The ultimate GDPR guide for protecting your small business

The GDPR is an extensive piece of legislation requiring organisations that store or otherwise process the personal data of individuals in the EU to abide by certain data protection rules and principles. Since the regulation came into force, companies must take the privacy of their customers’ data extremely seriously, or face a costly fine.

The GDPR applies to any organisation, no matter its size, and it also applies to businesses outside Europe when they offer goods or services to people in the EU or monitor their behaviour. Any information that relates to an identifiable person, even something as small as an email address, counts as personal data to which the GDPR applies. The process of becoming GDPR compliant might feel overwhelming for small businesses, but it doesn’t have to fill you with terror! Just follow these 7 steps, and you’ll be able to secure yourself, your business and its sensitive information.

7 ways to comply with GDPR for small businesses

  1. Know your legal basis for processing data

  2. Keep track of your processing activities

  3. Write the necessary GDPR policies

  4. Make your website compliant

  5. Keep data safe

  6. Incident response

  7. Help data subjects exercise their rights

1. Know your legal basis

You may have heard that you always need consent in order to process data, but consent is not the only legal basis your business can rely on. In fact, any one of six legal bases can be used, and it’s up to you to decide which one applies to each specific processing activity. For most (small) businesses, your lawful basis for processing personal data under the GDPR will be consent, performance of a contract or legitimate interest. Bear in mind that legitimate interest is not a free pass: you have to weigh your interest against the rights and reasonable expectations of the data subject, and write that balancing test down. For the other lawful bases under the GDPR, check out this explanation by the UK’s ICO: Lawful bases for processing.

If you rely on consent, there are a few requirements that you need to follow when obtaining consent from your data subjects. You have to ask for permission in advance of the processing activity, and the data subjects need to opt in, rather than opt out (a pre-ticked box or simply continuing to use the site does not count). Consent has to be specific to the purpose, and you have to make clear what data subjects are consenting to, so that they know what they are agreeing to and can withdraw their consent later as easily as they gave it. Keep a record of who consented, when and to what, because you will have to be able to prove it. Check out this website for more information on consent: General Data Protection Regulation, and read our article on The 7 elements of consent management next.

2. Keep a processing registry

Keeping track of your processing activities is an essential part of GDPR compliance for small businesses and large enterprises alike. It helps your business comply with the accountability principle: being able to demonstrate your compliance to your customers, your supply chain and the data protection authority. (The GDPR exempts organisations with fewer than 250 employees from keeping formal records in some cases, but not when the processing is more than occasional, is likely to pose a risk to data subjects or involves special categories of data, which means most businesses that process customer data should keep one anyway.)

Businesses should maintain a so-called processing registry that details what personal data is processed, how, why, who it is shared with, for how long it is kept and what security measures are in place. The lawful basis for processing personal data from the first GDPR top-tip should also be recorded in your processing registry, for each category of personal data your business processes. In order to fill out a processing registry, you will need to sit down (or stand up, a healthy work habit that we can get on board with!) with your colleagues to identify how your company deals with personal data. It’s a good idea to appoint one member of staff who is responsible for GDPR compliance, so you can keep an eye on your progress as well as have a clear point of contact for external questions.

3. The GDPR policies small businesses need to have

Apart from your processing registry, there are a few other GDPR policies small businesses need to have. We will go through those in detail in our upcoming article on the 7 GDPR policies small businesses need to have. Below, we briefly discuss the most (in)famous GDPR policies: the privacy policy and the cookie policy. (Of course, a cookie policy would be completely unnecessary if you don’t have a website or don’t use cookies on your website, so for the sake of this article, let’s assume that you have a website that uses cookies to process visitors’ personal data in some way.)

These policies, which you may keep as two separate policies or combine into one, are about transparency towards your (potential) customers and your supply chain with regard to your personal data processing activities. You can empower your data subjects through a clear privacy and cookie policy that not only informs them, but also tells them how they can exercise their rights with regard to their data, for instance through a so-called Subject Access Request, or SAR (more on that below).

Your privacy and cookie policy are designed to ensure that you abide by the law and that your data subjects know what you’re doing with their data, why you’re doing it, who has access to it and how long you keep it, and that all of the above is communicated to them in a way that’s easy to understand. Put these policies on your website where visitors can find them, and update them whenever your processing changes, to make sure you comply with the GDPR on this front.

4. Website consent management: Did somebody say cookies?

We mentioned cookies earlier, when we talked about your privacy and cookie policy as two of the most (in)famous GDPR policies small businesses should have. Having a cookie policy is not enough to make your business compliant on the cookie front. You also need a cookie banner in some way, shape or form.

What is a cookie banner?

In the same way that there are different types of cookies (chocolate-chip, macadamia, oatmeal-raisin), there are also different types of, well, cookies. Some are strictly necessary for the service the visitor asked for, like the session cookie that keeps a shopping basket together; those don’t need consent. Others, such as analytics or advertising cookies, are not essential, and many of them give your business (or a third party) access to your website visitors’ personal information. For those non-essential cookies, you need to obtain consent from your website visitors before the cookie is set, not after, and you can do that through a cookie banner. A banner that only says “by continuing you accept cookies” does not count as consent.

A great way of obtaining your website visitors’ consent is through a consent management platform that lets you personalise your cookie banner and the user’s experience, keeps a record of who consented to what and when, blocks non-essential cookies until consent is given, and lets visitors withdraw that consent as easily as they gave it. You can read all about consent management platforms in our article on The 7 elements of consent management, or have a look at this ICO cookie guidance in the meantime.
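To make the cookie-banner rules above concrete, here is an added example (not code from this article, and not any particular consent management platform’s code) of the logic behind a compliant banner: non-essential cookies are blocked until the visitor opts in, the decision is recorded with a policy version and timestamp, consent given under an older version of the cookie policy is treated as no consent so the banner is shown again, and withdrawal deletes the non-essential cookies already set. The three cookie categories, the cookie table (cookie name to category, as declared in your cookie policy), the consent cookie name and the version string are assumptions made for the example. MemoryCookieJar stands in for document.cookie so the logic runs outside a browser; BrowserCookieJar shows the browser wiring.

```javascript
// Added example, not code from the article or from any consent management platform.
// Assumptions: three cookie categories, a declared cookie table (name -> category),
// the consent-cookie name and the policy version below.

const CONSENT_COOKIE = "cookie_consent";
const POLICY_VERSION = "2024-01"; // assumed; bump whenever the cookie policy changes
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed categories

// In-memory cookie jar so the logic can run and be tested outside a browser.
class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  get(name) { return this.cookies.has(name) ? this.cookies.get(name) : null; }
  set(name, value) { this.cookies.set(name, value); }
  remove(name) { this.cookies.delete(name); }
}

// Browser-backed jar with the same interface (only usable where `document` exists).
class BrowserCookieJar {
  get(name) {
    for (const part of document.cookie.split("; ")) {
      const [k, ...rest] = part.split("=");
      if (k === name) return decodeURIComponent(rest.join("="));
    }
    return null;
  }
  set(name, value) {
    document.cookie = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax; Secure`;
  }
  remove(name) {
    document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
  }
}

class ConsentManager {
  // cookieTable: { cookieName: category }, i.e. the cookies declared in your cookie policy.
  constructor(jar, cookieTable, { version = POLICY_VERSION, now = () => Date.now() } = {}) {
    this.jar = jar;
    this.cookieTable = cookieTable;
    this.version = version;
    this.now = now;
  }

  // The stored decision, or null when there is none, it is unparseable, or it was
  // given under an older policy version (in which case the banner must be shown again).
  decision() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === null) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    return rec && rec.version === this.version ? rec : null;
  }

  // Opt-in: only categories the visitor explicitly chose become true; "necessary" is
  // always allowed because it needs no consent. Nothing is pre-ticked.
  grant(chosen) {
    for (const cat of chosen) {
      if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
    }
    const categories = {};
    for (const cat of CATEGORIES) {
      categories[cat] = cat === "necessary" || chosen.includes(cat);
    }
    const rec = { version: this.version, timestamp: this.now(), categories };
    this.jar.set(CONSENT_COOKIE, JSON.stringify(rec)); // the record of consent
    return rec;
  }

  // Withdrawal must be as easy as giving consent: record the refusal and delete every
  // non-essential cookie that was already set.
  withdraw() {
    const rec = this.grant([]);
    for (const [name, cat] of Object.entries(this.cookieTable)) {
      if (cat !== "necessary") this.jar.remove(name);
    }
    return rec;
  }

  allowed(category) {
    if (category === "necessary") return true;
    const d = this.decision();
    return d !== null && d.categories[category] === true;
  }

  // The gate every cookie write goes through: an undeclared cookie is a policy bug,
  // an unconsented one is refused (returns false) instead of being set.
  setCookie(name, value) {
    const category = this.cookieTable[name];
    if (category === undefined) throw new Error(`cookie not declared in cookie policy: ${name}`);
    if (!this.allowed(category)) return false;
    this.jar.set(name, value);
    return true;
  }
}
```

In a browser you would construct `new ConsentManager(new BrowserCookieJar(), cookieTable)`, show the banner whenever `decision()` returns null, call `grant([...])` with the boxes the visitor actually ticked (an “accept all” button passes every non-essential category, a “reject all” button passes an empty list), wire a permanently visible “cookie settings” link to `withdraw()`, and route every analytics or marketing script through `setCookie` rather than letting it write cookies directly. The version check is what keeps the record honest: change the cookie policy, bump `POLICY_VERSION`, and old consents stop counting.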

5. Keep personal data safe

Keeping personal data safe is not just good practice, it is a GDPR requirement: the regulation asks for appropriate technical and organisational measures that match the risk of your processing. But how do you go about it? We will take a crash course in privacy by design and get wise to the power of risk assessments.

What is privacy by design? Privacy by design (the GDPR calls it data protection by design and by default) is a principle that says you must incorporate (or ‘bake in’, to keep to our cookie analogy) privacy into your processing activities and business practices from the start, rather than bolting it on afterwards. This simply means that you have to take privacy into account in everything you do, whether it’s something technical like building a website or an app, or something we all do on a regular basis, like emailing. How can you incorporate privacy by design into your business? By, for instance, deciding not to send a document containing personal information via email, but instead using a secure sharing platform. Or by enabling full-disk encryption (basically a lock to which only you have the key) on your laptops, and encryption in transit and at rest in your app. Or by collecting only the data you actually need and deleting it when you no longer need it, which is what ‘by default’ means in practice. You will have to identify each area of your processing activities and business practices that might carry a risk for your data subjects and choose an appropriate measure to mitigate that risk. This is where a risk assessment comes into play.

What is a risk assessment and what’s in it for you?

A risk assessment is, as the name suggests, an assessment of what the potential risk might be for each processing activity and business practice that involves personal data from your data subjects. In this risk assessment, you make an informed decision on how big the risk to your business and to the data subjects is (how likely is something to go wrong, and how bad would it be for the people involved?), and choose measures to mitigate those risks. The GDPR expects your security measures to be proportionate to that risk, and for processing that is likely to be high-risk it requires a formal Data Protection Impact Assessment (DPIA), so carrying out a risk assessment is not optional. It will also help you implement privacy by design and general cybersecurity in your business. Win-win.

If you want to read more about privacy by design, check out this article: Data protection by design and default.

6. Incident response

As a small business, you’re legally required to be able to detect, record and report data breaches, which means you need a good incident response plan, as if you didn’t have enough to do already! But not to worry, we will tell you what to do in just one or two short paragraphs. When it comes to incident management in a small business, it is good to make a distinction between an incident and a data breach.

An incident is an event that impacts your communications or information processing systems, but does not necessarily impact personal data. A personal data breach is an incident that impacts the confidentiality, integrity or availability of personal data: a lost laptop with customer records on it, ransomware that encrypts your only copy of a customer database, or a customer list emailed to the wrong recipient all count. The GDPR is only concerned with personal data breaches. In order to be GDPR compliant as a small business when it comes to data breaches, you need to follow a few simple steps:

Keep detailed records of every breach, including the ones you don’t have to report: the events leading up to it, the way it was discovered, what measures have been taken to resolve it, whether or not it has impacted data subjects and the measures taken to prevent it from happening again in the future.

Unless the breach is unlikely to result in a risk to individuals’ rights and freedoms, you must notify your data protection authority within 72 hours of becoming aware of it, even if you don’t have all the details of the data breach yet; you can provide the remaining information in phases, and if you miss the 72 hours you have to explain the delay;

If the data breach is likely to result in a high risk to individuals’ rights and freedoms, you must also inform the affected data subjects themselves without undue delay, so that they can take precautions, such as changing a password.

7. Help data subjects exercise their rights

The other rights data subjects have are the r