How To Adapt Your Company to the Requirements of the General Data Protection Regulation and Avoid Trouble?
As of 25th of May, the General Data Protection Regulation (GDPR) sets out requirements for all entrepreneurs and self-employed persons targeting EU citizens.
The regulation aims to improve the personal data protection of EU citizens. Even though the control mechanisms are not yet clear, the expected fines are drastic: 4% of turnover, or up to 20 million euros.
What does GDPR establish? And what can small entrepreneurs do to make sure their business complies with GDPR? We prepared a brief summary for you.
Whom Does GDPR Apply To?
GDPR applies to any person, either entrepreneur or self-employed, who processes (uses) the personal data of EU citizens (data subjects). Personal data is any information that permits lawful identification of a specific person. GDPR applies to anyone who is entering into contracts with individuals, issuing invoices or using any personal data, such as name, surname, contact information, date of birth, etc., in any other way. The regulation also applies to the personal data of contracted employees.
Essentially, all entrepreneurs use personal data, as it is impossible to enter into a contract or issue an invoice without it.
What Does GDPR Establish?
GDPR establishes certain rights for EU citizens who provide their personal data when, for instance, applying for services or making purchases, and certain responsibilities for the people processing (using) this data.
Under GDPR, people with rights in regard to their personal data are called data subjects.
Introducing clear, transparent and available data processing principles
If your company has several employees, you need to develop the company’s internal data processing rules that set out mandatory requirements for the company and its employees. This document will serve as the company’s guidelines for complying with GDPR and establish the responsibilities of the employees processing data. It doesn’t matter if it’s one or several A4 pages, as long as it includes the key information. After reading this article, you will be able to develop such rules for your company on your own.
The document or page containing data processing principles should include answers to the following questions:
- What data are collected?
- What purposes are these data used for? (Order processing, product delivery, accounting.)
- Who else has access to the collected data? (An accounting firm.)
- In what cases can data be shared with third parties (and which parties)? (Partners, law enforcement authorities, protection of the company’s interests, etc.)
- How are data stored and protected? (In a Mozello or Google cloud.)
- How long are data retained for?
- What are the rights of data subjects? (See below.)
The information should be well-structured and presented in plain language, avoiding legal jargon.
To do: develop your company’s data processing rules and data processing principles relating to customers and publish them on your website or include them in your contracts. When in doubt, consult a lawyer.
Obtaining mandatory consent for data processing from users
From now on, you can’t collect any personal data without the user’s consent, given by a clear affirmative act such as signing, ticking a box or stating orally that they agree to the processing of their personal data according to your data processing principles. Moreover, you have to be able to demonstrate this consent. Pre-ticked boxes or automatic consent to the processing of data are unacceptable.
To do: make sure your online store and/or contracts ask customers to consent to data processing.
Avoiding excessive data (data that have no legal grounds for processing)
You can only request data that are necessary for fulfilling customers’ requests or legal requirements, such as issuing an invoice or delivering goods.
For instance, making the provision of date of birth, sex or identification number mandatory when completing purchases online is forbidden.
Remember: if you hold data that you have no legal grounds to process, you need to delete such data.
Avoiding additional activities that users have not separately consented to
If a user has not separately opted in to receiving e-mails that are not part of service or product delivery, you are not allowed to send such e-mails.
So, if your company is selling handbags, you can send your customers the respective invoice and purchase details, but you are not allowed to send them special offers later on if they have not consented to it by ticking a box or filling out a form for receiving special offers.
Remember: if you want to continue sending out marketing e-mails, make calls about special offers or perform any other such activities, you have to ask your customers for separate consent first and record when and how that consent was given, because you might have to demonstrate it.
No mandatory or automated consent for secondary data processing purposes
Data processing activities that are not related to the main purpose of processing, such as purchasing goods or services, cannot be included in the data processing policy as mandatory.
For example, if you are selling a handbag, you cannot ask the customer to automatically consent to receiving special offers. This consent has to be obtained separately.
Storing data only for as long as it is necessary for the data processing purpose the consent was given for
Data should not be stored for longer than necessary for the data processing purpose, such as delivery of goods or services and preparation of the respective accounting documents. When the customer’s / data subject’s data is no longer necessary, it has to be deleted.
To do: delete all data of customers that you are no longer providing services to. Delete all accounting data as soon as they are no longer necessary according to law. Organise your accounting records and identify documents that can be deleted. Organise databases and customer registers and delete the excess data that is no longer needed.
Ensuring adequate security of data processing
Personal data should be stored with adequate security measures in place. For instance, customer databases, contracts, contact information or any other information containing personal data should not be stored unencrypted on a computer that is not password protected. Also, all accounts and devices should have secure passwords and reasonable data security measures in place.
To do: there is nothing simple about IT and ensuring bank-level data security is nigh impossible for small entrepreneurs; however, you should take care of data security to the best of your ability and avoid mistakes that could be interpreted as gross negligence. If necessary, hire a data security officer.
Mandatory notification of data leakage
Notifying data subjects about any data leakage is mandatory. For instance, if the data processor’s server has been broken into, or the computer containing customer contracts or the folder containing customers’ contact information has been lost, you have to notify the individuals whose data might have been leaked within 72 hours.
Remember: if you have lost the personal data of customers, you have to notify them within 72 hours.
Keeping data up to date and accurate
It is the responsibility of the data processor to ensure that customers’ personal data is accurate and up to date. Customers have to be given the opportunity to verify and update their personal data held by the processor.
In most cases, data quality won’t be a problem, as customers will request changes as soon as they notice any inaccuracies, but you should be aware that this is a possibility.
Respecting the rights of data subjects
According to GDPR, data subjects have several rights, which include:
- Right to access personal data – data subjects may request access to their personal data, as well as full information on when, where, how and why their personal data are stored and used.
- Right to rectify personal data – data subjects may request the rectification of their personal data.
- Right to be forgotten – data subjects may request the deletion of their data, and such requests must be respected unless they contradict the law.
- Right to restrict processing – data subjects may request that their data be retained but no longer used.
- Right to object to data processing – data subjects may object to the processing of their personal data.
- Right to withdraw consent – data subjects may withdraw their consent to data processing; furthermore, it shall be as easy to withdraw as to give consent.
- Other rights under GDPR.
Remember: it is good practice to inform customers of these rights by including them in your data processing principles, and to make sure your company is able to honour them in practice.
Checklist: What Can Small Entrepreneurs Do?
It all sounds like a bureaucratic nightmare. Where do I begin? What do I do?
Roll up your sleeves and take it step by step. Here’s a short checklist:
1. Make a list of
- individuals whose data you collect (such as customers, employees, etc.)
- personal data you request
- personal data you store
- data storage locations (such as computer, cloud, e-mail, server, USB stick, etc.)
- partners you share the data with (such as accounting firms, suppliers, etc.)
2. Delete the data you no longer need.
3. Stop requesting and processing data without legal grounds.
4. Make sure that all data storage locations are sufficiently secure.
5. Develop the company’s internal data processing rules in accordance with the requirements of GDPR and familiarise all employees with access to personal data with this document.
6. Develop the company’s data processing policy according to the above-mentioned GDPR requirements and publish it on your website.
7. Make sure that you obtain consent from data subjects (such as ticking a mandatory box when making online purchases).
8. Inform customers, employees and partners about changes in data processing.
9. Obtain separate consent from customers in regard to secondary data processing purposes, such as receiving marketing e-mails. If such consent is not obtained, you have to stop secondary data processing activities after 25 May 2018.
Even though we are not lawyers and this article cannot be considered legal advice, based on common sense, the above-mentioned principles and activities are the main things you have to be aware of in order to prepare your small business for GDPR. Considering that GDPR is a rather complicated bureaucratic document that permits various interpretations and is not completely unambiguous even to experts, we cannot promise that the above-mentioned information will be enough, but it will definitely be a good starting point for GDPR compliance.
For more information, visit the official GDPR website.