Alex Bradley, Univers Labs
Published May 3, 2018 (4 min read)
GDPR: Its role in small business

With GDPR coming into effect as of 25th May 2018, companies have found themselves frantically scrambling to meet the new European data protection regulations. For large organisations with disposable resources, and in some cases whole departments dedicated to data protection and privacy, the new laws are not so much an obstacle to be conquered as a mere inconvenience. Smaller companies, however, who can’t afford the luxury of time and resources, may find implementing these new policies a daunting prospect.

So what exactly is GDPR?
The law primarily applies to all EU member countries and the companies that reside within them or have dealings with those that do. It sets out guidelines that aim to protect the individual, also known as the data subject, rather than the organisation. Its primary focus is on personal data and in particular ‘sensitive’ data relating to the individual. It aims to allow data subjects to gain greater control over information held about them and create a more uniform regulation, spanning international business across the EU.

How can smaller companies cope with the new demands?
The best approach for smaller organisations to comply would be that of ‘compliance by default.’ It is considered the backbone of the regulation and the recommended method of compliance. In short, a company that implements simple steps into their normal working routine such as ‘Data Protection Impact Assessments’ and ‘Data Flow Mapping,’ and remedies any causes for concern raised by these, should be well on its way to compliance.

Smaller companies may be at a distinct disadvantage, especially when you consider the hefty fines that can accompany non-compliance (up to 4% of global turnover). However, the ICO does recognise this fact. Thus, organisations with 250 employees or fewer do not require the appointment of a Data Protection Officer (DPO) unless they process large-scale data or data that is highly sensitive. The ICO is also likely to be more lenient, recognising that smaller companies pose less of a risk to data protection.

Dispelling the myths
At first glance, there seems to be a wealth of new training opportunities and qualifications available, that would certify the owner as a GDPR professional. In fact, there are no recognised GDPR qualifications. These new training opportunities are created merely by companies seizing an opportunity and jumping on the GDPR bandwagon, capitalising on people not ‘in the know.’ There are plenty of information tools available online such as FREE webinars on YouTube and through the Information Commissioner’s Office (ICO):

https://ico.org.uk/for-organisations/business/

GDPR checklist
The checklist below is by no means exhaustive but should give smaller organisations a starting point for their research:

  • Data processor or controller — Simply put, the controller dictates how data can be processed and therefore incurs more significant responsibility for it. The processor uses the data as prescribed by the controller but both are ultimately responsible for data protection.
  • Conditions for processing — Specific requirements must be met to process data fairly. Justified, legal or contractual obligations are all good reasons for processing.
  • Compliance by default — This is achievable if the following get incorporated into an organisation’s regular practice: Data Protection Impact Assessments (DPIAs), Data Flow Mapping, data audits and Data Breach Action Plans.
  • Consent — The data regulation defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
  • Right to erasure — Data subjects have the right to request that data held about them be permanently and correctly disposed of.
  • Subject access requests — Data subjects can request that any and all information held about their person be disclosed to them free of charge.
  • Third party compliance — Companies must establish the working practices of their counterparts and ensure they also meet the new standards of GDPR.
  • Data retention — Data must be relevant and required.

Redefining the jargon
As a development company, it is essential for us to reinterpret these rules to apply them to our everyday practices. Right to erasure becomes right to deletion from the system. Conditions for processing becomes stored data marked as restricted and only opened upon user consent. A subject access request becomes an ‘export data’ button, allowing the user to receive all information held about them with one click. Consent checkboxes will no longer be sufficient. Instead, individual boxes for each activity will be required.

Production data should be anonymised for testing and staging servers, to protect the innocent, of course. Knowing the encryption status of routes to and from third-party databases, servers and clouds, and their data protection methods, is of vital importance and can be achieved with a simple data flow map depicting how the data will travel and where it will be stored. It is these reinterpretations that will lift the ‘cloud,’ pardon the pun, on GDPR and allow for a smooth transition.
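The four reinterpretations above (per-activity consent, an export-data action, deletion from the system, and an anonymised copy for staging) can be sketched in code. The following is an added example written for this article, not Univers Labs’ own code; the `DataStore`, `PersonalRecord` and purpose names are constructed for illustration, as is the sample record.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Activities a subject can consent to individually. Constructed for this
# example; a real system would derive these from its data flow map.
PURPOSES = ("service_emails", "marketing", "analytics")


@dataclass
class PersonalRecord:
    subject_id: str
    name: str
    email: str
    notes: str = ""                                # free text, may contain anything the user typed
    consents: dict = field(default_factory=dict)   # purpose -> (granted, ISO timestamp)


class DataStore:
    """In-memory stand-in for the application database (constructed for the example)."""

    def __init__(self):
        self._records = {}

    def add(self, record):
        self._records[record.subject_id] = record

    def all_records(self):
        return list(self._records.values())

    def count(self):
        return len(self._records)

    # Consent: one checkbox per activity, never a single bundled "I agree".
    # Unknown purposes are rejected so a typo cannot grant anything.
    def record_consent(self, subject_id, purpose, granted):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        ts = datetime.now(timezone.utc).isoformat()
        self._records[subject_id].consents[purpose] = (bool(granted), ts)

    # Conditions for processing: stored data stays "restricted" until the subject
    # opted in to this specific purpose. Absent or unknown consent counts as refusal.
    def can_process(self, subject_id, purpose):
        rec = self._records.get(subject_id)
        if rec is None:
            return False
        granted, _ = rec.consents.get(purpose, (False, None))
        return granted

    # Subject access request: the "export data" button. Everything held about the
    # person, in a machine-readable form, or None if nothing is held.
    def export_subject_data(self, subject_id):
        rec = self._records.get(subject_id)
        if rec is None:
            return None
        return json.dumps(asdict(rec), indent=2, sort_keys=True)

    # Right to erasure: delete the record (consents included) and return only a
    # keyed-hash receipt, so the deletion can be evidenced without keeping the id.
    def erase_subject(self, subject_id, receipt_key):
        if subject_id not in self._records:
            return None
        del self._records[subject_id]
        return hmac.new(receipt_key, subject_id.encode(), hashlib.sha256).hexdigest()


# Staging/test copy of production data: direct identifiers are replaced with
# keyed-hash pseudonyms (rows still join consistently) and free text is dropped.
# Caveat: while the staging key exists this is pseudonymisation, not anonymisation;
# destroy the key once the copy is made so it cannot be linked back to real people.
def anonymise_for_staging(records, staging_key):
    out = []
    for rec in records:
        pseudo = hmac.new(staging_key, rec.subject_id.encode(), hashlib.sha256).hexdigest()[:16]
        out.append(PersonalRecord(
            subject_id=pseudo,
            name=f"subject-{pseudo[:6]}",
            email=f"{pseudo}@example.invalid",   # reserved TLD: cannot deliver mail
            notes="",                            # free text is the riskiest field; drop it
            consents=dict(rec.consents),         # flags and timestamps are not identifying
        ))
    return out


if __name__ == "__main__":
    store = DataStore()
    store.add(PersonalRecord("u-1001", "Ada Example", "ada@example.com", notes="called about invoice"))
    store.record_consent("u-1001", "service_emails", True)
    print("marketing allowed:", store.can_process("u-1001", "marketing"))   # False: no consent given
    print(store.export_subject_data("u-1001"))
    print(anonymise_for_staging(store.all_records(), b"staging-only-key")[0])
    print("erasure receipt:", store.erase_subject("u-1001", b"receipt-key"))
```

The point of the design is that each of the article’s reinterpretations maps to one method, and refusal is the default: a purpose with no recorded consent is not processable, and an erased subject has nothing left to export.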

Author — Alex Bradley
