GDPR Guideline for Companies with less than 250 Employees

by | May 3, 2018

By now, most company owners will have heard more than they want to about the General Data Protection Regulation, commonly referred to as GDPR.

Since 25th May 2018, businesses that process personal data relating to data subjects in the European Union (EU) are subject to the General Data Protection Regulation (GDPR) regardless of their size or location. The likelihood is that most small companies maintaining a database of customers, employees, and/or business contacts will be required to comply with GDPR. Processing personal data means essentially any operation that is performed on personal data (storing, sharing, deleting, collecting, and modifying are some examples of data processing).

So, what does GDPR mean for companies with less than 250 employees? Practically the same as it does for large enterprises and organizations. If your business processes Personal Data or Personally Identifiable Information (PII) in the US (that is, data that can be used to identify specific individuals), the business is subject to the rules of GDPR – even where the data is manually maintained in a structured paper-based format. Due to the substantial potential penalties for breaches of GDPR, the safest option is to assume GDPR compliance will apply unless your business is not based in the EU and does not sell or plan to sell to data subjects in the EU.

The interesting thing for United Kingdom-based companies is that, while not remaining part of the EU bloc after 2019, these regulations also apply to them. Why? Because British companies will most likely continue to handle data of data subjects in the EU.

The GDPR outlines how personal data regarding data subjects in the European Union (EU) will be processed.

Some Definitions

A “Controller” under GDPR is the organisation or company that determines the purposes of the processing of personal data where a “processor” carries out the processing of the personal data on behalf of the “Controller”. A “processor” can further engage “sub-processors” and the “Controller” would have visibility and approval rights over these “sub-processors”.

The GDPR does not refer to data subjects or clients; the language that is used most consistently throughout the GDPR is “natural person” or “data subject”. The term ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). For the purpose of this article, data subjects, end clients or customers will be referred to as “data subjects”.

The term ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Article 4 of GDPR contains a full list of definitions.

Main Points of GDPR

Companies of all sizes must have a legal basis to process personal data. The company must also have a privacy policy or privacy notice, which means all people with whom the company works, trades and does business must be given a clear explanation of what data is being processed, how data obtained from them will be used and how that data will be stored. Companies must also outline how long they intend to keep the data they collect.

If, at any time, a company wishes to use collected data for some purpose not originally agreed upon, they must get new permission, or have a separate legal basis.

Companies and organisations must have the core data protection principles of GDPR entrenched in the organisation. As per Article 5 of GDPR, these are: Lawfulness, Fairness and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Integrity and Confidentiality; and Accountability.

What Happens if Companies Do Not Comply with GDPR?

If you think that your company can simply ignore the introduction of the GDPR and continue as before, well, think again. Any company that is found not to be complying with regulations of GDPR can be penalized with heavy fines, or a company may have to suspend or stop processing personal data. In fact, many companies are not yet ready for GDPR because they figure this legislation will not influence their company.

The truth is: If your company is based in the EU or is processing the personal data of individuals or data subjects in the GDPR regulation, then your company is affected by this legislation.

The following considerations may provide an indication of the most important tasks that will be needed for companies with less than 250 employees to be GDPR compliant:

Audit your data

Auditing the data your company holds will not be a trivial task, but it will enable you to make many informed decisions on how to comply with the GDPR.

Key questions to answer include locating where your data is stored; why certain kinds of personal data are being processed; what is the legal basis for processing; how long it is retained; who has access currently to personal data and who should have access moving forward; are the appropriate technical and organisational controls in place and how much duplication of customer personal data exists across multiple sites.

All these areas need to be addressed before you can decide on the best course of action for your company. This first step in creating a holistic view of where all the different types of your customer data reside is a critical one. If you don’t know what personal data you hold, you can’t make any plan around that data.

DPIAs, or Data Protection Impact Assessments, may need to be carried out by companies before new processing starts, to ensure that data protection by default and by design (a key GDPR concept) is in place and to examine any risks to data subjects around any new data processing. Most European data commissioners give guidance on their websites around DPIAs and when they should be carried out.

Audit your service providers

The task of auditing your service providers’ compliance is where a lot of US companies may fall flat and may be where the most significant risk resides in your company. You will need to review your agreements with third-party service providers who process personal data on your behalf and sign data processing agreements. The data controller is obliged to sign contracts under GDPR, and the data processor can only act on the Controller’s instructions.

If one of your data service providers is not able to prove that they are on the right side of GDPR compliance for US companies, then the work they do related to the personal data of your data subjects in the EU could be deemed non-compliant and put the controller at risk.

The right to be forgotten and other Data Subject Rights

The GDPR introduces two additional rights for people in the EU that are covered by the regulation: the right to be forgotten (erasure) and the right to portability of their data. The rights of data subjects are extensive under GDPR and are governed by Articles 12-22 of GDPR. Those rights also include the right of access (to receive a copy of their personal data), the right to rectification and restriction of processing, and the right to object to processing, including to automated processing and profiling.

These rights may lead to a significant increase in requests from data subjects in the European Union and companies and organisations must ensure they are set up and staffed correctly to deal with them.

Controllers and Processors

You will need to understand whether you fall into the category of a data processor or a data controller under the new GDPR guidelines. A data processor is a company that processes personal data on behalf of a controller. A data controller is a company that determines the purposes and means of how customer data is to be processed. Both Controllers and Processors have different implications concerning how they comply with the GDPR for US companies, and your company could be both a data controller and data processor at the same time.

To complicate matters even further, a data controller can have multiple data processors, and each processor in turn can have multiple sub-processors. Under the new Regulation, the data controller is liable for the actions of the data processors that they work with in the market. It is essential that US companies carefully select their data processors where the data of data subjects in the EU is being processed and sign data processing agreements with them. A data processing agreement should govern the relationship between a controller and a processor and, in turn, the processor’s sub-processors. The agreement should include all aspects of data protection governance, and Articles 28 and 82 of the GDPR detail what these agreements or contracts should cover.

GDPR Penalties and Fines

The new enforcement procedures and fines associated with GDPR compliance are perhaps the aspects which have most US corporate leaders sitting up and paying close attention.

The hefty penalties associated with non-compliance with GDPR could potentially reach into millions of dollars. Companies that do not comply will fall into one of two categories, and the higher of these could cost €20 million or 4% of the company’s annual turnover, whichever is higher. Apart from any financial penalties, data protection regulators have the power to order a company to cease processing.

Reputational Damage

It is highly likely that the first companies to be penalized for non-compliance will receive significant attention. The reputational damage to companies that do not comply with the new law could be more costly than the GDPR fines themselves.

It is very possible that some of your competitors will be preparing to use GDPR compliance as a competitive advantage to position themselves ahead in the marketplace.

Are you prepared to suffer the reputational damage that non-compliance could bring to your company? In the months and years ahead, data privacy could become the new arena for marketers to compete and win new customers, and your company should be preparing for that battle.

Data Protection Officer

In some cases, companies will need to recruit a Data Protection Officer (DPO). Article 37 of the GDPR sets out when a DPO is mandatory, and Article 38 explains the position of the DPO.

The GDPR is going to impact almost all operational teams within your company. Complying with the new regulation is going to require a lot of hard work, and it may be a best practice to centralize all the work under one person’s responsibility rather than having multiple data ‘chiefs’ within your company. If someone is accountable, then they take charge and put things into motion to achieve compliance.

A company with no establishment in the EU that regularly processes the personal data of EU data subjects may be required to appoint a representative based in the EU to facilitate contact with EU regulatory authorities and EU data subjects.

Data Breach Notification

If a data breach does occur, your company must report the event to the appropriate data protection authority within 72 hours of becoming aware of the event.

Each EU member state has its own data protection authority that will be responsible for implementing the GDPR rules. Where the data breach poses a high privacy risk, a high risk to the rights and freedoms of data subjects (your customers), then those customers must also be notified by your company.

Prepare for Data Breaches

You will need to review and update the internal processes that you currently have in place at your company to detect, report, and investigate data breaches once they happen so you can comply with the timeframe and rules set down by the GDPR and supervisory authorities.

Record of Processing, Legal Basis and Consent

You will need to document the record of processing as set out in GDPR Article 30, and understand and document the appropriate legal basis for processing of personal data. Understanding your legal basis should be part of the data audit. Where consent is the legal basis, for example for marketing lists, a company must be able to demonstrate how that consent was obtained. Consent should be granular, specific, freely given by an unambiguous affirmative action and as easy to withdraw as to give.

There is one exception in paragraph 5 of Article 30 of the GDPR which may apply to companies with less than 250 employees: it states that a company or organisation employing less than 250 persons may be exempt from maintaining records under Article 30. This exemption would only apply where the processing is only occasional, is not likely to result in a risk to the rights and freedoms of data subjects, and does not involve special categories of personal data or criminal data.

Your employees

While a large part of the GDPR regulation focuses on how companies look after their consumers’ data, your company will also have to apply the GDPR standards to employee data.

Staff must be informed of the new rules typically via a staff privacy policy and adequately trained to handle customer data and related requests under the new guidelines. The HR department will also have to review staff contracts, data storage, and other aspects relating to employee data to ensure internal data procedures are also compliant with the GDPR.

Data Retention Policy

A data retention policy is a key GDPR component and the documentation and accountability requirement under GDPR means that the retention policy of organisations and companies needs to be documented. To comply with the GDPR, it makes sense for organisations and companies to audit the data they hold, document a data retention policy considering their statutory requirements and regularly review their processing and personal data held in line with their retention policy. The GDPR brings a requirement to demonstrate extra accountability so the organisation or company must be able to demonstrate compliance.

Once you have an understanding of GDPR, you should conduct an audit of what data you collect from EU subjects, how it is processed, and how it is stored (and where it is stored if it is transferred outside the EU). You also need to consider how consent is obtained to collect and process the data, and what measures need to be put in place so EU citizens can request access to their data to correct it, prevent elements of it being processed, or request its deletion.

The next step for small companies is to conduct a data security risk assessment. This should reveal any vulnerabilities and weaknesses in your physical, technical, and administrative processes that need to be patched to avoid a data breach. Once policies have been created to fill the gaps in your data security, every employee in your company needs to be made aware of the policies and the importance of operating within GDPR.

Finally, you also need to check every company with whom you share PII is also GDPR compliant. If you collect the data of an EU subject, and the data is disclosed without authorization by a partner company, you may still be liable for the data breach. Although the breach may be no fault of your own, EU authorities will consider that you failed to conduct appropriately stringent due diligence on the companies you are sharing data with.

What about Article 30 Exemptions?

Article 30 of GDPR is about a data inventory record and provides one potential exception for organisations with less than 250 employees. This is a limited exemption which states that organisations with less than 250 employees may be exempt from maintaining a data inventory or record of processing activities. This exemption is a minor exemption and only applies to organisations with less than 250 employees in certain circumstances: where there is no processing that is likely to result in a risk to the rights and freedoms of data subjects, the processing is only occasional, and it excludes special categories of personal data and personal data related to criminal convictions. The full text of Article 30 is below. This limited exemption should by no means be interpreted by organisations with less than 250 employees as an authorisation to ignore overall GDPR compliance.

Article 30 states

Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

  • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
  • the categories of processing carried out on behalf of each controller;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.

The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

GDPR Compliance is Important for Companies with less than 250 employees

GDPR compliance is as important for companies with less than 250 employees as it is for large multi-national corporations. Consequently, many companies have chosen to appoint a Data Protection Officer (DPO) to address the GDPR requirements or appoint a consultancy company to get their GDPR preparations started before delegating the role to an existing employee. For further information about this option, please refer to our article “Do Small Companies Need to Appoint a DPO under GDPR?”

Enforcement actions have already started against non-compliant companies – even when a data breach has not occurred. In one of the first reported enforcement actions, a small hospital group in Portugal was fined €400,000 for not having adequate access controls, while a subsequent action was taken against a Canadian marketing company that targeted social media users and processed their Personal Data without having a legal basis to do so, or the users’ consent.

A lack of knowledge is not an adequate excuse for failing to be GDPR compliant. Every company from a sole trader to a multi-national corporation needs to look at how they process personal data whether they are a Controller or Processor, and make sure the processes and policies are in place around personal data. There also must be measures in place to facilitate data access requests and procedures in place to identify and report a data breach should one occur. Putting in place appropriate technical and organisational measures to keep data safe and secure is key also.

We have seen earlier that there is an exemption under Article 30 for companies with less than 250 employees. This should be seen as a very limited exemption, as when performing any data audit it would be necessary to record the processing somewhere, and the Article 30 requirements are arguably as good as any.


Michael Cryan

Michael Cryan has a deep understanding of and expertise in the General Data Protection Regulation (GDPR). Michael is the go-to authority when it comes to navigating the complexities of data protection. As a certified Data Protection Officer (DPO), Michael possesses in-depth knowledge of GDPR requirements and its practical implementation across various industries. His meticulous approach and attention to detail ensure that organizations can safeguard sensitive information and maintain the highest standards of data privacy. His comprehensive understanding of the regulation enables him to provide invaluable insights and guidance to organizations seeking compliance. You can connect with Michael via LinkedIn.
