The 6 GDPR “need to knows” for small businesses

18 May 2018

Much research has been dedicated to the upheavals needed to be ready for the May 25 GDPR deadline, with a report revealing only 21% of UK SME bosses are "very confident" that they understand all the regulations that apply to them.

Our recent report reveals one in four deem complying with legislation to be the current biggest challenge. But looking ahead to GDPR, it’s important to remember that this is actually an evolution, rather than a revolution: building on the current Data Protection Directive of 1995, rather than overhauling it.

Bosses need to understand the new requirements of GDPR, and review and update their own processes. The level of impact of the new regulation will depend on the sector a business works within, and how personal data is used. So as the deadline approaches, here is a checklist for small businesses.

1. Know your data protection definitions

Many of the key definitions under existing data protection laws will remain the same under GDPR: for example, “personal data”, “sensitive personal data”, “controller” and “processor”. A good understanding of these terms is a great place to start.

There are, however, some notable differences. Importantly, “processors” (organisations that perform a task on another organisation’s personal data as a service provider) will be given legal obligations for the first time. Small business bosses should understand the distinction between when they are acting as a controller and when they are acting as a processor, and be aware of their obligations where they do act as a processor.

SMEs should also note that GDPR makes no distinction between private and business activity; if an organisation deals with unincorporated businesses such as sole traders or partnerships, their data will be personal data, just like any data relating to shareholders and directors at incorporated companies.

2. Know your grounds for processing

Just as under previous standards, businesses must have lawful grounds for processing data, and it’s critical that small businesses understand what these are. Obtaining consent from the data subject is not the only grounds an organisation can use to process personal data; sometimes, it’s not the most appropriate either.

Small businesses may be able to use the “legitimate business interest” ground when data is used in a way that individuals would reasonably expect, has minimal privacy impact, or where there is a compelling justification for the processing. SMEs could use the ground that the processing is necessary to deliver a contract that an individual wants to enter into.

Carefully consider grounds for holding data and be able to justify it if ever called upon to do so. Whatever grounds for processing a business relies on, it will need to be communicated clearly through a privacy notice.

3. Know what rights your data subjects have

Data subject rights aren’t a new phenomenon, but in some cases they will be expanded under GDPR, so it’s important to be aware of these obligations. To manage data subject rights efficiently, focus on correct and detailed fair processing notices, streamlining subject access requests and efficient procedures to manage “rectify and erasure” requests.

There is also an important change in emphasis when it comes to processing data under grounds of legitimate business interest. Previously, a data subject could only demand that data be deleted if they provided “compelling legitimate grounds”; however, under GDPR the data subject can object at any time, and it will be down to the controller to provide compelling legitimate grounds for processing the data.

Finally, small businesses should note an alteration to the process for responding to a subject access request (SAR) – a request from an individual for the information a business holds on them. Under GDPR a business will have 28 days, rather than 40 days, to respond, so SMEs must have robust internal processes in place.

4. Know your cyber security

Cyber security is a growing risk for small businesses. Two thirds were hacked between 2014 and 2016, according to the FSB. SMEs in every sector will use data in a variety of ways, both internally and for the delivery of external services like personalised communications. Information security is key to mitigating the risk of data breaches and to ensuring a business is compliant.

GDPR includes obligations for businesses to carry out a privacy risk assessment to determine the level of risk of a particular activity, meaning that businesses will need to fully assess data processing activities to identify any that are high risk. Using this assessment, a small business can mitigate risks and take steps to protect data.

5. Know when to notify authorities of a breach

All organisations controlling personal data within the EU will be under a legal obligation to notify local data protection authorities after suffering a data breach that could cause harm to data subjects. The deadline for this is 72 hours.

Small businesses should conduct a review of current data security processes, to ensure the ability to identify a breach quickly, limit its impact and escalate the incident internally within that time.

6. Know your international data transfers

It won’t always apply for SMEs, but it is important to understand the rules applying to transferring data outside of the EU – including within the same company. There are Binding Corporate Rules, a mechanism for covering intra-company transfers around the world, which now have a legislative basis for the first time. These rules will be important for SMEs operating across borders.

Overall, GDPR is a positive and progressive change. Data will be a key driver for growth, and this legislation will ensure that the data businesses hold is protected and used consistently. It is a great opportunity for small businesses to overhaul data management strategy. Remember that GDPR is an evolution, not a revolution – and could even be a great opportunity.

Nicola Howell is senior compliance and privacy attorney at Dun & Bradstreet