GDPR for SMB
General Data Protection Regulations:
Context: The more data gets combined and aggregated, the more substantial the personal data becomes and the more difficult it becomes to de-identify and the higher the risks and responsibilities.
Here we will look at the main GDPR focus areas to consider:
1) Personal Data (Information Audit, understand what you have and how it’s used)
Includes but not limited to:
Name, Address, unique identification numbers, Demographics, Behavioural data, Social data, Sensor data, User generated content, CCTV.
Although only concerned with personal data, even if the data is anonymized and can be tied back to an individual, then even this information can be deemed personal.
2) The 3 Data Definitions (Who has what responsibility for what data)
This is to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility.
1. The Data Subject: Your customer or your employee. This is who will be protected.
2. The Data Controller: Likely to be your business where you will be responsible for the data usage, how it's handled and what happens to it.
3. The Data Processor: The entity that processes personal data on behalf of the controller such as marketing, accounting, finance and HR services.
Going forward, prior to May 25 2018, you will need to ensure your General T&C’s (Subject), Employment Contracts (Controller) and any agreements with 3rd Parties (Processors).
3) Data accountability and protection (Ensure procedures are reviewed and updated)
The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
You will also be responsible for the data you hold and need to demonstrate that it complies to the Data Protection Authorities (DPA's).
You also need to make sure the Data Processors effectively protect your data.
4) Consent (Update all websites and legal documents and include checking systems/processes adhere to GDPR requirements)
You need to ask for permission, not forgiveness. Simple T&C's & plain language for how personal data will be used.
Data Subjects must be able to withdraw consent at any time, possibly using the same interface they use initially.
5) Fundamental Data Subject rights (Ensure all website T&C’s, agreement T&C’s as well as other legal documents are reviewed to adhere to GDPR)
1. Portability: Provide all data on a subject when requested in a portable format.
2. Access & Modification: Subjects must be able to access and modify their data.
3. Right to be forgotten: Subjects can request for their data to be erased.
6) Fine levels (IT provider: Cover data loss and data loss prevention, patching, breach detection and notification
The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
You should put procedures in place to effectively detect, report and investigate a personal data breach. You may wish to assess the types of personal data you hold and document where you would be required to notify the ICO or affected individuals if a breach occurred
• 10M EUR or 2% global turnover: Failure to comply with technical and organisational requirements such as impact assessments, breach, communications, and certifications (See articles 83(4))
• 20M EUR or 4% global turnover: Failure to adhere to core principles of data processing, infringement of personal rights, or the transfer of personal data to other countries or international organisations that do not ensure an adequate level of data protection (See article 83(5)).
“If Talktalk's data breach fine (£400k) was under GDPR, it could have been £70M”
7) Data Breach (IT Provider: compromised network flagging)
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
8) Data Protection Officers (DPO) (Full time, Service / Consultant or Voluntary DPO)
The DPO will be the Data Controllers and Processors who comply with data protection law and avoid the risks that organisations face when processing personal data.
Firms with over 250 employees must employ a Data Protection Officer (DPO). This person is responsible for ensuring that a business collects and secures personal data responsibly.
GDPR will also apply to small businesses under 250 employees if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in (See article 9)
9) Appropriate Training
There will be a requirement to provide 3 types of training regarding GDPR to make sure you have the bases covered:
1. Awareness raising and training of staff in processing operations
2. Data Protection Training to users who have permanent or regular access to personal data
3. Ongoing Monitoring of training and induction training
This is about keeping the general user awareness around Data and IT security and to build strong best practices with the users.