Most companies hate dealing with the GDPR, and we can understand why. The rules can be confusing, especially for smaller companies with no in-house legal staff.
The Danish data protection authority recently published a nice GDPR checklist for smaller businesses.
It is not meant as an exhaustive checklist but rather as a starting point to assess the compliance of your business. Still, the list contains some good tips and is well worth glancing over.
Let’s dive in!
- Have a clear picture
- Ask yourself: why do I have this data?
- Delete your data
- Provide information about the data you process
- Have sound, clear procedures for handling requests
- Take care of IT security
- You are responsible for sharing personal data
- Conclusions
Have a clear picture
The first step in complying with the GDPR is knowing what you do with your data. This is why the DPA recommends starting by asking yourself crucial questions:
- What personal data do I control and process?
- Whose data is it? Is it your employees/customers/users?
- Where are these data stored?
These questions may seem trivial, but they are not. Many companies only have a very vague idea of what data they handle and how, including larger ones (I’m looking at you, Meta).
Understanding your data processing is an indispensable first step towards compliance and a basic requirement for good data governance. This is why keeping a record of processing activities is a legal requirement for larger businesses under the GDPR (as well as smaller businesses that engage in somewhat higher-risk data processing).
Whether you are not required to keep a ROPA or not, you should have a clear overview of your data processing. A clear and accurate picture highlights possible compliance issues and opportunities to improve and streamline your data processing. It also helps to respond to access requests under the GDPR because you already know where the data is stored within your systems and how to retrieve it.
If you want to go a step further, you can map your data flows. We touched upon data mapping a while ago to give our readers a very general idea of what data maps look like and why they are useful for both compliance and data governance.
Ask yourself: why do I have this data?
Whenever you control personal data, you should ask yourself: Why do I have this data? If you find a good answer to the question, you probably have a legal basis under the GDPR.
Legal bases are a crucial notion we already discussed a while ago. The GDPR requires every processing of personal data to have a legal basis- essentially a legal justification of sorts. The GDPR offers six legal bases to choose from, such as consent, a contract, or a legal obligation.
The DPA summarized the available legal bases as simple questions you should ask yourself:
- Do I have the consent of the person the data refers to - the so-called data subject? (consent)
- Do I need the data to fulfill a contract with the data subject? (performance of a contract)
- Do I need the data to exercise a public authority or to pursue a task in the public interest? (public interest or public authority)
- Am I required by law to store these data? (legal obligation)
- Do I have another good reason to process the data? If so, can the processing cause harm or problems to the data subject? (legitimate interest)
(Yes, those are five questions- the legal basis of vital interest was left aside because its use is very exceptional)
Needless to say, things are more complex than that. Each legal basis has its own limitations and requirements. For instance, consent must be freely given, which rules out reliance on consent in some scenarios, such as processing employee data. Balancing legitimate interest is also more complicated than asking yourself whether you can harm someone by processing their data (you can check the UK ICO for more information about this).
That being said, compliance begins by asking the right questions, and the above ones make for a good starting point.
You should also know whether you are processing sensitive data or not. Sensitive data are very sensible types of data such as health data, ethnic origin, political beliefs, and data about someone’s sexual life and orientation (the complete list is found in Article 9 of GDPR).
Sensitive data receive special protection under the GDPR. Having a legal basis is not enough to lawfully process them because stricter rules apply compared to common personal data. If you process sensitive data, you may need professional advice on how to comply with privacy laws.
Delete your data
You should delete personal data as soon as they are not needed anymore. This is the storage limitation principle in a nutshell.
Deleting unnecessary data (and not collecting it in the first place!) is both a requirement under the GDPR and a good idea in general. Erasing unneeded data allows you to free up some storage space. It also keeps your archives smaller and tidier, making it easier to find the data when needed.
The GDPR does not allow you to keep data because it might be useful someday. Only collect and store the data you need now or in a specific and likely future scenario. Your DPA won’t let you store personal data for decades until we have some incredibly cool future AI to do incredibly cool things with.
Datatilsynet explains that there is no fixed data retention period under the GDPR. The decision is up to you because you know what data you need.
This does not mean that you can do whatever you want. If your data retention periods are unreasonable, you violate the storage limitation principle and could be held responsible by a privacy authority or a court.
Provide information about the data you process
If you control someone’s data, you must inform them that you are processing them. This is also the case when you just keep the data stored because storing data is a type of data processing under the GDPR.
Under the GDPR, you must provide some information:
- Company name and contact information (including the contact information for your data protection officer, if you have one)
- What data you are processing
- Why you are processing the data, and on what legal basis
- With whom you are sharing the information
- How long you will store the information
- What data rights the reader has, and how they can exercise them
The Datailsynet’s list is a nice and readable summary of what is required under Articles 13 and 14 of GDPR. This information is your privacy notice (often referred to as a privacy policy- although the two are not exactly the same).
You must provide your privacy notice in clear and accessible language. Leave legalese aside and explain to the reader what you do with their data, what rights they have, and how they can exercise them. This is trickier than it looks like, but it is a legal requirement.
A layered approach can help. A layered privacy notice features a first layer containing the most essential information in a very simple and readable form. This layer links to other pages or layers containing more in-depth information on specific topics- for instance, what safeguards you are implementing for data transfers, and what the data subject’s rights mean in practice.
Trying to cram all this information in one layer would make your privacy notice long and hard to read, so a layered notice can strike a nice balance between detail and accessibility- provided that you keep all the crucial info in the first layer.
Layered privacy notices are relatively easy to implement when you provide them online- think of the privacy notices on websites. In a different context, you can sometimes provide a short notice through other means and refer the reader to a web page for more information.
If you’re curious, our example cookie notice for Google Analytics can give you an idea of what a layered privacy notice looks like.
Have sound, clear procedures for handling requests
If you process someone’s data, they can exercise certain rights by forwarding a request to you. For instance, they may require access to their data, or they may require you to correct or delete it.
Procedures are very important for handling requests in both large and small organizations. In a smaller organization, requests are typically not handled by legal experts. Having a clear procedure in place for handling requests can clarify what the person responsible for handling requests is supposed to do.
(On a side note, smaller businesses may want to trust a single person with handling requests, as this makes it easier to keep track of them)
Larger organizations face different challenges. On the one hand, they typically have trained legal staff who know how requests should be handled. On the other hand, the same personal data are often processed by different teams and stored in different systems. So different teams need to work together to retrieve or erase data, and a clear procedure is crucial in ensuring coordination.
The Datatilsynet gives more good advice for handling requests. For instance, you should have a sound identification policy for access requests to ensure you don’t fall for impersonators attempting identity theft.
This is easier said than done, but as a rule of thumb, you should leverage personal data you already have whenever possible. For instance, if the request comes from a user of your website, you can ask them to provide their login details, and if they gave you their phone number beforehand, you can send them an authentication code to their phone. Do not ask for other personal information (such as ID) unless it’s strictly necessary.
Datatilsynet’s website contains more useful information on how to handle requests. If your Danish is not great, you can check out the UK ICO’s website as well.
Authorities deal with many cases around such requests, so we are not surprised to see them in Datatilsynet’s checklist. They are a common source of fines and legal troubles for organizations, so ensure you handle them correctly.
Take care of IT security
You must process other people’s data safely. To ensure this, you must worry about technical and organizational security.
Technical security is the stuff that comes to mind when people talk about IT security- firewalls, encryptions, backups, and so on. For small businesses, this can be simple but important things such as keeping all software up-to-date, ensuring a good antivirus and firewall are running, teaching the staff how to recognize phishing emails, and backing up the systems regularly.
On the other hand, organizational security is about regulating data access within the organization and ensuring that data can only be viewed by the staff members who actually need it. Smaller businesses probably don’t need a complicated authorization system.
However, it can still be a good idea to protect some data with a password or to create different accounts with different privileges on the same computer. The Datatilsynet suggests other important precautions, such as locking your screen when you leave your computer and ensuring that all data are erased from devices before you dispose of them.
Security obligations are proportional to the risks. You won’t need state-of-the-art data encryption if you only process billing information for your customers and employee data for their payrolls. On the other hand, organizations that process sensible data, such as medical or location data, can be held to higher security standards regardless of size and resources.
You are responsible for sharing personal data
You may want to share personal data for many reasons. Maybe you rely on a data processor for your email, HR software, or web analytics. Or maybe you want to share the data with someone else who will use it for its own ends- for instance, the way hospitals disclose data to research institutions.
Either way, you are responsible for the decision to share personal data. You must ensure that the data will be handled correctly after the disclosure and inform the people whose data you are sharing.
You also need to make sure that you are allowed to disclose the data in the first place. Go back to point number two and ask yourself: do I have a really good reason for disclosing the data?
Conclusions
That sounds like a lot to keep in mind. This is why critics of the GDPR say it places too big a burden on organizations, especially smaller ones.
There is some truth in this criticism. The GDPR tries to mitigate compliance burdens by limiting some compliance obligations to larger companies or cases where they are absolutely needed. Still, the rules are far from simple and can be tricky to deal with.
But some rules are needed. Processing personal data is inherently risky. A company should not stock and transport fuel without any safety standards. This is why there are safety regulations for these activities everywhere. The same goes for data processing: Right now, more and more governments worldwide are realizing the risks of handling personal data and setting privacy rules.
The best way to comply with these rules is not processing any personal data. But in most cases, this is simply not feasible.
The second best thing you can do is to keep data minimization in mind. We wrote about this already, and in a nutshell, data minimization means only collecting the data you really need. The less data you control, the less you need to worry about compliance.
We at Simple Analytics are very fond of data minimization. We built Simple Analytics to provide our clients with great analytics and insight without collecting personal data. This allows businesses to thrive while carrying out analytics in an ethical, privacy-friendly way. If this sounds good to you, feel free to give us a try!