According to every statistic I’ve read, there is still a huge chunk of business owners who have not even read the GDPR yet, let alone done anything about it. To be clear: no matter the size of your business, you have to comply.
For example, Core Concept Security Ltd. (my company) is very small, but even I have to pay a ‘Data Protection Fee’ and sort out my contracts and privacy notices. What I DON’T have to do is:
- Designate a data protection officer (DPO) – Article 37, because I meet none of the criteria in 37(1)(a-c); or
- Produce a ‘record of processing’ – Article 30, because my company has fewer than 250 employees and I do not meet any of the 30(5) criteria.
I know all of this because I HAVE read the GDPR, I HAVE sorted out my contracts and privacy notices, and I HAVE paid my data protection fee. There is no excuse I have heard to date for EVERY other small business not to do the same.
Follow these steps, and you’ll have done the most important thing imaginable: something.
- READ THE GDPR! – As I’ve said over and over again, there is no reason for everyone, especially business owners, not to have read it at least once. It does affect you, and the consequences for ignoring it can be severe. Ignorance is not an excuse for disobeying the LAW;
- Pay your Data Protection Fee (if applicable) – This is a no-brainer: just go here (or your country’s equivalent), Data Protection fee: A guide for data controllers, take the self-assessment, and pay the applicable fee. The ICO are already handing out fines for not paying this fee;
- Determine if you need a DPO – This one is simple: do you meet any of the criteria laid out in 37(1)(a-c)? If yes, follow the ICO’s guidance, ‘Data Protection Officers’;
- Determine if you need to maintain a Record of Processing – A little more complicated, but the criteria in Article 30(5) are fairly clear with the exception of “processing is not occasional”. I work on one contract at a time, so I consider this ‘occasional processing’, but if processing data IS your business then you’ll have to record it. Explained in detail in the ICO’s ‘How do we document our processing activities?’
- Data Processing Agreements (if applicable): If you are in business you have clients, and you may or may not have suppliers. Wherever you use a processor, or act as one for a client, Article 28 requires a written contract that sets out the processing, so depending on the nature of your business you will likely need to add an addendum to all of your existing contracts. Type “sample data processing agreement gdpr” into Google and you’ll get over 12 million hits. One of these free samples will be good enough for your business with a little tweaking, or you can buy some established templates;
- Update your Privacy Notice and Cookie Policies on your Website – While cookie rules come from the ePrivacy regime (PECR in the UK today, with the ePrivacy Regulation still upcoming) rather than the GDPR itself, you can still get ahead of the game. Go to https://ico.org.uk/global/privacy-notice/ and https://ico.org.uk/global/cookies/, copy what they have written into a Word document and make any necessary changes/additions/deletions. If these are good enough for the ICO, they are good enough for the rest of us. While having an initial pop-up banner that allows you to fully manage your cookie preferences is a nice-to-have, it is not mandatory. You will still need to be very clear, up front and in plain language, about what you’re doing, but this can be a function of your web page, not necessarily a paid-for plugin or third-party service;
- Document your Technical and Organisational Security Measures (Article 32) – A lot to ask for from most businesses, but you can never claim to have taken data protection seriously unless you can demonstrate appropriate data security. In my article GDPR: Reporting Your “Technical and Organisational Security Measures” I have broken this down. It will be too much for very small organisations, but you need to understand at least the language and do what parts you can (especially policies);
- Keep Reading! – The GDPR has been enforceable since 25 May 2018, eight months ago as I write this, and the ICO has updated its guidance almost daily since. Subscribe to the ICO’s feeds and stay up to date with the evolving requirements.
I have spent £0 on achieving [self-‘certified’] GDPR ‘compliance’ for my business, but have spent a hell of a lot of time learning how to go about it. You don’t need to go as crazy as I did, there is plenty of appropriate free guidance out there, but you still have to go get it.
Don’t do nothing; that’s really the only thing that will get you into serious trouble.