Small businesses: GDPR affects you, too
Don’t think that just because you’re not a behemoth, they won’t see you
The EU’s General Data Protection Regulation (GDPR) comes into force on 25 May 2018, bringing a strict new set of rules on privacy and data security and steep penalties for violators. Enterprises are having a tough enough time coping with it. How will small businesses, with fewer in-house IT and legal resources, fare?
GDPR applies to anyone holding personal data on people in the EU, including companies based outside Europe. A survey of 1,350 companies around the world by cybersecurity consulting firm NTT this spring found that many of them have no idea about this yet. You might forgive those overseas for not understanding that they are also affected, but even Europeans seemed unaware. The Brits were the worst: only 39% of UK companies realised that they were subject to the regulation.
The nitty gritty
So what does GDPR mean in practice, and what must small businesses do to get ahead of it? GDPR is a sprawling document, hundreds of pages long, but it changes requirements or creates new ones in several key areas.
One of the big concepts that GDPR reshapes is consent. Companies already need consent to process someone’s data on that basis, but until now they only had to ask once, and that covered all uses.
Not any more. GDPR’s ‘unbundled’ consent means getting separate permission to use customer data for different purposes, such as marketing, maintenance, fraud checks and support. Record-keeping is also stricter: businesses must be able to demonstrate that consent was given, so they need to record what was agreed to, when and how.
Nor can service providers assume consent by pre-ticking boxes and making people untick them: consent must be a clear affirmative act. Where consent is sought as part of a written document such as a contract, the request must be clearly distinguishable from the other terms.
Right to erasure
Any consent a customer gives isn’t forever, either; it can be withdrawn as easily as it was given. A related change under GDPR is the right to erasure (sometimes called the ‘right to be forgotten’). Where a company relied on consent to process someone’s data and that consent is withdrawn, or the data is no longer needed for the purpose it was collected for, the individual can require the company to delete the information it holds about them.
Those who believe their data is inaccurate can also ask for its processing to be restricted instead of requesting deletion, essentially freezing it while the dispute is resolved.
On a related note, customers might just ask for a copy of their data rather than its deletion. Upon request, a data controller (the company that decides why and how customers’ data is processed) must confirm whether it processes an individual’s personal data and provide a copy of it. Under the separate right to data portability, data the individual provided must be supplied in a structured, commonly used, machine-readable format so that they can send it to another provider if they like.
GDPR also requires organizations to provide supporting information as part of this process, including the categories of data they hold and the purposes for processing it. All of this must happen within a month of the request (extendable by a further two months for complex or numerous requests, provided the individual is told why).
Portability and erasure could be tricky issues in a small business for both technical and organizational reasons. Firstly, small firms may not have the formalised processes for handling data that larger companies do. If your customer data is scattered across a selection of network folders, databases and individual PCs, you’ll have a tough time retrieving all of it for one customer. Now imagine getting ten requests in a week.
The other issue is that GDPR’s third-party rules are more likely to bite SMBs. A small company without a large, well-funded IT department is likely to rely more on third-party data handling services than a larger company that can build things in-house. If services like cloud-based backup, third-party order processing, outsourced customer support or SaaS application providers are storing and processing your customers’ data, that makes them ‘data processors’ in GDPR parlance.
A request to delete or reproduce customer data affects data processors’ systems, too. GDPR requires a written contract between controller and processor, so small businesses will need to clarify their contracts with service providers, along with the processes for handling customer requests.
Data governance obligations
For years, experts have lamented a key failing in cybersecurity: security mechanisms bolted on after the fact rather than considered at the design stage. The GDPR has specific provisions promoting privacy and security as design principles.
Organizations must implement technical and organizational measures showing that their data processing follows the principle of data protection by design and by default. GDPR specifically mentions encryption and pseudonymisation (processing personal data so that it can no longer be attributed to a specific person without additional information that is kept separately and protected) as examples of measures that help achieve these goals.
If a small business has been winging it without a grown-up IT department, they’ll need to source this technical expertise from somewhere to tackle these GDPR requirements.
Personnel and procedural changes
While these requirements impose a hefty technology burden on companies, other measures have a greater effect on organizational structure. The GDPR requires data protection impact assessments (DPIAs) for processing the Regulation defines as high-risk, such as systematic, large-scale monitoring of individuals. Organizations must also introduce audits and policy reviews to continually assess their privacy compliance.
This means that GDPR is not a one-time, fire-and-forget project. A data protection officer (DPO) is mandatory only for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, such as health records. Even if that doesn’t describe your small business, you still need someone at the steering wheel who is responsible for pushing all these security policies and procedures through.
Data breach notification
Finally, data breach notification becomes mandatory under the GDPR. Small businesses shouldn’t assume this doesn’t apply to them because they think they’re unlikely to be hit. Firstly, all companies are fair game. Secondly, regulators will expect a documented procedure for notifying the supervisory authority within 72 hours of becoming aware of a breach that is likely to put individuals at risk, and for telling affected individuals directly when that risk is high.
Think that Brexit will rescue UK small businesses from all this hassle? Not so fast. The UK will fall under GDPR long before it leaves the EU, and in any case the UK needs to demonstrate equivalent rules if the EU is to keep exchanging data with it. This is one motivation for an impending national law, the Data Protection Bill, which will implement GDPR’s rules locally.
Gearing up for GDPR
So there’s a big burden for small businesses to carry – probably far more than they can cope with using the in-house resources available. Where should they begin?
The Information Commissioner’s Office (ICO) in the UK has created a helpful guide that lists the various steps that organizations should go through to ensure that they are ready for May 2018. Here are some of the important steps, aggregated and condensed for small business readers:
Assess data holdings
Audit the data you already hold and the data held on your behalf by third parties. This is a crucial step, so bring in a consultant to help you if you don’t have an internal data czar.
Review privacy communication, legal frameworks, and approach to consent
Assess how you communicate privacy information to data subjects, and document the legal basis for what you’re doing with their personal data. You will need to explain this legal justification to individuals whose data you handle. Evaluate what you obtain consent for, and how you get it. Make any changes to systems and processes necessary to follow the new rules.
Review ability to handle subject access requests
Check existing procedures (and the technology that supports them) to see how you will cover individuals’ new rights under GDPR such as the right to erasure and the ability to port data. Prepare yourself to handle their requests for data access. Consider providing online options to avoid this becoming a manual drain on your time.
Revise approach to children’s data
The GDPR strengthens protection for children: online services offered to children need a parent or guardian’s consent to process the personal data of anyone under 16 (member states may lower this threshold to 13). Document your processes for collecting data from children, and adjust them as necessary.
Prepare for data breaches
Ensure that you have the procedures in place to detect and investigate a data breach, and also to report it.
Review system privacy and introduce impact assessments
Examine existing systems that process high-risk data, and ensure that their design is based on sound privacy principles. Conduct data protection impact assessments for these systems to ensure that they support the requirements laid out in the GDPR.
Consider a data protection officer
Many organizations will need to appoint a data protection officer to oversee ongoing privacy arrangements. Check whether you meet the criteria, and hire one or engage an external consultant if necessary.
Small businesses are generally resource-constrained and have less margin for error than large enterprises, which often have a bigger cashflow buffer for tackling wide-reaching challenges like GDPR. Getting external help would be a good idea for a smaller firm wanting to toe the line. With less than a year to go, that isn’t a phone call you should put off any longer.
This article was supported by Dell.