How to Comply with GDPR as a Small Business
Business owners already have a lot on their plate. As such, compliance with GDPR for small businesses may feel like another hurdle to overcome. But with the right IT and data processes in place, it’s relatively easy to stay compliant.
When the regulation was first introduced, there was a lot of confusion, with many small businesses assuming that it did not apply to them.
But the fact is that all organisations need to comply with GDPR, not just large multinationals. Even if your business is outside of the European Union, the rules still apply (more on that later).
In this article, we’ll explain exactly what GDPR is and why GDPR for small businesses is so important, as well as offering advice on how you can comply with it.
What is GDPR exactly?
The GDPR (General Data Protection Regulation) came into effect in May 2018 as a way to strengthen and protect the data rights of EU citizens.
It ensures that organisations are transparent about the data they collect from individuals. It gives these individuals the option to review or amend their data and in some cases, to challenge how it has been used.
Companies can still collect personal data; they just need to be clear about their purpose for collecting it. This way, consumers can decide whether or not to grant them permission. Another aspect of this regulation is security.
All organisations must implement adequate security measures to protect any personal data they collect. This means all data needs to be kept secure and not left at risk of breaches or misuse. In addition, in the event of a security breach or incident, this must be disclosed to the individuals affected. All businesses use data in some form, yet GDPR for small businesses can be a lot trickier to navigate.
But the UK will soon no longer be part of the EU – does it matter?
Put simply, yes. It matters.
On the same day that GDPR came into effect, the UK government revised the UK DPA (Data Protection Act) 2018. As such, the UK GDPR (United Kingdom General Data Protection Regulation) is also in effect.
This means that the GDPR is now part of UK law.
Although the DPA contains a few clarifications and minor differences, in essence it’s practically the same. This is because the UK version was lifted directly from the EU version.
So any instance where it reads ‘Union’ or ‘European Union’ now reads ‘United Kingdom’, and the UK GDPR replaces any reference to ‘EU law’ with ‘domestic law’.
For small businesses looking to keep abreast of GDPR, you can view all revisions in this keeling schedule. This is an unofficial document which directly highlights changes to the legislation.
Even though your business might be in the UK, if your business covers the EU or you want to process the data of EU residents, the EU GDPR still applies. This is because the regulation itself is location based.
So it’s imperative for all businesses to ensure they’re following the rules and maintaining GDPR compliance, which is why GDPR for small businesses is so very crucial.
What is considered ‘personal data’?
Any information that can be used to identify a living person is personal data. This includes:
- Names and surnames
- Email address
- Home address
- IP (Internet Protocol) address
- Location
- Numbers on identification cards or other official documents
However, there’s a category of personal data that is considered ‘sensitive’. This information, if breached, can be incredibly damaging. As such, GDPR puts extra emphasis on ensuring that organisations protect this information with even more stringent security measures.
Data classed as ‘sensitive’ includes:
- Race or ethnic origin
- Religious or philosophical belief
- Political leanings
- Trade union membership
- Genetic data
- Biometric data (when solely being used to identify someone)
Sensitive data must be kept separate, and if it’s held physically it needs to be locked away. As a general rule, personal data should always be encrypted.
Ideally, it should only be kept on portable devices too, as fixed locations pose more risk.
Another thing to consider is that lots of individual pieces of data can collectively identify a person. As such, when combined, these individual pieces of data constitute personal data under both GDPR and the UK DPA.
In fact, the IT Governance blog suggests that you think of it like a giant version of the popular Hasbro game, Guess Who?
For a small business that’s only just getting to grips with its own data storage processes, GDPR and the UK’s revised Data Protection Act pose additional challenges.
But, it’s crucial that business owners take GDPR compliance seriously.
Why GDPR Compliance For Small Businesses Is So Important
First, it’s important to understand the consequence of breaching users’ data and violating the GDPR.
On one hand, there’s the ethical standpoint.
Generally speaking, people are becoming savvier about data protection and they’re worried about it. In fact, it’s becoming common for many to actively seek out information about how their data is processed.
There are even free online resources such as Have I Been Pwned (HIBP). Resources like this are dedicated to helping users assess whether their data has been compromised or is at risk.
Personal data breaches that affect your customers or clients may cause them to lose trust in your organisation. As such, they can be incredibly harmful to the reputation of your business and can be a PR disaster.
As a small business, your reputation has yet to be tarnished, and you’ll want to keep it that way in order to keep attracting new leads or customers.
On the other hand, ethical and reputational considerations aside, there are also the hefty fines. No company wants to pay fines which eat into its profits, and the fines for violating GDPR are absolutely huge!
The penalty for violating the GDPR is a fine of €20 million (that’s almost £18 million) or 4% of your global revenue. Even worse, this isn’t an either/or situation where you can choose: you must pay whichever is higher. Furthermore, affected data subjects also have the right to sue you or seek compensation for damages.
So if you’re a small business, just one fine could be enough to destroy everything you’ve worked so hard to build.
The Importance Of Consent
Contrary to what you might think, GDPR rules don’t actually require businesses to obtain consent before using personal data. However, this only applies if you are using it for a specific business purpose.
That said, the EU has outlined six legal bases in Article 6 of the GDPR, and consent is one of these. Article 6 states:
“Processing shall be lawful only if and to the extent that at least one of [the 6 legal bases] applies”.
We recommend that you take a look at Article 6 for more clarification on how to process data lawfully. However, the crux of it is that all businesses must identify a legal basis for processing data.
If you are in a position where you do require consent, the individual in question must give it through a clear and affirmative action. Otherwise, their consent is invalid.
As such, resist the urge to pre-tick boxes, even if it might make things easier for your customer. Never do anything that looks as though you’re trying to hide something.
The key is transparency.
Valid consent or affirmative action extends to consent provided on paper too. Other examples include adding opt-in buttons or links, and allowing users to choose their own technical and marketing preferences. It’s about giving them the choice.
The Right To Access Information
Another aspect of GDPR for small businesses to consider is the right to access information.
The Freedom of Information Act (FOI) exists so that UK citizens have the right to see what recorded information the public authorities hold about them.
However, under both UK law and the GDPR, anyone has the right to review and amend their own personal data. Furthermore, they can ask for this information at any time.
This process is known as a DSAR, or data subject access request. Once an organisation receives a DSAR, it has just 4 weeks to respond to the request.
A note on data breach compliance
It is essential that you report any data breaches that occur within your organisation within 72 hours of becoming aware of them. This applies to any situation where accidental or intentional destruction of personal data has occurred.
It ranges from cyber attacks to an employee accidentally disclosing unauthorised information, to data loss or alteration of personal data without consent. A breach of data protection even extends to forgetting to do something simple, such as password-protecting sensitive documents or online databases.
In the UK, the supervisory authority that data breaches must be reported to is the Information Commissioner’s Office (ICO).
Evidently, the GDPR and UK DPA legislation aren’t likely to go away anytime soon. Therefore, it’s absolutely essential that your small business is GDPR compliant.
Fortunately, we’ve compiled a list of things you can do to ensure you comply with GDPR.
How To Comply: GDPR For Small Businesses
Below is some advice on how your business can effectively comply with the GDPR and the DPA.
1. Always get consent
As a small business, when dealing with data, always get consent. Whether it belongs to employees, customers or external contractors doesn’t matter. A good mantra to have is “if in doubt, seek consent”.
Consent means providing people with a genuine choice. It also means they have full control over how you use their data. GDPR states that consent must also be freely given.
If consent is not freely given, it’s invalid and you have violated the GDPR.
For example, imagine you are a small business that sells electronic goods.
A customer is purchasing a 4K flat screen TV.
At checkout, you ask your customer to consent to their details being shared with other third-party electronic goods providers. In doing so, you may think you are getting their consent.
However, this is not classed as valid consent, because you have made consent part of your sales process when in fact sharing data is not necessary for the consumer to buy a product.
That said, you can still share their details with third parties. However, you must give them a clear, affirmative and free choice to opt in or opt out.
Sometimes sharing may be necessary, for instance if you use a separate courier or delivery company to ship their TV. This is necessary to fulfil their order. There is a lawful basis in this case, so consent is valid.
Another thing to take into consideration is reusing data.
Just because you have consent to use data for one purpose doesn’t mean this extends to use elsewhere. For example, your business may have permission to use a customer’s email address to send them confirmation of their order.
This doesn’t mean you can use this email address to send them future marketing emails, unless they have given you express permission to do so.
2. Train your employees well
Train your team so that they all understand GDPR. With a wealth of training courses out there, you can ensure your staff don’t mistakenly breach your customers’ data.
Don’t cut corners when it comes to training either; ensure all employees are compliant.
After all, it’s not just up to your internal IT department to be “in the know” when it comes to GDPR and other security issues.
For example, your HR team should also understand GDPR and be ready to respond to personal information requests, as well as handle employee data safely and securely.
Of course, there’s no one-size-fits-all approach to training as every business is different. That said, this is where small businesses can thrive. Fewer employees means that your training can be more detailed and hands-on. As a result, as a small business owner, you can feel more confident that your staff have understood.
That said, being a small business is a double-edged sword: you are also likely to have fewer resources. As a result, training options may be limited or more costly due to per-person pricing.
However, this is where an IT consultancy could help. For example, Micro Pro’s expert services provide GDPR assistance for small businesses with an audit and risk assessment. We ensure that all of your existing processes and systems are secure and able to uphold data integrity and offer protection.
In addition, we can provide your employees with training where appropriate. As a result, your staff will be in a better position to adhere to current guidelines and recognise threats, lessening the occurrence of phishing, social engineering, malicious emails and other cyber attacks.
Of course, you can always outsource your IT entirely so that it is managed by experts.
3. Regularly monitor and audit your process
A large part of GDPR compliance relies on your business’s ability to keep data secure.
IT security and cyber security are essential in order to protect your assets, whether informational, digital or physical. Consider the fact that the IT and technology landscape as a whole is constantly in flux. Due to its ever-changing nature, it’s important to keep up to date and regularly monitor and audit your IT security processes.
Regular monitoring and audits will search for any vulnerabilities that exist, so having a solid process in place is essential. An in-house IT team may understand IT security in general, but it’s a good idea to hire the expertise of an IT security specialist.
An IT security strategist can work with your business to plan, create and implement the right strategies. In fact, Micro Pro offers extensive IT security and cyber security audits and reviews.
As well as identifying vulnerabilities in your IT systems and infrastructure, we can implement strategies to protect your business against cyber attacks and data breaches.
Our robust security audits cover every aspect of your infrastructure, from servers and networks to computers and phone systems. After we’ve thoroughly analysed and audited your business, we’ll provide you with a full written report and actionable steps.
4. Enable two-factor or multi-factor authentication
Even if you change your password regularly, passwords are easily compromised. Two-factor and multi-factor authentication provide additional security measures. We briefly discussed multi-factor authentication and two-factor authentication in our IT security guide for small businesses.
Put simply, multi-factor authentication (MFA) is an authentication method that grants access to a website or application only upon the presentation of at least two factors.
In most cases, one of these factors will be something only that particular user knows, such as a password, along with one or more factors which only that user possesses.
Two-factor authentication (2FA) is a subset of MFA. This method requires exactly two factors to verify a user’s claimed identity. Ordinarily, this will be a password and one additional factor.
If there weren’t already enough acronyms for you to remember, there’s also SSO, or single sign-on. SSO permits users to provide a single set of login credentials that cover access to multiple applications.
For example, Google implements SSO across its applications so that a single login grants users access to all of them.
SSO can simplify your password management, reduce security risks and even increase productivity, as your employees don’t have to remember or refer to multiple passwords to undertake everyday tasks.
Fortunately, at Micro Pro, we can assist you with 2FA, MFA and SSO processes.
In addition, if you’re not sure which authentication method is right for your business, we’ll advise you, giving you extra peace of mind and extra security.
5. Ensure your IT infrastructure is secure and that you understand it
GDPR aside, ensuring your servers, data storage and other infrastructure are secure should be a top priority, as should regularly reviewing and auditing them.
Of course, reviewing your existing IT infrastructure to ensure it’s secure and compliant is all well and good. However, you can only avoid data mishaps or accidental GDPR breaches if you understand your infrastructure.
For example, can you name which systems you use that collect and store your employee or customer information? If yes, well done. However, many small businesses are unaware of how data moves through their network.
In fact, according to an EU GDPR for Small Businesses survey from 2019, roughly half of small businesses believe their organisation to be 100% compliant.
Not only that, but when asked more specific compliance questions about their infrastructure, they gave answers which suggested they had no understanding at all, with seven respondents stating “Reddit” as the provider of their end-to-end encryption service!
Don’t let it catch you by surprise. Try to understand how you store your data and how you use it across your entire infrastructure.
If you really can’t make head or tail of it, you can always call in experts: consider IT consultancy services. An expert IT consultant can explain things in plain language and help you to understand.
GDPR for Small Businesses: Does Your Business Need GDPR and IT Security Assistance?
At Micro Pro, we’re experts in explaining GDPR for small businesses and helping to keep them GDPR compliant. We keep businesses safe from hackers by monitoring suspicious activity and regularly auditing IT security.
If your small business needs GDPR training, we can support you and your staff.
We provide IT security strategies to protect your business and its data from all possible threats. With over 20 years of expertise, we can plan and implement solid security solutions. This covers cyber security, multi-factor authentication, encryption, augmented anti-virus protection, and much more.
Plus, we can even audit your existing IT infrastructure to assess what you need to do to stay compliant. As a result of a security audit and review, we’ll provide your business with a full written report and advise you on your next steps. Micro Pro is here to plan and implement a robust strategy that will keep your business safe and keep you compliant in the future.
Why not get in touch to find out more? We’d be more than happy to talk you through it all.