TOP 5 steps to get started with GDPR compliance
GDPR compliance doesn’t have to be complicated. Get started with these 5 steps.
A research by GDPR.EU found that over 50% of SME’s were still not GDPR compliant as per May 2019. While the GDPR was mostly dreaded by (tech) giants, time has shown that the regulation is much more of a burden for small businesses. Most don’t have the budget to spend on data privacy and if there is some money available the priority usually is to put it into growth rather than something that is seen largely as an expense. Beyond lack of resources, business owners often don’t know what their responsibilities are and what they need to do.
The good news is, GDPR compliance doesn’t need to be complicated and expensive. Yes, you will need to invest your time and you won’t get around without spending anything, but it doesn’t have to cost the world. Plus, working on your data privacy operations most likely will allow you to increase efficiency in your operations and reduce risks.
We created a list of our TOP 5 steps you should take to get the groundwork done for GDPR compliance.
PLEASE NOTE: Following the 5 steps below won’t ensure you’re fully GDPR compliant and I’m not saying anywhere you will be. This list is to help you get started and build a solid base to work from with your privacy operations.
TINY SHOUTOUT: A tiny (and the only) promotion for our platform Palqee HERE. At Palqee our main goal is to offer Data Privacy Management tools that work for SME’s. Basic usage of all features is for free. You can get started with our Survey Manager. Please get in touch with me or through our website to learn more.
Now let’s get to it…
Step 1: Map out your data
The GDPR does make some exceptions here. If your business has fewer than 250 employees and your processing activities are not likely to create risk to the rights and freedoms of individuals (also called data subjects), you do not need to map out your data.
However, we highly recommend you to do it regardless. For the following reasons:
1) Mapping out and creating a record of your processing activities is the basis for almost everything else. Doing this will make all the other tasks easier for you. You will notice that when reading the next steps.
2) As you grow your business starting a data map from scratch will only get more complicated. Save your future self time and headaches.
3) The GDPR does give guidelines on what creating “risk to the rights and freedoms of data subjects” mean, such as whether or not you process large amounts of personal data on a regular basis (side note: anyone dealing with special data like medical information has to map out processing activities regardless of company size), but does not specify exactly what the threshold for “large amounts of data” is. Don’t guess and better be safe than sorry!
How do you map out your data and processing activities?
a) Decide on a format: Use what you feel most comfortable with — Excel, word, notepad.. whatever it is. We do recommend however that if you like hard copies to keep a digital copy too. This is to reduce risk of the hard copy getting lost and to be able to update it easily later on. There are lots of templates out there that you can use. The Information Commissioners’ Office (ICO), the Data Protection Authority in the UK, has shared an Excel template on their page to help you with this exercise. You can download it in the article here.
b) Write down your processes: Think about all the areas of the business where you process personal data AND for what purpose or reason. Make sure you include employee personal data as well. If you aren’t sure, speak to people in your company that know the department or area of your business well. E.g. do you track shopping behaviour of your clients for re-marketing, store candidates’ profiles for future reference, have CCTV in your shop to protect against shoplifting or analyse data from an IoT home device? Think about any personal data that relates directly and indirectly to an individual. Include information such as IP addresses and sensor data if you can connect the information with an individual.
c) Break it down: Once you’re confident that you wrote down all the processes in which you process personal data look closer and document the following:
- What data elements are processed in every process (e.g. name, age, gender, sensor data, location data, cctv footage, etc.)?
- Who’s data is it (e.g. Prospect, Client, Employee, etc.)?
- Who do you collect the data from (e.g. from individual directly, 3rd party?)
- What is the legal basis? If you’re unsure about this point, the ICO provides an overview here.
- Where do you store the data? On a local server or in the cloud? Maybe you use a system like Salesforce?
- Does the data “leave the country”? E.g. do the systems and products you use for the processing have their servers outside of the EU? If yes, where? Check their websites and privacy notices, usually you’ll find the information there.
- Who has access to the data? Think about who accesses the data and if there is a reason that person, company, entity need to access it.
- For how long do you keep the data? The GDPR requires to not keep data longer than needed for the specified process and purpose.
Step 2: Know your vendors and providers
Take a look at your data map. You should now easily be able to identify all external vendors and providers, such as software companies like Salesforce and cloud providers you may use but also businesses that fulfil services on your behalf, such as product shipping or your outsourced account management firm that manages all of your employees’ payments.
For each you need to have a Data Processing Agreement in place. As you decide what happens with the data, you need to agree and instruct the processor (your vendor/provider) on how to treat the data. This one isn’t optional for SME’s so here’s another very good reason to record and map out your processing activities to make sure you don’t forget anyone.
For big companies like the Amazons out there, it will be difficult to get a custom agreement. Those guys usually have a general Data Processing agreement on their websites or your account area. Download it and add it to your compliance records. For smaller vendors you work with, make sure you get a DPA signed. You can find a template agreement from gdpr.eu here. Store all of the agreements in a secure place and create a mechanism that will allow you to know if an agreement expires. It is your responsibility as data controller to keep them up to date.
Step 3: Know about data privacy rights and have a plan
As a resident of the EU you have certain rights when it comes to your data privacy. You have the (1) right to be informed, (2) right of access, (3) right of rectification, (4) right to be forgotten, (5) right of portability, (6) right to restrict processing, (7) right to objects and (8) right in relation to automated decision making and profiling.
In 90% of the cases you’ll deal with the first 4 and so this is what we’ll focus on. The right to be informed is largly covered in the next step “Step 4: Talk privacy with your stakeholders”.
The right of access is also often called a Data Subject Access Request (DSAR or SAR in short). It means that stakeholders can ask you any time to provide them with a report and the documents on all the personal data you hold about them and what you do with it, incl. excel files and even hard copies you have stored somewhere in the back of your office.
Right of rectification means an individual can ask for their data to be updated, maybe you have the wrong address or information about their age.
For the fourth one the name says it, right to be forgotten. Unless you have a legal reason that you need to keep certain data longer, an individual can ask for their data to be completely erased and you’re required to do so immediately.
I know I’m repeating myself, but again, your data map comes in really handy here. It will allow you to know at a glance where you have to look and go to, to respond to any of those requests. Instead of wondering what to do, the data map will tell you. This is already half of your plan. The other half is literally a document on which you note down steps you take to respond to each of those request. You need this for two reasons:
- When you receive a request you know what to do without freaking out
- You can show the required documentation in case the authorities knock on your door — which they could… whenever they want to
There is no need to make it unnecessarily complicated. A simple response guide that is easy for everyone to follow will do it. Save the report together with your other compliance documents so you know where to look when needed.
Step 4: Talk privacy with your stakeholders
Even if you don’t get 100% from the first steps right from the get go, make sure you talk to your stakeholders about why you access, use, process, collect, store, analyse etc. their data. Usually this is done with a privacy notice. You probably have seen many yourself already. They need to be made easily accessible and easy to read for an individual before using a service. E.g. before signing up for a newsletter, before installing an IoT home device and before entering a store (in this case probably a sign that indicates the store uses CCTV).
Unless you have legal expertise at your disposal, you’ll need to spend some money on this one. We also recommend you to not go with any of the free templates you can find online. A solid privacy notice needs a bit of investment, but it will let you sleep better at night and it’s a great way to help you build trust with your stakeholders.
Step 5: Register with the Information Commissioner’s Office (UK only)
This is the quickest and probably easiest step of all 5 and will take you about 15min. Step 5 is also only a requirement for companies based in the UK. You need to register with the Information Commissioner’s Office (ICO), the UK’s Data Protection Authority, and pay an annual fee. For the great majority of SME’s the fee is between £40 to £60 per year. So nothing too dramatic. Here the link to register and pay the fee.
This is it. The first 5 STEPS you should take to get GDPR compliant. Reach out if you have questions or contact me if you want to learn more about Palqee and how the platform can help you with GDPR compliance.