The amount of sensitive personal data in the cloud grows exponentially by the day. At the same time, companies around the world are held increasingly responsible for keeping it safe. If you are just getting started on tackling GDPR compliance, or tweaking a few things as you go along, you may be wondering just how relevant the GDPR is for small businesses in 2021. And the answer is simple: more than ever before. Why? For starters, the number of total reported GDPR fines more than doubled in 2020 from $139 million to $332 million, with an average of 331 breach notifications per day.
In other words, small businesses, just like their enterprise counterparts, need to stay on top of what the legislation requires if they want to be GDPR compliant. But with 99 articles in the General Data Protection Regulation and a whole lot of legalese to wade through, becoming GDPR compliant can be difficult and it’s easy to get overwhelmed. That’s why we put together this beginner’s guide to becoming GDPR compliant in 2021 – so you can set off on your compliance journey with ease.
On this page, you’ll find:
- The definition of GDPR and who needs to apply it.
- The 5 steps to becoming GDPR compliant.
- A FREE downloadable checklist for storing and sharing GDPR compliant files.
What is the GDPR exactly
The General Data Protection Regulation (GDPR) is the cornerstone EU data privacy law that went into effect May 25, 2018. It was implemented to give individuals more control over how their data is collected, used, and protected online. On top of that, it holds companies accountable for securing sensitive information with a set of strict rules that determine what they can and can’t do with personal data. Finally, it mandates the use of technological safeguards for protection, as well as robust and clear justifications for collecting personal data in the first place.
Who does the GDPR apply to
Even though the GDPR was created in Europe and is governed by the EU, it affects businesses all around the world. In essence, this legislation is applicable to any business that collects and processes personal data from EU citizens, regardless of the business’s physical location. It is as relevant for small businesses as it is for large enterprises, although there are some small exemptions here and there if your business has fewer than 250 employees. However, even if you have fewer than 250 employees, you still need to comply with the rules and regulations, as well as choose a data protection officer who will oversee how data is managed in your organization.
What happens to businesses that don’t comply with GDPR
Noncompliant businesses can face the following consequences: official reprimands from supervisory authorities, temporary or permanent bans on data processing, orders to restrict or delete data or suspend data transfers, and finally, significant fines. These heavy penalties can amount to up to 4 percent of global annual revenue or €20 million, whichever is higher. Then there are the consequences that follow a data breach or noncompliance incident, namely significant business loss and reputational damage that can take years to remedy.
How to become GDPR compliant: a step by step guide
1. Find out what data you collect - and secure it
The first (and arguably most important) step to becoming GDPR compliant is understanding what kind of data you collect and where it lives in your company. Before you can secure sensitive information, you must know where it is and what happens to it throughout its lifecycle: auditors will not accept ignorance as an excuse for non-compliance.
Depending on the size of your business, you may also need to establish a processing register which shows what personal data is processed, for what reasons, where it is kept and for how long, and what security measures are in place to protect it. The GDPR also requires the use of encryption and other technological safeguards for storing information, as well as a privacy-by-design mindset.
Learn more about different types of encryption:
What is Zero Knowledge Encryption and why you need it from the services you use
2. Time for a risk assessment
Next, you need to fill out a formal risk assessment called a Data Protection Impact Assessment (DPIA). This is particularly a must if your company’s data processing activities are considered high-risk and you want to be GDPR compliant. The DPIA serves two purposes: first, to identify and mitigate the data protection risks of your business activities; and second, to demonstrate your compliance efforts to regulators from the start. There is no specific style you have to follow, so you can use the ICO’s suggested template, develop your own version, or outsource the process to a third party if you like.
3. Write (or update) your policies
Now that you have a better idea of your company’s current state of compliance and your game plan for mitigating future risks, it’s time to update your privacy, consent, and cookie policies. Your policies must be written in a very straightforward and understandable way and be easily accessible to people. You also need to give individuals a clear way to opt out of providing their personal information if they would prefer not to, as well as the opportunity to request their data and ask that you delete it. Finally, it’s time to appoint a Data Protection Officer in your organization and communicate their name to the supervisory authority as the one responsible for managing these policies and overall compliance efforts.
4. Create an incident response plan
With the foundations of GDPR compliance in place, next you need to develop a solid incident response plan in case a data breach does occur. A data breach is the intentional or unintentional release of confidential information, which can happen for multiple reasons, such as cybercrime, human error, or technological faults.
As a small business, if a data breach occurs, you need to have detailed records of all events leading up to the breach that document how it was discovered, what you did to fix it, and how you will prevent similar breaches in the future. You also must notify the data protection authorities within 72 hours of finding out that a data breach has occurred. If the data breach could affect the individual freedoms of the data subjects, then you also need to inform them without delay.
* Note: if you are using an end-to-end encrypted file storage and sharing solution, then you won’t need to notify data protection authorities if there is a breach, because the information that was released is not legible. The GDPR considers end-to-end encryption to be a robust security method for making sure data is inaccessible to unauthorized parties.
5. Audit your service providers - and choose overcompliant ones
This is where a lot of businesses drop the ball, and it is an area that might even present the highest risk in your day-to-day operations. You need to go over your contracts with any third-party service providers (cloud storage tools, communication systems, payroll, and performance management software, to name a few) and sign data processing agreements which state that they have to manage your data according to your explicit instructions.
If they are not able to demonstrate their own GDPR compliance, this puts your business at risk, both in terms of GDPR compliance and cyber security. When prospecting new vendors, keep an eye out for software which puts security first and is private by design, as this will make compliance much easier in the future.
Related reading:
Safest cloud storage for business of 2021: 9 best solutions
Understanding GDPR is complex and compliance seems daunting, but by taking these first steps you’ll be well on your way to making sure your business can collect, store, and share information in a GDPR compliant way that protects both your customers and your business.