The small business no-nonsense guide to GDPR
About this Guide
The clock on the GDPR enforcement has now run down, but that does not mean the GDPR has gone away or is any less important for your business than when it was top of the news headlines.
Many businesses are understandably frightened and unsure of whether they are compliant. There is unfortunately still a lot of confusion around this legislation, so the purpose of this guide is to cut through the confusion and provide an overview of what the legislation is.
The guide also tries to lay out the steps that you as the business owner need to take to see if you are compliant, and what needs to be done to close any gaps in your data processing protocols. It is a legal requirement for all businesses – both new and existing – to meet the requirements of the GDPR.
As a provider of CRM for small business, most of our customers will be interpreting the GDPR from a small business standpoint and that’s therefore where we’ll be writing this guide from. We will also take a few opportunities to demonstrate how using RealtimeCRM can help you close any compliance gaps.
The birth of the GDPR
On the 25th May 2018 the GDPR (General Data Protection Regulation) came into effect. It was a wide ranging overhaul of data protection regulation that affected all businesses. The Regulation was an essential step to strengthen citizens’ fundamental rights and keep up to date with the tremendous changes that have taken place.
Over the last 20 years in particular, the internet of things, social media and online shopping have come into being and grown significantly. There is therefore an ever growing ocean of personal data that needs to be protected and made secure.
Because of its importance and the perceived complexities many businesses were contacted by consultants offering reviews, courses and compliance checks – you might have been one of them. We believe that while the GDPR affects all businesses it doesn’t have to be difficult to deal with. That said, you must always keep in mind that no-one can offer authoritative legal advice on any subject until it is tested in the courts: We can tell you our interpretation but we are not lawyers, we are not your lawyers, and this is not legal advice.
What is the GDPR?
The GDPR is a modern privacy framework which aims to account for the complex nature of modern data collection, storage, processing and distribution. The goal is to provide a path which allows businesses to build and maintain a data policy that ensures you keep your eye on the ball of data security and management.
It’s in your interest to be compliant. This is not simply because this legislation has teeth in the form of significant fines (we’ll cover that later) but also because by doing so you signal to your customers that you take the security of their personal data seriously.
As you can see from the Pew Research survey above, privacy matters to individuals. If you cannot demonstrate high standards of data protection – or worse, you are found to be negligent – it will harm your business.
Additionally, the GDPR requires all companies within the EU to create data processing systems with the same underlying principles. This will allow for a consistent and cohesive data protection environment, which in turn makes it easier for businesses to interact with each other.
NB Despite the UK’s exit from the EU at the end of 2020 the GDPR still applies. See below for more details.
What are the key principles of the GDPR?
The GDPR sets out the data protection principles in Article 5, which can be summed up as follows:
- That personal data is processed lawfully, fairly and in a transparent manner in relation to individuals.
- That personal data has been collected for a specific and legitimate purpose and is not processed beyond the scope of the legitimate purpose used to justify the processing.
- That personal data is adequate, relevant and limited to what is necessary in relation to the purpose for which it is being processed.
- That the personal data is accurate and kept up to date.
- That personal data is kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is being processed.
- That personal data is processed in a manner that is secure including protection against unauthorised or unlawful process and against accidental loss or damage.
Does it apply to me?
The regulation applies whether or not your business is based in the EU and regardless of the actual location you process data. As long as you are processing the data of people in the EU for the purpose of offering goods and services (whether paid or not) or monitoring the behaviour of people in the EU, for example by placing cookies on the devices of EU individuals, you must adhere to the GDPR:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to..”
-Article 3(2) General Data Protection Regulation-
Even though the UK left the EU in December 2020, that has had no impact on the GDPR enforcement as the Information Commissioner’s Office (ICO) has confirmed the new bill applied in the UK from 25th May 2018.
For the purposes of this guide we will focus our attention on the GDPR and its effect on small businesses. The GDPR is not a one size fits all solution to the problem of data protection. It has differing levels of obligation depending on the size of the business when it comes to reporting:
“The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”
-Article 30(5) General Data Protection Regulation-
In plain language, the GDPR does not expect the same level of obligation from a small company of, say, 12 employees as it would from a company like Facebook. That is unless you process data more than occasionally or if the data is of special categories, in which case you will need to comply in the same way as larger organisations.
It’s important to understand the general principles because, as the GDPR states, data protection is not a product but a process. In understanding the process you will be able to evaluate your current data protection procedure and update it where necessary to ensure that you are compliant with the GDPR.
A few key definitions
Data Subject: A natural person who can be directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or their physical, genetic, or other identity. An example would be a person named ‘James Sample’.
Personal data: The GDPR applies to personal data meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Sensitive personal data: The GDPR refers to sensitive personal data as special categories of personal data. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. See Article 9(1) for an exhaustive list of what classifies as sensitive personal data.
Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Controller: Determines the purposes for which and the manner in which any personal data is to be processed. For example James Sample registers with a landscaping company named Green Landscapes via their website to find out more information about their services. In this case Green Landscapes becomes the controller of the personal data that James Sample provided.
Processor: They process the data on behalf of the controller. Any software or CRM system such as RealtimeCRM becomes a processor of James Sample’s personal data when Green Landscapes imports his data into RealtimeCRM.
Processing: Anything that is done to or with personal data such as:
- Organisation, adaptation or alteration of the information or data.
- Retrieval, consultation or use of the information or data.
- Disclosure of the information or data by transmission, dissemination or otherwise making available.
- Alignment, combination, blocking, erasure or destruction of the information or data.
Enforcing the GDPR
Under the Data Protection Act (DPA) the ICO could issue fines of up to £500,000 to a data controller that was in violation of the legislation. The GDPR however allows for far more significant fines of two differing levels of severity:
Level One fines
Under the GDPR, the ICO can issue fines of up to €10 million or 2% of worldwide turnover of the preceding financial year (whichever is greater) against both data controllers and data processors.
The following is a list of some of the provisions which, if violated, can result in the above fine:
- Failure to implement measures to ensure privacy by design (i.e. ensuring data protection is considered in the early stages of a project and throughout its life cycle).
- Failure by a controller in relation to the engagement of processors.
- Failure of a processor to process data only in accordance with the controller’s instructions; failure to report breaches; and failure to appoint a data protection officer, if such appointment is required pursuant to the GDPR.
Level Two fines
The ICO can impose fines of up to €20 million or 4% of worldwide turnover of the preceding financial year (whichever is greater) against both data controllers and data processors.
The following is a list of some of the provisions which, if violated, can result in this fine:
- The basic processing conditions including in respect of obtaining consent.
- Infringement of the rights of data subjects including international transfers of personal data.
- Failure to implement or adhere to a subject access request process.
In addition to the above fines, the GDPR explicitly states that individuals have the right to complain and this includes the right to judicial redress in court.
Now that you are aware of the potential penalties of the GDPR you might be panicking. Please don’t. These enforcements and fines can be easily avoided by doing a proper audit of your existing data management systems. Once done, you can look at ways that it needs to change for it to be compliant. Remember that the purpose of the legislation is not to trip you up but to encourage you to think about data protection and to ensure it is more than just an afterthought of your business.
This process of conformity and compliance is more than manageable in all but the most extreme and complex cases. Make sure you incorporate the concept of data security into your business so that it becomes a cornerstone of good practice.
Your current data processing
In this section we’re going to think about the GDPR in more specific terms. How exactly does it apply to your business?
Under Article 30, the GDPR includes a reduced burden for small businesses when it comes to keeping records of their data processing. This however does not apply if you are processing special categories of data (see Article 9 for a full list of these) or if the processing you carry out results in a high risk to the rights and freedoms of the data subjects. Additionally, it does not apply if the processing of data is not just occasional. The interpretation of the phrase “not occasional” has not been made explicit, so we will interpret it conservatively and assume that the higher standard of recording applies to small businesses as well.
All of this may sound quite intimidating but you need not be on your own in attempting to meet the relevant compliance requirements. You can easily seek advice from third party consultants on this point.
Becoming GDPR compliant begins with knowing what data you collect and process, and why. This is a useful exercise to run because you may find out that you can reduce the amount of data you collect and therefore reduce your GDPR liability.
The easiest way to find out what data you collect is to perform an audit of your current data processing. The ICO has produced an easy to use template with example data which you can fill in with all the current data processing that you do, where your data came from, who you share it with and under what lawful basis within the GDPR you process that data.
We recommend you read this entire guide so you have a fuller understanding of the GDPR before filling in the template below:
The Controller data processing documentation template
Risk Assessment
The GDPR encourages a risk based approach to data processing. Article 30 of the GDPR requires controllers to “ensure a level of security appropriate to the risk.” In order to find out your level of risk you will have to do a risk assessment. Fortunately, this is not as complicated as it sounds and just requires some common sense and honesty.
- A Threat Assessment: Are you able to identify data breaches, unauthorized network access or even things as simple as whether your physical files are locked away with only the necessary people having access to them?
- Data Audit: Look at your data collection and processing as a self contained system. What is the greatest threat to it? If your data is stored digitally, is it encrypted and password protected? Are you processing sensitive data that requires extra security? Do members of staff require a Disclosure and Barring Service (DBS) check?
You will also need to have plans for incident response and breach notification, which under the GDPR requires a 72-hour turnaround. This is unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
Completing an adequate preliminary risk assessment will enable you to identify your level of risk. This is particularly important because if you are at a high risk you are required by the GDPR to conduct a Data protection impact assessment (DPIA).
As a small business do I need to conduct a DPIA?
If you are a small business your level of risk is unlikely to be high enough to warrant a DPIA. The three conditions that necessitate a DPIA are:
- A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
- Systematic monitoring of a publicly accessible area on a large scale.
An example which may require a DPIA could be a hospital that is processing its patients’ genetic and health data on its information system. If you’re a small local landscaping business then the information you hold and process probably doesn’t meet the DPIA conditions.
The right to process
We have now covered a basic overview of what the GDPR is. We have gone over the preliminary steps you should take before you actually change your current data processing system as well.
From this point onward we will be getting into the detail of the legislation and specifically what you have to do to comply with it.
The foundation of compliance is that you must have a lawful basis for the processing of personal data. The GDPR provides six lawful bases for processing. No single basis is a stronger justification for processing than any other. What matters most is which bases are most appropriate to use for the purpose(s) of the processing that you intend to do and your relationship with the individual whose data you intend to process.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation: The processing is necessary for you to comply with the law not including contractual obligations.
Vital interests: The processing is necessary to protect someone’s life.
Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. However, this does not apply if you are a public authority processing data to perform your official tasks.
As a small business only a few of these lawful bases will apply to you when processing data, the most likely of which will be Consent and Contract.
How to gain consent
The GDPR defines consent in Article 4(11) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice then you should not use consent as a lawful basis for processing personal data. In such a case an alternative such as Contract may be more applicable.
Clear affirmative action means the individual must take deliberate action to opt in, even if this is not expressed as an actual opt-in box. For example, other affirmative opt-in methods could take the form of signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default.
Conditions for consent
Article 7 describes the conditions for consent but they can be summarised as your consent mechanism being specific, granular, clear, prominent, documented and easily withdrawn:
- Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: Pre-ticked opt-in boxes are invalid. You should instead use unticked opt-in boxes or similar active opt-in methods such as a binary choice given equal prominence.
- Granular: Give granular options to consent separately to different types of processing wherever appropriate.
- Named: Name your organisation and any third parties who will be relying on consent. Even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: Keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
- No imbalance in the relationship: Consent will not be freely given if there is imbalance in the relationship between the individual and the controller.
When consent isn’t appropriate
As stated earlier, if you can’t offer people a genuine choice over how you use their data then consent is an inappropriate lawful basis for processing. This may be the case if, for example:
- You would still process the data on a different lawful basis if consent were refused or withdrawn. For example, a company that provides credit cards asks its customers to give consent for their personal data to be sent to credit reference agencies. If the customer were to refuse, the company could still send the data to credit reference agencies on the basis of ‘legitimate interests’.
- If consent to the processing is a precondition of accessing your services. In some cases this might not even constitute valid consent. Instead if you believe processing is required for the service then the better lawful basis for processing would be processing for the performance of a Contract.
- If you are in a position of power over an individual like their employer then they obviously cannot freely give consent as they may fear adverse consequences or feel like they have no choice but to agree. In this case the better lawful basis for processing could be processing for the performance of a public task.
In each of the above examples, Consent is not the most appropriate lawful basis for processing data. Think about the nature of the data that you are processing and whether another lawful basis is more suitable than consent.
Implied vs Explicit Consent
You must make it clear to the individual what the purpose of the processing that you intend to do is. You must then restrict your processing to only that which you have stated in the consent documentation.
For example, if an individual drops their business card into a prize draw box in a coffee shop, this can be seen as an affirmative action that clearly indicates they consent to having their name and contact number being processed for the purposes of the prize draw. It does not entitle the coffee shop to use those same details for marketing or any purpose other than the prize draw that the individual entered. This example is a case where we have implied consent which is inferred from someone’s action, in this case dropping their business card in the prize draw box.
In the example below, an individual must give consent explicitly by ticking an opt-in box to receive emails about products and special offers. The explicit element of any consent statement should be separate from any other consent you are seeking and it should clearly refer to the exact processing for which you are seeking consent. If relevant, you should state the nature of the special category data you are trying to collect as well.
RealtimeCRM can aid you in recording consent by allowing you to create a custom field which records the specific processing an individual has agreed to and when they agreed to it. Using the example above, you could, as We do Hairdos, scan the filled-in consent form and have it linked to the appropriate Contact record via RealtimeCRM’s Documents feature. In that way you have the nature of the consent and proof of the consent all in one place associated with the relevant individual.
How often do I have to revisit my consent?
The GDPR does not set a time limit on consent. Context is far more important. If your processing operations or purposes evolve then your original consent may no longer be specific or informed enough to be valid. If this happens you will need to seek fresh consent or identify another lawful basis.
Children and Consent
Article 8 of the GDPR describes when a child can and cannot give consent. It states that if that child is at least 16 years old then they are capable of consenting to their personal data being processed. Otherwise, if they are under 16 years old you must gain consent from the holder of parental responsibility over the child.
However, member states can choose to lower the minimum age at which a child can provide consent, and in the UK you can gain consent for lawful processing for children aged 13 and over. If you do choose to rely on children’s consent you’ll have to implement age verification measures and make reasonable efforts to verify parental responsibility for those under the relevant age.
Document your Consent
Ensure that you keep records to evidence consent. They should clearly state who consented, when, how, and what they were told. We have already discussed how software such as RealtimeCRM can help you achieve this. You should also make it easy for people to withdraw consent at any time, preferably in the same manner as they first consented.
This means that, ideally, if they consented via an online form they should be able to withdraw consent via an online form that is easy to find and use.
If you’d like in-depth information about consent then visit the ICO GDPR Consent information page.
The rights of the data subject
Articles 13 through to 22 of the GDPR describe certain rights that data subjects are entitled to. In this section we will be covering each one in turn and looking at how they may affect your small business.
It may seem like a Sisyphean task to ensure you uphold each right but, as before, it needs to be seen as a process rather than a product. Some of the rights will be less relevant to smaller businesses as they are designed to deal with large corporations instead. Your data processing system should be designed by default to comply with each of these rights.
The rights of the data subject are as follows:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The right to be informed
For this, you need a privacy notice which transparently and simply explains who you are, what data you are collecting, for what purpose (especially if the data will be used in profiling), how long you will hold onto the data and finally whether you will pass it on to a third party.
You must also clearly state where you got the personal data from if you did not get it directly from the data subject, as well as how the data subject may withdraw consent or complain to the relevant supervisory body.
The right of access
Individuals have the right to access the personal data, and any supplementary information which you hold on them. The primary reason for this right is that it allows individuals to be aware of and verify the lawfulness of the data processing which you are doing.
The time limit from the request being made by the data subject to the information being obtained by them is 1 month. For some businesses, gathering the required information in a timely manner could be difficult, and could incur a cost, if they have many customer information requests or a very complex data management system (say, multiple spreadsheets without an efficient reference system). Unfortunately, under the GDPR guidelines you are not able to charge a fee for dealing with an information request, so streamlining this process to be as efficient as possible is in your interest.
With RealtimeCRM we want to make complying with the right of access component of the GDPR as simple as pushing a button. In fact, that’s what we’ve done: we’ve introduced the GDPR button on all Contact records. By clicking this button you can download a text file with all the information you hold on that Contact. This allows you to quickly and painlessly send this information to the customer, and allows them to check its accuracy and decide whether they consent to you continuing to hold this information. Your data management system shouldn’t be a hindrance to compliance but an aid to it.
As you can see having your data stored electronically in a CRM system like RealtimeCRM can save you a significant amount of time and make compliance a lot easier.
The right to rectification
The GDPR enables individuals to rectify their personal data if it is inaccurate or incomplete. Furthermore, if you have disclosed this inaccurate personal data to third parties you must inform the data subject of these third parties and also inform the third parties that the data is to be rectified and thus made accurate.
Once again if you receive a rectification request from an individual you have one month to comply.
The right to erase
The underlying principle of this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
For most small businesses it will likely apply if the personal data is no longer necessary for the purpose it was originally collected or if the data subject withdraws their consent to process their data, or if the data was unlawfully processed i.e. in breach of the GDPR.
As before, if you have passed their personal data onto a third party you must inform them of the erasure request too unless it is impossible or involves disproportionate effort to do so.
If you have the right system in place you can comply with this requirement of the GDPR without too much trouble. In this case storing your data electronically such as in RealtimeCRM allows you to quickly search for the individual’s record and simply click the Delete button. Their data will be removed from the CRM system permanently.
The right to restrict processing
This right enables individuals to stop you from processing their data but you are still allowed to store their personal data.
An example of when this might apply for a small business is if the individual questions the accuracy of the data you hold on them. In this case until they have verified its accuracy you must not do any processing with this data.
The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Put simply, they can move, copy or transfer personal data easily from one IT environment to another.
In order to comply with this the data has to be provided in a structured and machine readable format such as a CSV file. From the initial request you have 1 month to comply. If it is particularly complex or you receive many such requests then you may request an extension to 2 months in order to comply. You will also not be able to charge for this service. If you’re not storing your data electronically or if it is stored across many complex spreadsheets this task can be very arduous and time consuming.
With RealtimeCRM however you can simply select the Contact record you want and export it. It will automatically export it as a CSV file, enabling you to pass this onto the data subject who made the initial data portability request without much fuss.
The right to object
Individuals have the right to object to you processing their data on grounds relating to his or her particular situation. If you receive such an objection you must cease processing their data unless:
- You can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.
- The processing is for the establishment, exercise or defence of legal claims.
You must also inform individuals of their right to object in your first contact with them or in your privacy notice. The GDPR states that the right to object must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
Rights in relation to automated decision making and profiling
This is unlikely to be relevant to small businesses. It is more for the Googles of this world. Basically, automated decision making means making a decision without any human involvement, and profiling means automated processing of personal data to evaluate certain attributes of an individual, for example their interests.
If this does apply to you then you must:
- Give individuals information about the processing.
- Introduce simple ways for them to request human intervention or challenge a decision.
- Carry out regular checks to make sure that your systems are working as intended.
Documenting your data processing
Article 30 describes in detail the records of data processing which businesses are required to keep. As we have discussed previously, there is a less rigorous requirement for smaller businesses, but because the meaning of “data processing is not occasional” is as yet undefined, in this guide we will assume the full documentation standard applies to small businesses as well.
If you recall the section in this guide titled “Thinking about your current data processing”, we went through how to do a data audit of your current data processing system and provided you with a template, “The Controller data processing documentation template”, with which to record all your data processing activities.
In a nutshell, that’s what documenting your data processing is: It’s filling in that template. As we covered in that section, and the template demonstrated, you must document the following things:
- The name and contact details of your organisation and where applicable, of other controllers, your representative and your data protection officer.
- The purposes of your processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of your transfers to third countries (countries outside the European Union) including documenting the transfer mechanism safeguards in place.
- Retention schedules.
- A description of your technical and organisational security measures.
If you desire, you can also record additional data such as the location of where the personal data is stored and records of consent. In any case, when documenting your data processing you should ensure that it is granular and meaningful.
The purpose behind this process is not only to enable you to prove compliance but also to get you thinking about whether your current data processing system meets the required standard under the GDPR. You can then think about what can be improved to ensure it meets the standards set out in the legislation.
How RealtimeCRM helps keep an eye on data processing activities
With RealtimeCRM you can easily increase the granular detail of your data processing records. You can use the Activity Timeline and Event Log features to create an audit trail of your data processing. This could be useful as an extra layer of evidence to help prove compliance with the GDPR, should the ICO ever decide to look at your data processing activities.
The Activity Timeline appears in every record when you do something to that record. For example, imagine you created a new project for a customer. Obviously, you will need to use the customer’s personal data to complete the project. The activity note will appear on the Customer’s record detailing the date, time and other details of the newly created Project, automatically recording this new data processing which has taken place.
Furthermore, the Event Log feature records any activity which has taken place in RealtimeCRM including who did it and when. This might be when a customer record is deleted. In this way you can keep an eye on your data processing activities and make sure you remain compliant and, if needed, prove compliance with the inbuilt data audit trail tools within RealtimeCRM.
Secure by design, secure by default
The GDPR legislation requires you to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
In plain language, have you made the personal data you hold secure? One of the key features of a secure system is that it ensures privacy by design. Privacy risk can increase if the data you hold is:
- Excessive or irrelevant.
- Kept for too long.
- Used in ways that are unacceptable to or unexpected by the person it is about.
- Not kept securely.
In order for a small business to ensure its data processing system is secure by design and default it must first be clear in defining its information flows.
Next, how is the data stored? If it is kept physically in a filing cabinet then is it locked? Who has access to it? What about backups in case of physical damage to the data?
If it is stored electronically, is the data encrypted? Once again, who has access to it? Are you regularly updating your security software?
The three fundamental questions to ask when thinking about this problem are:
- How is my data secured?
- Who has access to the data?
- What protections are there against damage or unauthorised access?
As a small business you may find it useful to use third party software so you can take advantage of its inbuilt security measures. RealtimeCRM enables you to restrict what different users can see and access. In that way you can protect your customers’ personal data and only allow staff members the absolute minimum access they need to carry out their work. Plus, with the Event Log you can see if any unauthorised access has taken place, which adds an extra layer of security.
In addition, all communication between your browser and RealtimeCRM is encrypted with SSL. This is the same technology used to secure internet banking.
Do you need a Data Protection Officer (DPO)?
As a small business you probably won’t need to have a Data Protection Officer (DPO) unless:
- You carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
- You carry out large scale systematic monitoring of individuals. For example, online behaviour tracking.
If you do decide to employ a DPO their minimum tasks will include:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed.
Compliance need not be a nightmare
Hopefully, having read this guide about the GDPR and understood the principles behind it you will see that it is not something your business should be worried about and that the actions for closing any gaps in compliance can be dealt with relatively easily.
Remember, it’s a process, not a product. It aims to require you to think about the way you currently process data and ensure that security remains at the foundation of any system that you implement. This way, you will be keeping your customers’ data secure and building trust with them in the long term.
We hope this guide has been useful in untangling what seems like an overwhelming subject. This is not a legal document but our interpretation of the new legislation and how it will likely impact small businesses. The GDPR is not a one size fits all solution and should not be read without the context of the type and size of business you are interpreting it for.
At the end of the day only you know exactly how your business processes data and it will be up to you to incorporate the principles of the GDPR into your data processing system.