In our previous articles, we’ve looked at some of the background and the basic principles behind the new EU General Data Protection Regulation, or GDPR.
In this, the start of a series of follow-up articles, we will look at the specific steps that you can take to make your small business GDPR compliant.
We’re going to break this down into four actionable steps:
- Determine what ‘personal data’ your business handles
- Identify in some detail what you do with that data
- Determine whether your current use of the data would be considered lawful under the GDPR
- Implement a plan to ensure ongoing compliance with the regulation
1. What ‘personal data’ do we process?
Perhaps the most important part of the process of making your business GDPR compliant is understanding your use of personal data in the first place. It’s very much in your interest to get a real grip on the concept of what constitutes personal data before you progress to the next steps – after all, this is not a process that you will want to have to repeat unnecessarily.
In our article on identifying ‘personal data’, you will discover that the GDPR’s definition is very broad – almost certainly broader than a normal everyday interpretation – and therefore it’s probably wise to start from the position of assuming that all data relating to an individual is going to be considered as ‘personal data’ unless you specifically determine otherwise.
We’ll look at a suggested process of how to audit your business for personal data, and then use that information as the starting point, not only for the next steps in becoming GDPR compliant, but also as part of your ongoing process for demonstrating your compliance.
2. What do we do with that personal data?
Once you’ve established the types of information your business collects and processes that are likely to be considered ‘personal data’ under the GDPR, the next stage is to fully understand what your business does with that data.
- Where is it stored?
- How is it stored?
- Who has access to it?
- How long do you keep it?
- And so on
It’s only when you can confidently state how your business processes data that you can go on to ensure that the processing of that data is lawful under the GDPR.
3. Is our processing of this data ‘lawful’ under the GDPR?
The GDPR is quite clear that you must have a legitimate ‘lawful basis’ for processing people’s personal data.
The regulation goes on to list six different categories – effectively the acceptable grounds for processing the data – and you will need to ensure that, for every different type of personal data you process, you can point to one (or more) of these lawful bases that legitimises the way you are processing that data.
Conceptually, some are obvious – most notably, that you have the data subject’s specific consent to process that data. But be warned, there are some hoops to pass through before any consent is seen as valid, so don’t think it’s an easy way out. Sometimes, it will be in your business’s interest to demonstrate another lawful basis for processing data.
In our article on determining the lawful basis for processing your data, we will look at what we consider to be the lawful bases that small businesses are most likely to rely upon, as well as the pitfalls to avoid.
4. A plan for ongoing GDPR compliance
We strongly recommend that you don’t look at this as a one-off ‘box ticking’ exercise. GDPR compliance is going to be a mindset challenge for a lot of small businesses, because one of the key objectives of the new regulation is to encourage ‘privacy by design’ – i.e. building privacy considerations into all of your business processes from the outset.
It’s this type of planning that will not only help you towards GDPR compliance, but also towards operating a more streamlined, credible business more generally.