GDPR for small and medium-sized enterprises - Guide 2/2
In this article, you will learn what your rights and obligations are to ensure that your business complies with the GDPR. If you have not read Part 1 of the guide yet, please start there. Link: https://www.osobnyudaj.sk/novinka/426-gdpr-pre-male-a-stredne-podniky-navod-12
1. Data storage protection
Review and evaluate how your business stores data. Personal data turns up in many places: in e-mail mailboxes, customer databases, mobile phones and cloud services (for example Dropbox and Microsoft Office 365).
Create a data processing and storage inventory. It should record where customer data is kept, who has access to it, and how it is protected, for example by encrypting stored data and serving your website over TLS (still commonly called SSL).
Data processors may legitimately need access to items such as telephone numbers or postal addresses, so define who may access this data and under what circumstances.
You should also create a data transfer plan. Data is most exposed when it is moved, for example between departments or when shared with third-party providers (such as an outsourced customer service). Set restrictions on how data may leave the business, for example on laptops or USB drives, and require encryption on any such device.
Encryption also matters after an incident: the GDPR treats the technical measures you had in place as a mitigating factor when a fine is set, and if the breached data was encrypted and the key was not compromised, you are generally not required to notify the affected individuals.
2. Select DPO
The GDPR does not tie the Data Protection Officer (DPO) requirement to company size. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (for example health, biometric or genetic data, or data on criminal convictions). Most small businesses fall outside these cases and are therefore not obliged to appoint one; the often-quoted threshold of 250 employees concerns the duty to keep records of processing activities, not the DPO.
Even if your company has only a few employees, it makes sense to make one person responsible for personal data. That person owns GDPR compliance, keeps the documentation up to date and acts as the contact point for the supervisory authority and for data subjects.
3. Train your staff in GDPR
In the eyes of the law, ignorance is no excuse. An unintentional breach, such as losing a USB stick with customer data outside the office, can result in a heavy fine. Company-wide GDPR training and written data handling policies must therefore be a priority.
Teach employees to recognise data breaches and to report them internally without delay, because the clock starts when the business becomes aware of the breach. A breach must be reported to the supervisory authority (in Slovakia the Office for Personal Data Protection) within 72 hours of becoming aware of it, unless it is unlikely to pose a risk to the individuals concerned; where the risk is high, the affected individuals must be informed as well. The notification describes the nature of the breach, the categories and approximate numbers of people and records affected, the likely consequences, the measures taken or proposed to contain it, and a contact point for further information.
4. The data subject can check what data you collect about them
Every data subject, not only EU citizens, can request access to all the personal data you hold about them. That can be anything from mentions in e-mail threads to customer records and electronic notes, and you normally have one month to respond. They also have the right to have inaccurate data corrected and, subject to the exceptions in the regulation, to request erasure of their data. Make sure you can actually locate every copy, including backups and data passed on to suppliers, before such a request arrives.
5. Ensure that suppliers meet the requirements of the GDPR
Small businesses often rely on a network of suppliers. Even if your own company complies with the GDPR, you must ensure that suppliers who process personal data on your behalf also comply. Size does not matter here: a written contract is required with every processor, whatever its headcount, and you remain responsible to the supervisory authority and to data subjects for the data you entrust to them.
The quickest way to assess a supplier is to ask them to complete a GDPR compliance form describing what type of data they process, how they process it, what security measures they apply and how long they retain it.
You can send them a GDPR compliance checklist for small businesses to fill in. Make sure the contract itself contains the processor terms the GDPR requires: the subject matter, duration and purpose of the processing, the categories of data, the security measures, the use of sub-processors only with your approval, assistance with breaches and data subject requests, and return or deletion of the data when the contract ends.
6. Create data processing notifications
Data handling must be fair and transparent, so you need a document explaining how your business handles personal data. These documents, known as Fair Processing Notices (FPNs) or privacy notices, should be easy to find, for example linked from every page of your website.
They should describe what data you record, the purpose and legal basis for processing it, how long you keep it, who it is shared with, and how an individual can request access to it, have it corrected or have it erased. Whenever you collect data, provide a link to the FPN or state the key details on the spot, so that the individual knows how your business will use their specific data before they hand it over.
osobnyudaj.sk, s.r.o., Námestie osloboditeľov 3/A, 040 01 Košice