As a business owner, you understand the importance of keeping your company in compliance with laws and regulations. One of the most significant of these is the General Data Protection Regulation (GDPR). GDPR compliance is not only a legal requirement, but it's also essential for building trust with your customers and protecting your business's reputation.
Whether you're a small business owner or the head of a large organization, our Essential Business Owner's Handbook will help you master GDPR compliance. By following our advice, you'll not only protect your business from legal repercussions but also build trust with your customers and improve your reputation in the marketplace.
GDPR is short for "General Data Protection Regulation." It's a regulation that governs access to and use of personal data. It's been adopted by all member states of the European Union and is considered the strictest in the world.
Immediately, let's note that this act applies not just to EU-based companies and individuals, but also to foreign companies doing business in the EU. are processed
You have to comply with GDPR whether you're from the U.S., China, or Europe.
The basis for GDPR was the European Convention on Human Rights. It guarantees everyone the right to respect their privacy and family life. However, technological advancements, such as the development of the Internet - showed that those provisions had become insufficient, so a new document was made.
The GDPR came into effect in May 2018. While it covers a lot of ground, the provisions were written in a way that was easy to understand for the average person. Still, we think a few things need clarification - especially from the perspective of business owners.
First, let's discuss some of GDPR's uses. Keep in mind that this is just a small part of GDPR.
The data controller determines how and why personal data is processed. In addition, they're responsible for protecting personal data and processing it internally. Data controllers are usually companies - sole proprietorships or partnerships.
Data Processors process data on behalf of Data Controllers. Data Processors are usually external companies, but sometimes you'll encounter groups of companies where one company processes data for another. A data processor can only process data that's been directly entrusted to him by the controller.
To understand the difference between the two entities, let's look at an example:
Let's say a company sells its goods in the European Union but doesn't have its own warehouse and uses an external one. Who is who in this case?
The vendor, i.e. the entity offering its products - is in this case the controller of the personal data, as it collects personal information, such as name, address, phone number or email address, before passing it on to a third party, the warehouse owner.
In contrast, the warehouse will be the data processor - it will process data obtained from the seller to provide the service specified in the contract.
A contract or other legal act must define the relationship between companies regarding personal data. Such an agreement should specify what happens to the data after the termination of cooperation, how data leaks are reported, and how the data is protected.
When two or more companies decide how to process the same person's data, they're called joint controllers.
As an example, we have two companies, one that sells renovation materials and the other that finishes interiors. They agree to sell a service that goes with the product, which is to renovate the house using the materials the customer bought.
They create a website with an integrated store, so people's information goes into a database shared by both companies. As a result, both entities become joint controllers of the data set.
GDPR protects people's rights and freedoms and regulates how their personal data is used. Additionally, the regulation makes it clear that the flow of data cannot be restricted. As a result, the document is meant to define guidelines and protect consumers, but it's never meant to stop businesses from doing what they do.
The regulation covers any way of processing personal data, whether it's automatic, semi-automatic, or any other method. In addition, the regulations apply to relationships between companies and consumers. As long as the data is purely personal or domestic, it's not subject to GDPR.
To help you understand it better:
Suppose your company is in China, but you sell services or send newsletters in the EU. Do you have to comply with GDPR?
Yes! As long as you process data of citizens from one of the member states, you're covered by the regulation, regardless of where you're based. Retribution is irrelevant - GDPR requires that data of people in the EU be processed accordingly.
Does the GDPR cover the data of a sole proprietor? How about the data of owners of companies listed in national registers?
Basically, it depends on what data is actually disclosed by the member state. For sole proprietorship, if the country's regulations explicitly link the company's name with the individual's name, the individual is also a company. This means the data is protected under the same rules as individuals, so consent is needed.
So, you can tell telemarketers calling your company that you do not consent to personal data processing.
The situation for companies entered into national registries is quite different - in most cases they are separate legal entities, so they are not protected in any way.
However, what about their owners? Company owners are also individuals, so they are fully subject to data protection.
This is a general view of the issue. To clarify all forms of activity, you'd have to trace all possible regulations from each member country.
Yes… and, no. Using the example of a credit card, let's see what can actually be protected. Does an ordinary person who doesn't work at the bank where your card was issued be able to identify you from it (assuming your name isn't on it)?
Probably not, so we do not treat it as protected personal information.
How about a bank employee with access to the internal info system? Because it can be used to identify the cardholder, the card number will be protected.
If you analyze different cases this way, you can determine whether a data leak is serious, or whether it won't have a big impact on the person whose data was leaked.
Companies must quickly identify if sensitive customer data has been exposed. It is also critical to take the necessary steps to protect it. For example, if your database was hacked, but the only thing leaked were your customers' first names – it's not a major data breach.
But if it was the full names, aka data that can be used to identify your customers, we're talking about a serious data protection violation.
That's why it's critical you ensure that such data leaks do not occur in the first place by implementing strong security protocols and regularly auditing your systems.
"Why do we really collect personal data?" is an important question for a company. Every time, the data controller must decide what the data will be used for and make sure its scope is only for that. For example, a newsletter only needs an email address and maybe a first name, so the controller shouldn't ask for anything else from the user. GDPR calls this "data minimization."
When getting personal data, you need to know exactly what you're going to do with it. In other words, if an individual gives his data to receive marketing info only, it can't be used for anything else. This is called "purpose limitation" in the GDPR.
The third rule is to store and process data no longer than absolutely necessary. If someone makes their image available for a single marketing campaign, it can't be stored and processed longer than that campaign lasts.
According to the GDPR, consent must be freely given, specific, informed, unambiguous, and revocable. What does this actually mean, and how should consent be expressed?
Let's break it down into individual elements:
A great example of the implementation of all the principles:
With technology developing so fast and kids having access to the Internet from an early age, it's not insignificant that consent is regulated by the GDPR.
Generally, anyone 16 or older can dispose of their personal data independently. Unless you're a parent or legal guardian, you can't process personal data under this age. However, each member country can regulate this age as long as it doesn't go below 13.
It's the data controller's responsibility to make "reasonable efforts" to verify consent given by a parent or legal
Guardian, considering the technology available.
This means that while the controller must verify the facts, a statement on the website that declares that the person is of a certain age or has parental consent usually suffices - but it can't be pre-checked.
What if consenting to data processing is required for the service? Would you need an additional consent or another checkbox?
When that happens, we talk about implied consent, i.e. consent where giving certain data to the controller is necessary for the order to be fulfilled.
Let's say someone ordered a washing machine from us, and provided his address. For the goods to be delivered, the buyer needs to provide his name and address - it's logical.
Obviously, the data controller can only use the data for this particular transaction. In contrast, when it's not obvious that the data is inextricably tied to a service or order, the individual needs to be informed and consent to data processing.
How about signing contracts? Do we need more data processing provisions?
It's not necessary if the data processing is strictly related to the contract, like issuing an invoice. On the other hand, if we want to process the data for another purpose, like making a database of customers who get a new catalog every few months, then it'll be necessary.
The GDPR defines a catalog of rights of data subjects. These are, in turn:
The right to be informed: giving people precise and easily understandable details regarding how you handle their personal information.
The right of access: grants individuals various rights to access their personal data, which include: confirmation of whether your personal data is being processed, a copy of your personal data in case it is being processed, additional information concerning the processing of your personal data.
The right to rectification: any entity has the right to correct or supplement its personal data, without undue delay of the controller of such data.
The right to erasure (“right to be forgotten”): If certain conditions are met, you are entitled to request the data controller to erase your personal information without undue delay. These conditions are:
The right to restrict processing: you possess the authority to restrict the processing of your personal information. This lets you confine how organizations employ your data. This is an alternative to requesting the erasure of their data.
The right to data portability: allows you to acquire and repurpose your personal data across various services. This right allows you to transfer or copy your personal information effortlessly from one IT environment to another, in a secure and reliable manner, without compromising its usability.
The right to object: gives you the power to prevent the processing of your personal data.
Rights in relation to automated decision-making and profiling: the data subject possesses the right to avoid being the subject of decisions that solely rely on automated processing, including profiling, and that could result in legal consequences or significantly impact them.
DPOs can be appointed at any time for any business, but they are necessary in several cases, regardless of whether you're a controller or processor.
The GDPR requires the appointment of a DPO when sensitive data is processed on a large scale or when people are monitored on a large scale. Behavioral advertising, tracking, and profiling are all examples of monitoring.
The DPO can be a staff member or an external contractor, who provides services under a service contract.
If a new project poses a high risk to individuals' personal information, a Data Protection Impact Assessment (DPIA) is required. You should implement a DPIA, especially when you:
The DPIA is also required when processing children's data or when data leaks can cause physical harm.
DPIAs are good practice even when the high-risk standard isn't met to minimize liability and make sure the best data security and privacy practices are being followed.
The DPIA should include a systematic description of the processing operations, the purpose, and the controller's legitimate interests. It must also assess:
These measures consider the subject's rights and legitimate interests.
GDPR fines are meant to make non-compliance a costly error for businesses of all sizes. GDPR fines aren't fixed and increase based on company size. Therefore, any organization that doesn't comply with GDPR faces a big fine.
GDPR distinguishes between different levels of violations. Minor infringements can result in fines of up to €10 million or 2% of the company's worldwide revenue from the previous financial year, whichever is higher. Violations involve:
There are less serious and more serious infringements in GDPR, with the latter violating the fundamental principles of privacy and the right to be forgotten. The fine can be up to €20 million for these types of violations, or 4% of the organization's global annual revenue, whichever is higher.
These include violations of articles that govern basic processing principles, consent conditions, data subjects' rights, and data transfers to international organizations. You'll also get fined for violating GDPR laws or not complying with supervisory authorities' orders. Data subjects can also get compensation from organizations that damage them due to GDPR violations under GDPR
In each EU country, the data protection regulator is responsible for administering fines under GDPR. Their decision is based on the following 10 criteria:
If an organization commits multiple GDPR violations, regulators will only penalize it for the worst one. This is provided all infringements are part of the same processing operation.
Now that you know all the most important aspects of GDPR, it’s time to use your knowledge in practice. Here’s a quick checklist of the best data protection practices to follow:
Understanding the importance of data privacy and being aware of GDPR requirements is essential for employees.
To ensure this, conduct regular training sessions to keep them updated on the latest developments and best practices.
Also, make sure you adjust the training to your team’s requirements. For example, your customer success team might need different training from your development team.
By investing in awareness and training, you create a culture of data protection within your organization.
Identify and map all personal data that your business processes, including its:
This helps maintain a clear understanding of your data processing activities and identify areas for improvement.
To implement data mapping, create an inventory of all personal data and document its flow throughout your organization. This can be done in a simple spreadsheet or using a dedicated software:
Implementing privacy principles into the design of your products and services means considering data protection from the very beginning of any project and integrating it throughout its lifecycle.
Here’s how Krishan Patel, a CTO with 10+ years of experience working in various industries, approaches data protection in his projects:
I've always operated from a least-priviledged access practice, i.e. even my first engineers don't have access to all data, they get given permissions as they need them and revoked when not needed.
Nobody has in the company has the root credentials except the C-suite. Everything should be made private by default, including databases and servers, code, designs, internal documents, everything. Some say this is hindering but when it's done correctly, nobody should even notice.
As you can see, embedding privacy by design is about proactively addressing potential risks. If you don’t need to share the data with someone, don’t do it.
Collect and process only the personal data that is essential for your business activities. Limit the amount of data you collect, store, and process to minimize the risk of breaches and potential fines.
The best way to implement data minimization is to establish clear guidelines for data collection and implement strict access controls.
For example, SimpleBackups is built in a way that no backup data is ever stored or passed through our servers. This drastically reduces the risk of data breach and makes sure we never have access to unnecessary data.
Appoint a DPO if your business conducts large-scale processing of personal data or sensitive data. The DPO should be responsible for overseeing data protection strategy and ensuring GDPR compliance.
Here’s what Filip Johnssén, Klarna’s DPO says about his role in the company:
A few key ideas drive everything I do as a DPO: One idea is to always keep in mind that data protection and privacy are based on fundamental values. Another idea is understanding that laws represent the voice of the people. For me, this means looking at data protection not as a box-ticking exercise but as what is the right thing to do based on the values and ideas behind a legal requirement.
By having a dedicated DPO, your organization can better manage data privacy risks and maintain regulatory adherence.
A Disaster Recovery Plan (DRP) describes how to recover and restore critical data, systems, and infrastructure after a disruption, such as:
This includes notifying the relevant supervisory authority within 72 hours and, in certain cases, notifying affected individuals without undue delay.
By having a response plan in place, you can minimize the impact of a data breach and ensure timely communication with all stakeholders.
To ensure ongoing compliance with GDPR, it is crucial to conduct regular audits and reviews of your data protection processes.
These audits should encompass all aspects of data handling, including data storage, access controls, and processing activities.
Regular audits and reviews help your organization identify any gaps in your data protection processes and address potential vulnerabilities. By proactively detecting and rectifying these issues, you can mitigate risks, avoid costly fines, and maintain your reputation as a trustworthy business that values data privacy.
Staying informed about the latest data privacy regulations and keeping up with changes in the industry is the best way to ensure that your business is compliant.
But without the right tools, staying on top of your data privacy requirements will be almost impossible. With SimpleBackups, you’ll be able to implement and execute a solid data backup strategy effortlessly. Sign up for a free trial today, and start protecting your company’s data.
Free 7-day trial. No credit card required.
Not convinced yet? Need help?
Get in touch via chat or at [email protected]