regulation harmonises the diverse data protection legislation across the EU. It is also very focussed on individual citizens’ data and privacy rights, protecting the EU’s own citizens regardless of where their data is processed, and anyone whose data is processed in the EU. Finally, the aspect that concerns many businesses is the fines that can be incurred if a company experiences a data breach or otherwise fails to respect and protect individual citizens’ data and its privacy. But businesses should not focus on the fines. Focus instead on the opportunity the EU GDPR gives you for some housekeeping and for rebooting your best practices when handling your clients’ and customers’ data.
GDPR exists in the realm of “What-ifs”
In preparation for this for my own business I did an excellent full-day course delivered by Valerie Lyons, COO of BH Consulting, for Irish Times Training. I am not purporting to be an expert: if you need one, get in touch with Valerie. The reality is that there are no experts YET. Many of the cases we discussed during the course of the day, the “what-ifs”, are currently purely theoretical as they have yet to be tried in law. We know from the regulation what the letter of the law is, but the first case taken will give us some idea of how that letter is read and set a precedent. This is ever the case with new legislation.
My hot take on GDPR
My hot take from the day? If you are a conscientious business that has been managing your customers’ data transparently and securely, you will not need to make many changes to how you operate. If you aren’t quite there, at least now you have clear instructions and you will know that the documentation, systems and processes you put into place will stand your business in good stead throughout Europe and, indeed, the world.
It is not in the EU’s interest to make compliance massively onerous for companies. Micro, small and medium-sized businesses make up 99.8% of non-financial business in the region.
“The overwhelming majority (99.8 %) of enterprises active within the EU-28’s non-financial business economy in 2014 were micro, small and medium-sized enterprises (SMEs) — some 23.3 million — together they contributed 57.4 % of the value added generated within the EU’s non-financial business economy. More than 9 out of 10 (93.0 %) enterprises in the EU-28 were micro enterprises (employing less than 10 persons) and their share of value added within the non-financial business economy was considerably lower, around one fifth (20.9 %).” (Source)
Therefore, the EU does not want to put you or your ilk out of business. Also the regulation is now possible because cost-effective technology exists that allows organisations to undertake these responsibilities to society.
Six Steps to GDPR-ready
What does an average SME need to do in the next four weeks to be ready? The following six tasks should get your business to a good place with GDPR.
- Read up on the intention, reason and focus of the EU GDPR. Make sure you know what it covers and whether your company has to take any special steps because of the nature of the information you collect.
Here are some great sources to review:
www.cnil.fr – you can toggle English on this French site
https://gdpr-info.eu/ – the full regulation with easy navigation.
Don’t read the articles about how this company or that won’t be able to comply or will never be ready (e.g. Facebook, Google etc.) Sure, if you are a user, how they manage their transition is important to you but focus on your own first. And yes, there are implications if you are using their advertising platforms but that is a blog post for another day!
- Audit all the information you currently hold about individuals: contact databases, sign-in sheets, mailing lists, even email addresses in your inbox. It can be digital or physical, hard or soft copy, but all of it needs to be reviewed and a decision made about whether to retain or delete it. The GDPR refers to data processors and data subjects: merely storing data subjects’ (citizens’) data counts as processing.
- Once you know what you have, you need to be able to verbalise your legal basis for holding that data, how long you will retain it and how citizens can communicate with you about data you may hold about them. That’s just open and honest, right? Don’t freak out about “legal basis”! This can be as simple as “We ask for your contact details in case there is a change to the schedule. We keep this information for one year maximum.” or as commercial as “We ask you to subscribe to our email marketing list so that we can keep in touch on a regular basis about our business. We ask you to confirm your subscription after 12 months.” In fact this is a great opportunity for some small businesses to formalise their communications and to take more ownership and responsibility for one of their company’s most valuable assets!
- The GDPR formalises and enshrines citizens’ data rights (that’s my rights and your rights too!). Businesses must comply as follows:
- Right of Access: any citizen should be supplied with all the information you have about them on request. This is called a Data Access Request (DAR). You must respond with the data within a month. This can be extended to three if the data is complex and as long as the citizen is informed about the delay.
- Right to be Forgotten: if a citizen requests that you remove all their data, you do it. You can see with these two points already that if you haven’t audited all the data you currently hold as per point 2 above, the company might experience some difficulties.
- Right to object to processing and Right to object to profiling: this one will have a massive effect on the likes of Facebook and Google who use demographic and anonymised data to profile citizens and then serve them ads based on that information. However if you use Google Analytics or Facebook Pixel, your Privacy Statement must be clear on this and allow site users to opt-out of this automated processing and profiling if they wish. If they do opt-out, this should not impact their use of your service. You have probably realised as well that if you have segregated mailing lists, you are doing profiling of sorts. This element of the regulation allows citizens to withdraw from being a target of automated processing but also direct marketing of any kind.
- Right to portability: this means that citizens should be able to receive their data from you and move it to a new service provider. Big implications for banks, utility companies etc. but also opportunities for software companies to harmonise data collection amongst smaller service providers like gyms, dentists, solicitors etc.
- Right to transparent communication: in Ireland the age of consent for DATA!! is thirteen (13) years old. It is 16 in most of the other EU member states. Make of that what you will: there are no doubt reams of articles on the subject! See point 2 above! The implication for your business is that your communications relating to data protection, privacy and consent need to be understood by a 13-year-old. I may start a copy editing business with my kids…
- Right to rectification: citizens have a right to have their data corrected, updated or completed on request. You have to ensure that your systems allow you to do this in a timely manner.
- Right to restrict processing: data subjects (citizens) can, in certain circumstances, ask that the processing (including the storage) of their data be restricted. For example, if the data stored is inaccurate, the citizen can request that processing is restricted until the data is rectified. Other instances are covered in the regulation, but the implication for businesses is that your systems and processes, especially automated processes, need to be able to “hold” the processing should a citizen request it.
- Develop a system: based on the above, you need to be able to respond to these rights. Should you receive what is called a “Subject Access Request”, a “Data Subject Access Request” or a “Data Access Request” from a citizen, you need to comply. Therefore you need a system in place that allows your company to do so. It doesn’t have to be fancy, it just has to be clear.
- Document your processes: similarly, you should document what kind of data processing (including storage) your company undertakes. You need to document your legal basis for processing data (which includes storing. No, I can’t emphasise that enough!)
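As an added illustration (not from the original post), here is a minimal Python “processing register” that ties steps 2 to 6 together: each record states its purpose, legal basis and retention period, and the data subject rights (access, erasure, rectification, restriction, portability) become plain functions over that register. The record fields, function names and the sample contact are constructed for the example; the one-month and three-month response deadlines are approximated as 30-day months.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import json

@dataclass
class Record:
    data: dict                # the personal data actually held
    purpose: str              # plain-language reason, as in the post's examples
    legal_basis: str          # e.g. "consent" or "contract"
    collected: date
    retention_days: int       # how long it may be kept before review/deletion
    restricted: bool = False  # "hold" flag for the right to restrict processing

REGISTER = {}  # subject (constructed: an e-mail) -> Record; a spreadsheet would do

def access_request(subject):
    """Right of Access: everything held about the subject, plus why and how long."""
    r = REGISTER[subject]
    return {"data": dict(r.data), "purpose": r.purpose,
            "legal_basis": r.legal_basis, "retention_days": r.retention_days}

def response_deadline(received, complex_case=False):
    """One month to answer a request, three if complex (approximated as 30-day months)."""
    return received + timedelta(days=90 if complex_case else 30)

def erase(subject):
    """Right to be Forgotten: remove everything held about the subject."""
    del REGISTER[subject]

def rectify(subject, **updates):
    """Right to rectification: correct or complete what is held."""
    REGISTER[subject].data.update(updates)

def restrict(subject, on=True):
    """Right to restrict processing: the hold that automated jobs must check first."""
    REGISTER[subject].restricted = on

def export_portable(subject):
    """Right to portability: a machine-readable copy for another provider."""
    return json.dumps(REGISTER[subject].data, sort_keys=True)

def overdue_for_review(today):
    """Step 3 retention check: subjects whose data is past its stated retention period."""
    return [s for s, r in REGISTER.items()
            if today > r.collected + timedelta(days=r.retention_days)]

# Constructed sample record, mirroring the post's "kept for one year maximum" basis.
REGISTER["ann@example.invalid"] = Record({"name": "Ann", "phone": "000"},
    "contact in case the schedule changes", "consent", date(2017, 4, 1), 365)
```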
Depending on the nature of the data that your organisation processes and how and where it is processed, your company may also have to undertake a Data Protection Impact Assessment (DPIA). This assessment should be done if, broadly speaking, the processing of the data “is likely to result in a high risk to the rights and freedoms of natural persons.” You can read more online from GDPRandYou.ie, and CNIL have created a piece of software to assist in creating the DPIA.
There is just over a month between now and 25th May. If we consider each of the points above as a task, you need to undertake fewer than two of those a week to be compliant. Some will take more time and effort, some will take less. Some you will be able to do at your leisure, others will require a more active approach.
— OnlineHubIE (@OnlineHubIE) April 19, 2018
Welcoming Attitude to GDPR
All of this should be undertaken with a view to responding to an audit from the Office of the Data Protection Commissioner. It might never happen, or it might become a regular occurrence, like a tax return (depending on how many fines they collect, eh?). Either way, your company can be ready should their officials come knocking on your (virtual) door. The six steps above should allow you to provide them with the following:
- A welcoming attitude because you understand their role and your responsibilities because you’ve done your reading and stayed clear of the scaremongers!
- An audit that outlines what citizens’ data you process and how it is managed.
- A document that explains your legal basis for holding this data, how long you retain it and how citizens can communicate with you about their data.
- A document that details how the company can respond to and enact each of the data subject rights enshrined in the regulation.
- A working system that allows you to respond to a Subject Access Request.
Ideally much of this documentation should be published on your company website. Your customers will welcome it as it shows that the company is engaged, responsible and responsive, open and transparent. What more could a modern business in the 21st Century hope to be?