GDPR for small and medium-sized enterprises - Guide 1/2

GDPR for small and medium-sized enterprises - Guide 1/2

The General Data Protection Regulation brings us new opportunities, but also obligations that we must comply with if we want to avoid financial sanctions.

The new regulations give individuals extensive rights to their data and introduce strict rules on how businesses obtain, store and use this data. A GDPR compliance checklist for small businesses is essential.

What do you need to know?

The two key principles of the GDPR are that companies must have reasonable legal grounds for processing personal data, must be fully transparent and may also collect personal information only for a specific purpose.

How does GDPR affect small and medium-sized enterprises?

The GDPR requirements apply to all large and small enterprises, although there are some exceptions for small and medium-sized enterprises. Companies with less than 250 employees do not have to keep records of their processing activities, unless this is a routine activity involving sensitive information or the data could not endanger the rights of individuals.

Because most companies own some form of personal customer information - from email and mailing addresses to health and financial information - it is essential that your business meets GDPR requirements, regardless of the size of your company. Serious breaches of the GDPR regulations result in a massive fine of up to 4% of your business turnover, or € 20 million, whichever is higher.

If you collect, store or use personal data in any form, your business must comply with the GDPR. Follow our GDPR compliance checklist to make sure you are complying with all your responsibilities.

1. Find out what your GDPR responsibilities are

GDPR introduces two new terms that describe a person, company or organization that collects and processes data. Controllers and Processors must comply with the GDPR and must be in line with the GDPR for all SMEs in each checklist.

Data controller - a person or company that determines how and why personal data is collected. The data controller must ensure that the undertaking is in full compliance with the GDPR, including transparency, data retention, data confidentiality and the accuracy of the data collected and stored. They are also responsible for informing the Office of the Commissioner of Information (ICO) if data breaches occur or if data is stolen or lost in your business.

Data processor - the person or undertaking responsible for processing personal data on behalf of the controller. This includes anyone who has access to personal information and who uses it in any way, such as creating and sending marketing emails. The processor must ensure that the data are processed in accordance with the requirements of the GDPR and the record processing activities. It must also ensure adequate security when handling data.

2. Audit of personal data

Data comes in many forms. Make an audit of the data you store about customers, clients and employees - both past and present - as well as personal information about suppliers. The data includes a wide range of information, including names and addresses, financial and bank records, employee employment records and dates of birth.

You need to decide what data you need for your business. GDPR requires that you keep only the necessary data and for as short a time as possible.

Specific categories of personal data

This includes personal information such as political affiliation, religious beliefs, sexual orientation, trade union membership, racial and ethnic origin. These are data that could be misused to discriminate against an individual. You need the explicit consent of the individual to store any special categories of personal data.

You should also check how the data enters your business, including any consent obtained and the processes it goes through. See who processes personal data and whether it is accessible.

3. Review or define data consent rules

To obtain and store personal data, you must first obtain the clear and explicit consent that the individual freely provides. This means that you must clearly explain what personal information your business collects and how it will be used. The individual must agree to this.

If they do not agree, you are not allowed to collect and store this data under any circumstances. This includes the conditional collection of data if the data is collected as a condition of using the service, such as the provision of an incentive to subscribe to news and the subsequent use of this data for marketing purposes.

To comply with the GDPR, your company must be able to demonstrate that you have obtained consent to the data you own. Without recording the consent, there is a risk of a fine. Your business must also provide easy ways for an individual to opt out in the future.

4. Get rid of old data

Many companies create databases of customer information. The GDPR requires all existing customers to give their consent again. This means that you must contact each customer you have in the database and ask them for permission to further store and use this data. If they do not agree, and this may involve simply not responding to your request, you must delete their data. The GDPR stipulates that data may only be kept for as long as necessary. If they are no longer used, you must remove them.

Within each GDPR compliance checklist for small businesses, an important step is to audit the data you own and to establish policies that determine how long this data can be retained. For example, according to an established policy, data belonging to a customer who has not cooperated with your business for 12 months could be deleted. Check the data regularly to make sure it is not kept longer than necessary.