25 May 2018: the new European GDPR framework is only a couple of months away. What will change for you as an SME, and how can you make sure you’re fully compliant with the new requirements?
This quick checklist will help you out.
Disclaimer: it’s key to emphasise that by implementing these listed actions, Teamleader doesn’t guarantee that a company acts 100% privacy-compliant. Teamleader offers purely tips and advice on the GDPR. As a result, this content is provided for informational purposes only and should not be relied upon as legal advice or to determine how the GDPR might apply to you and your organisation.
How SMEs should prepare for the GDPR
1. Know your data
To comply with the new legal framework, you’ll first need to understand the types of personal (e.g. names, addresses) and sensitive data (e.g. health details) you currently hold:
- Where does this information come from?
- How did you acquire it?
- How do you plan on using that data?
Organise internal audits of your data streams to map what’s in place, and what still needs to be adjusted to the new regulation. Be sure to have your legal documents reviewed by a legal professional and update them accordingly.
If you shared inaccurate or outdated personal data with another organisation, you’ll need to inform the other organisation about the inaccuracy - so it can correct its own records. That’s one of the main reasons to map what personal data you hold.
2. Ask for explicit consent to gather data
Under the new GDPR, consent for gathering data must be given freely, and must be specific, informed and unambiguous. Consent cannot come from silence, pre-ticked boxes or inactivity. This also means you’ll need to check how you’re currently asking for permission to gather data. In other words: revise your existing methods to ensure you meet the new GDPR standards.
The GDPR gives individuals specific rights to withdraw their consent. You need to inform people about this right, and offer easy ways to withdraw their consent at any time.
Consent will also be an important factor for any emails you send out. For commercial emails (e.g. a promotional offer or discount) to non-customers, you’ll need to add specific opt-in buttons so that people can confirm their subscription. If people have not given explicit consent, you won’t be allowed to send them commercial emails. Non-commercial emails (e.g. holiday greetings) or emails to existing customers will only require an opt-out (the option to unsubscribe from those emails).
3. Communicate how and why you’re collecting data
To your customers, you’ll need to communicate:
- how you’re collecting data;
- why you’re processing their data;
- how long you intend to store that data (you can’t hold data longer than strictly necessary).
You should document this information in your privacy declaration. This privacy declaration must at least make reference to the GDPR, and contain information about:
- which personal data is collected;
- how it is collected;
- the purpose of processing;
- the data retention period;
- the rights of the data subject;
- your complaint procedure;
- your data transfer process to third parties.
4. Train your employees
Organise internal information sessions to help co-workers grasp the impact of the GDPR on your business. Your awareness program should be an ongoing process that is reinforced regularly throughout the year, and that is documented for new hires that join later on as well.
Don’t forget to update documents and procedures for internal use, such as:
- Laptop, social media and internet policy
- Employment contract
- Work regulations
5. Show evidence of compliance
The GDPR framework requires you to show evidence that you’re complying with regulations:
- Identify the lawful basis for your processing activity
- Document your procedures
- Update your privacy notice
You should also modify your Terms and Conditions and/or the agreement concluded with your customers. Lastly, conclude a data processing agreement (DPA) with your data processors and, if needed, with their sub-processors.
Note: a data processor is any person (other than an employee of the data controller) who processes data on behalf of the data controller. Examples include payroll companies, accountants and market research companies. Cloud providers are also generally data processors.
6. Have a system in place to delete personal data
From May onwards, you should have a system in place to delete personal data once the legal retention period has passed, or when data subjects ask you to. People have the right to withdraw their consent at any given moment: the right to erasure (or the ‘right to be forgotten’) is a key principle of the GDPR.
More specifically, you will need to delete data if:
- The personal data is no longer necessary in relation to the purpose for which it was originally collected
- The data subject withdraws consent to processing (and there is no justification or legitimate interest for continued processing)
- Personal data has been unlawfully processed
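The three erasure grounds above can be turned into a scheduled retention sweep. The following is an added illustration, not Teamleader’s code; the record fields, the purpose names and the sample records are constructed assumptions, and each erasure decision carries its reason so the run can be logged as evidence of compliance.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class PersonalRecord:
    subject_id: str
    purpose: str                        # why the data was collected
    collected_on: date
    retention_days: int                 # retention period stated for this purpose
    consent_withdrawn: bool = False
    legitimate_interest: Optional[str] = None   # non-consent lawful basis, if any
    unlawfully_processed: bool = False


def erasure_reason(rec: PersonalRecord, today: date) -> Optional[str]:
    """Return the erasure ground that applies to rec, or None if it may be kept."""
    if rec.unlawfully_processed:
        return "unlawfully processed"
    # Withdrawn consent only forces erasure when no other lawful basis remains.
    if rec.consent_withdrawn and rec.legitimate_interest is None:
        return "consent withdrawn, no other lawful basis"
    if today > rec.collected_on + timedelta(days=rec.retention_days):
        return "retention period expired"
    return None


def retention_sweep(records: List[PersonalRecord], today: date
                    ) -> Tuple[List[PersonalRecord], List[Tuple[str, str, str]]]:
    """Split records into (kept, erased); erased entries are (subject, purpose, reason)."""
    kept, erased = [], []
    for rec in records:
        reason = erasure_reason(rec, today)
        if reason is None:
            kept.append(rec)
        else:
            erased.append((rec.subject_id, rec.purpose, reason))
    return kept, erased


# Constructed sample data, not real customer records.
SAMPLE = [
    PersonalRecord("s1", "invoicing", date(2017, 1, 10), 365 * 7),
    PersonalRecord("s2", "newsletter", date(2018, 2, 1), 365 * 2, consent_withdrawn=True),
    PersonalRecord("s3", "invoicing", date(2018, 2, 1), 365 * 7, consent_withdrawn=True,
                   legitimate_interest="legal obligation to keep invoices"),
    PersonalRecord("s4", "marketing", date(2015, 3, 3), 365 * 2),
    PersonalRecord("s5", "profiling", date(2018, 4, 4), 365, unlawfully_processed=True),
]

if __name__ == "__main__":
    kept, erased = retention_sweep(SAMPLE, date(2018, 5, 25))
    for entry in erased:
        print("erase", entry)
    print("kept:", [r.subject_id for r in kept])
```

Run on 25 May 2018, the sweep keeps s1 and s3 (invoices retained on a legal basis despite withdrawn consent) and erases s2, s4 and s5 with their respective reasons.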
7. Create a crisis management plan
Every business needs to have a data breach plan. Once a data breach occurs, you’ll have 72 hours to report it to the relevant data protection authority in your country and, in some cases, will need to inform the individuals involved. This timeframe could be even stricter in certain countries. This means you won’t have time to work out the steps to take once a breach actually occurs, so thinking ahead is key to avoiding legal penalties.
In preparation for the new framework, you should put procedures in place to detect, report and investigate incidents like these. Make sure the people you work with understand what personal data breaches are, and ensure processes are in place to detect red flags right away.
8. Manage access procedures
Your servers and the personal data you keep should be inaccessible to anyone without the right credentials. Also, data subjects will have the right to access all their personal data, rectify inaccuracies, object to processing in certain circumstances or have their data erased, all within a deadline of 30 days instead of 45 days.
If you handle a large number of access requests, consider developing ways to deal with those requests more quickly, and the implications this would have on your workload. You could check whether it’s feasible to develop a system for individuals to access their information online. That’s also what official GDPR bodies in most countries recommend.
9. Data protection for minors
May 25th 2018 will also introduce special protection for children’s personal data. The GDPR states children under the age of 16 can’t give lawful consent because they “may be less aware of the risks, consequences and safeguards” of sharing data. If your business offers online services to children and relies on consent to collect information on them, you’ll now need a parent or guardian’s consent in order to process their personal data lawfully.
Note: EU countries are allowed to lower this age limit to as low as 13. Belgium and France, for example, will change this age limit to 13.
10. Check whether you need a Data Protection Officer
You may need to assign an internal Data Protection Officer to oversee your strategy and compliance program. While this isn’t mandatory for the majority of SMEs, the Article 29 Working Party recommends that all businesses appoint someone as a matter of good practice.
You don’t have to hire a full-time employee per se: a DPO could also be an external consultant, or a co-worker taking on an extra role alongside their day-to-day responsibilities. But make sure that person has the knowledge, support and authority to carry out the DPO role effectively.