GDPR in 10 Steps: a Guide for Small Businesses

By now every business owner in Europe will have heard about GDPR: if it didn’t reach them through the news or their social circles, the swarm of pop-ups and emails announcing policy updates would have been telling enough. GDPR awareness might be mainstream, but it came a tad too late to believe that its practice is correspondingly widespread. Timing aside, putting GDPR into action proves confusing, as the regulators provide little guidance on its practical application. Among the most puzzled are small companies. GDPR dictates that they bear the same responsibilities as governments or corporations, pressuring them to make do with less subject-matter knowledge and a smaller budget for the lawyers needed to get their heads round the regulation.

This checklist summarises the principles behind GDPR from which each business can derive its data protection strategy. I should note that I am not a lawyer but a data security consultant; nevertheless, it is my belief that abiding by these principles should guarantee that a business operates legally and securely.

10 GDPR Principles for Small Businesses:

  1. Consent to process data is not required when: user data is necessary to perform a contract. A company does not need to ask for consent to obtain data if that data is required to perform a business transaction: the consent is automatically assumed. See Art. 6 Lawfulness of processing.
  2. Consent to process data is required when: user data is subject to additional processing, either by the company or by a third party, and that extra processing is not necessary to perform the service contract between a customer and the company. Examples include re-selling user data to business partners or displaying ads to users based on demographics derived from the user data. This is described in Art. 7 Conditions for consent.
  3. Free opt-in & opt-out anytime: processing personal data as described in point 2 requires unambiguous consent recorded by an affirmative action, e.g. ticking an opt-in box. Users should be able to opt out of the additional processing at any time during the service agreement. Users are able to continue using the service if they choose to opt out of additional data processing. See Art. 4 Definitions and Art. 21 Right to object.
  4. If user consent has been requested in the past and follows the rules described in point 3, there is no requirement to reissue the consent agreement: see Art. 7 Conditions for consent.
  5. Data protection by design and by default: a company should ensure that user data is protected wherever it’s stored or displayed in the system. This can be achieved by applying encryption or tokenization techniques to every instance where personal data lives (documents, databases, spreadsheets). GDPR asks for appropriate “technical and organisational measures” to be applied. Security has to be assured in everyday operations: it’s worth re-evaluating who has access to which data, and whether rightfully so. For more, see Art. 32 Security of Processing.
  6. As per the GDPR definition, personal data is any information that can identify or trace a person: their name, numeric identifiers (social security number, tax id, passport number), biological data (DNA, biometric data – including photographs, videos), location data (home/work address, any tracing information), opinions and personal identity. It’s your company’s responsibility to protect this information*. This is further described in Art. 4 Definitions and Art. 9 Processing of special categories of personal data.
  7. The information to be provided at the time of data collection can be found here: Art. 13 Information to be provided where personal data are collected from the data subject.
  8. Breach notification: in case of a data breach, a company has 72 hours to notify the authorities – as per Art. 33 Notification of a personal data breach to the supervisory authority.
  9. Right to be forgotten: a user can request to be erased from a company’s records at any time. Note: some national / financial laws require data retention periods that have to be kept in place. This law is codified in Art. 17 Right to erasure (‘right to be forgotten’).
  10. Small companies are subject to the same laws as the big ones. The only difference is in auditing: there is no need to maintain a record of processing activities (see Art. 30 Records of processing activities).