Mastering GDPR Compliance: The Essential Business Owner's Handbook

Kuba

Marketing Specialist, SimpleBackups

May 5th, 2023

As a business owner, you understand the importance of keeping your company in compliance with laws and regulations. One of the most significant of these is the General Data Protection Regulation (GDPR). GDPR compliance is not only a legal requirement, but it's also essential for building trust with your customers and protecting your business's reputation.

Whether you're a small business owner or the head of a large organization, our Essential Business Owner's Handbook will help you master GDPR compliance. By following our advice, you'll not only protect your business from legal repercussions but also build trust with your customers and improve your reputation in the marketplace.

GDPR: Definition

GDPR is short for "General Data Protection Regulation." It's a regulation that governs access to and use of personal data. It's been adopted by all member states of the European Union and is considered the strictest in the world.

Immediately, let's note that this act applies not just to EU-based companies and individuals, but also to foreign companies doing business in the EU.

You have to comply with GDPR whether you're from the U.S., China, or Europe.

The basis for GDPR was the European Convention on Human Rights, which guarantees everyone the right to respect for their private and family life. However, technological advancements such as the development of the Internet showed that those provisions had become insufficient, so a new document was drafted.

The GDPR came into effect in May 2018. While it covers a lot of ground, the provisions were written in a way that was easy to understand for the average person. Still, we think a few things need clarification - especially from the perspective of business owners.

GDPR: A Glossary for Business Owners

First, let's define some of GDPR's key terms. Keep in mind that this is just a small part of GDPR.

  • Personal data is information about a person that can be used to identify them. For example, you can identify someone if you know their name, surname, and home address. The same applies to data relating to a description of appearance, psyche, economic or cultural situation.
  • Processing is any action or set of actions done on personal data. Even if these operations are automated, they still count as processing personal data. Processing means gathering, recording, organizing, structuring, storing, changing, retrieving, using, sharing, combining, restricting, erasing or destroying. Example: collecting personal data to send newsletters.
  • Data subject: the person whose data is processed.
  • Profiling is any type of processing of personal data that uses that data to evaluate certain aspects of a person. In general, this means analyzing or predicting aspects such as the person's performance at work, economic situation, health, preferences, interests, reliability, behavior, location, or movements. For example, you could use personal data to personalize displayed ads.
  • A personal data breach is a breach of security that leads to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data. Example: a hacking attack on company servers that steals personal data.

Who Is a Data Controller, Data Processor, and Joint Controller?

The data controller determines how and why personal data is processed. In addition, they're responsible for protecting personal data and processing it internally. Data controllers are usually companies - sole proprietorships or partnerships.

Data Processors process data on behalf of Data Controllers. Data Processors are usually external companies, but sometimes you'll encounter groups of companies where one company processes data for another. A data processor can only process data that's been directly entrusted to it by the controller.

To understand the difference between the two entities, let's look at an example:

Let's say a company sells its goods in the European Union but doesn't have its own warehouse and uses an external one. Who is who in this case?

The vendor, i.e. the entity offering its products, is in this case the controller of the personal data, as it collects personal information such as name, address, phone number or email address before passing it on to a third party, the warehouse owner.

In contrast, the warehouse will be the data processor - it will process data obtained from the seller to provide the service specified in the contract.

A contract or other legal act must define the relationship between companies regarding personal data. Such an agreement should specify what happens to the data after the termination of cooperation, how data leaks are reported, and how the data is protected.

When two or more companies decide how to process the same person's data, they're called joint controllers.

As an example, we have two companies, one that sells renovation materials and the other that finishes interiors. They agree to sell a service that goes with the product, which is to renovate the house using the materials the customer bought.

They create a website with an integrated store, so people's information goes into a database shared by both companies. As a result, both entities become joint controllers of the data set.

Objectives, Material, and Territorial Scope

GDPR protects people's rights and freedoms and regulates how their personal data is used. Additionally, the regulation makes it clear that the flow of data cannot be restricted. As a result, the document is meant to define guidelines and protect consumers, but it's never meant to stop businesses from doing what they do.

The regulation covers any way of processing personal data, whether it's automatic, semi-automatic, or any other method. In addition, the regulations apply to relationships between companies and consumers. Processing carried out for purely personal or household activities is not subject to GDPR.

To help you understand it better:

Suppose your company is in China, but you sell services or send newsletters in the EU. Do you have to comply with GDPR?

Yes! As long as you process data of people in one of the member states, you're covered by the regulation, regardless of where you're based. Your location is irrelevant: GDPR requires that data of people in the EU be processed accordingly.

Sole Proprietorship and Partnerships: What Kind of Data Are Protected?

Does the GDPR cover the data of a sole proprietor? How about the data of owners of companies listed in national registers?

Basically, it depends on what data is actually disclosed by the member state. For a sole proprietorship, if the country's regulations explicitly link the company's name with the individual's name, the company is identified with the individual. This means the data is protected under the same rules as for individuals, so consent is needed.

So, you can tell telemarketers calling your company that you do not consent to personal data processing.

The situation for companies entered into national registries is quite different - in most cases they are separate legal entities, so they are not protected in any way.

However, what about their owners? Company owners are also individuals, so they are fully subject to data protection.

This is a general view of the issue. To clarify all forms of activity, you'd have to trace all possible regulations from each member country.

Are credit card numbers personal data?

Yes… and no. Using the example of a credit card, let's see what can actually be protected. Would an ordinary person who doesn't work at the bank that issued your card be able to identify you from it (assuming your name isn't on it)?

Probably not, so we do not treat it as protected personal information.

How about a bank employee with access to the internal information system? For them, the number can be used to identify the cardholder, so the card number is protected.

If you analyze different cases this way, you can determine whether a data leak is serious, or whether it won't have a big impact on the person whose data was leaked.

Companies must quickly identify if sensitive customer data has been exposed. It is also critical to take the necessary steps to protect it. For example, if your database was hacked, but the only thing leaked were your customers' first names – it's not a major data breach.

But if it was the full names, aka data that can be used to identify your customers, we're talking about a serious data protection violation.

That's why it's critical you ensure that such data leaks do not occur in the first place by implementing strong security protocols and regularly auditing your systems.

The Purpose Of Collecting Data And GDPR Guidelines For Data Controllers

"Why do we really collect personal data?" is an important question for a company. Every time, the data controller must decide what the data will be used for and make sure its scope is only for that. For example, a newsletter only needs an email address and maybe a first name, so the controller shouldn't ask for anything else from the user. GDPR calls this "data minimization."

When getting personal data, you need to know exactly what you're going to do with it. In other words, if an individual gives their data to receive marketing info only, it can't be used for anything else. This is called "purpose limitation" in the GDPR.

The third rule is to store and process data no longer than absolutely necessary. If someone makes their image available for a single marketing campaign, it can't be stored and processed longer than that campaign lasts.

According to the GDPR, consent must be freely given, specific, informed, unambiguous, and revocable. What does this actually mean, and how should consent be expressed?

Let's break it down into individual elements:

  1. Freely given: consent can't be coerced or manipulated. You can't condition a service on getting consent to process data for marketing purposes, for example. Exceptions to this are when certain data is required to finish a service or order and wouldn't be complete without it.
  2. Specific: the individual needs to know how their personal data will be used. For example, if we want to get consent for sending newsletters, using an image, and profiling, then consent for each needs to be obtained separately, along with what personal data is needed for each.
  3. Informed: consent forms must be clear and transparent to the person giving consent. A person must be informed about their rights, and any terms the average person doesn't use every day, such as jargon and slang, must be explained.
  4. Unambiguous: consent must be expressed in a way that makes it clear the subject actually wants it. Silence (i.e., not expressing consent verbatim) cannot be interpreted as consent.
  5. Revocable: the individual who entrusts data to a controller should have the right to withdraw consent without any conditions.

A great example of the implementation of all the principles:

![Example of a GDPR opt-in form](https://images.prismic.io/userzoom/322cef3c-572c-4161-8c46-55961b531654_guardian-GDPR-opt-in.png?auto=compress,format&w=1800)

With technology developing so fast and kids having access to the Internet from an early age, it matters that children's consent is regulated by the GDPR.

Generally, anyone 16 or older can consent to the processing of their personal data independently. Below this age, consent must be given or authorized by a parent or legal guardian. However, each member country can lower this age as long as it doesn't go below 13.

It's the data controller's responsibility to make "reasonable efforts" to verify consent given by a parent or legal guardian, considering the technology available.

This means that while the controller must verify the facts, a statement on the website that declares that the person is of a certain age or has parental consent usually suffices - but it can't be pre-checked.

What if consenting to data processing is required for the service? Would you need an additional consent or another checkbox?

When that happens, we talk about implied consent, i.e. consent where giving certain data to the controller is necessary for the order to be fulfilled.

Let's say someone ordered a washing machine from us and provided their address. For the goods to be delivered, the buyer needs to provide their name and address, which is logical.

Obviously, the data controller can only use the data for this particular transaction. In contrast, when it's not obvious that the data is inextricably tied to a service or order, the individual needs to be informed and consent to data processing.

How about signing contracts? Do we need more data processing provisions?

It's not necessary if the data processing is strictly related to the contract, like issuing an invoice. On the other hand, if we want to process the data for another purpose, like making a database of customers who get a new catalog every few months, then it'll be necessary.

Rights of Data Subjects in GDPR

The GDPR defines a catalog of rights of data subjects. These are, in turn:

  1. The right to be informed: giving people precise and easily understandable details regarding how you handle their personal information.

  2. The right of access: grants individuals various rights to access their personal data, which include: confirmation of whether your personal data is being processed, a copy of your personal data in case it is being processed, additional information concerning the processing of your personal data.

  3. The right to rectification: any data subject has the right to have their personal data corrected or supplemented by the controller of that data, without undue delay.

  4. The right to erasure (“right to be forgotten”): If certain conditions are met, you are entitled to request the data controller to erase your personal information without undue delay. These conditions are:

    • Your personal data is no longer needed for the purpose for which it was initially collected or processed.
    • You withdraw your consent for the processing of your data, and there are no other legal grounds for such processing.
    • You object to the processing of your data, and there are no overriding legitimate reasons to continue the processing, such as legal claims.
    • You object to the processing of your data for direct marketing purposes.
    • Your personal data was processed unlawfully.
    • Erasure is necessary to comply with a legal obligation.
    • Your personal data was collected in connection with the offer of information society services, such as social media, to a child.
  5. The right to restrict processing: you possess the authority to restrict the processing of your personal information. This lets you confine how organizations employ your data. This is an alternative to requesting the erasure of your data.

  6. The right to data portability: allows you to acquire and repurpose your personal data across various services. This right allows you to transfer or copy your personal information effortlessly from one IT environment to another, in a secure and reliable manner, without compromising its usability.

  7. The right to object: gives you the power to prevent the processing of your personal data.

  8. Rights in relation to automated decision-making and profiling: the data subject possesses the right to avoid being the subject of decisions that solely rely on automated processing, including profiling, and that could result in legal consequences or significantly impact them.

Data Protection Officer – Do I Need One?

DPOs can be appointed at any time for any business, but they are necessary in several cases, regardless of whether you're a controller or processor.

The GDPR requires the appointment of a DPO when sensitive data is processed on a large scale or when people are monitored on a large scale. Behavioral advertising, tracking, and profiling are all examples of monitoring.

The DPO can be a staff member or an external contractor, who provides services under a service contract.

Data Protection Impact Assessment

If a new project poses a high risk to individuals' personal information, a Data Protection Impact Assessment (DPIA) is required. You should implement a DPIA, especially when you:

  • Use new technology
  • Track people's behavior or location
  • Monitor public places systematically on a large scale
  • Process sensitive categories like race, religion, health, or sexual orientation

The DPIA is also required when processing children's data or when data leaks can cause physical harm.

DPIAs are good practice even when the high-risk standard isn't met to minimize liability and make sure the best data security and privacy practices are being followed.

The DPIA should include a systematic description of the processing operations, the purpose, and the controller's legitimate interests. It must also assess:

  • The necessity and proportionality of processing operations in relation to the purposes
  • The risks to data subjects' rights and freedoms
  • Measures to reduce the risks, including safeguards, security measures, and GDPR compliance mechanisms

These measures consider the subject's rights and legitimate interests.

Penalties for GDPR Violations

GDPR fines are meant to make non-compliance a costly error for businesses of all sizes. GDPR fines aren't fixed and increase based on company size. Therefore, any organization that doesn't comply with GDPR faces a big fine.

GDPR distinguishes between different levels of violations. Minor infringements can result in fines of up to €10 million or 2% of the company's worldwide revenue from the previous financial year, whichever is higher. Infringements at this level concern the obligations of:

  • Data controllers and processors: these rules cover data protection, lawful bases for processing, and other things that organizations collecting and controlling data (controllers) and companies processing data (processors) have to do.
  • Certification bodies: they certify organizations and evaluate and assess them in a transparent, unbiased way.
  • Monitoring bodies: they have to have the right expertise and handle complaints or reported infringements fairly and transparently.

There are less serious and more serious infringements in GDPR, with the latter violating the fundamental principles of privacy and the right to be forgotten. The fine can be up to €20 million for these types of violations, or 4% of the organization's global annual revenue, whichever is higher.

These include violations of articles that govern basic processing principles, consent conditions, data subjects' rights, and data transfers to third countries or international organizations. You'll also get fined for violating member state data protection laws adopted under GDPR or for not complying with supervisory authorities' orders. Data subjects can also claim compensation under GDPR from organizations that cause them damage through GDPR violations.

In each EU country, the data protection regulator is responsible for administering fines under GDPR. Their decision is based on the following 10 criteria:

  1. Gravity and nature: This refers to the overall picture of the infringement, including what happened, how it happened, why it happened, the number of people affected, the damages caused, and the timeframe for resolution.
  2. Intention: Whether the infringement was intentional or the result of negligence.
  3. Mitigation: Whether the organization took any actions to mitigate the damage suffered by those affected by the infringement.
  4. Precautionary measures: The amount of technical and organizational preparation the organization had previously implemented to comply with the GDPR.
  5. History: Any relevant previous infringements, including those under the Data Protection Directive, as well as compliance with past administrative corrective actions under the GDPR.
  6. Cooperation: Whether the organization cooperated with the supervisory authority to discover and remedy the infringement.
  7. Data category: What type of personal data the infringement affects.
  8. Notification: Whether the organization, or a designated third party, proactively reported the infringement to the supervisory authority.
  9. Certification: Whether the organization followed approved codes of conduct or was previously certified.
  10. Aggravating/mitigating factors: Any other issues arising from the circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.

If an organization commits multiple GDPR violations, regulators will only penalize it for the worst one. This is provided all infringements are part of the same processing operation.

GDPR for Business: Best Practices

Now that you know all the most important aspects of GDPR, it’s time to use your knowledge in practice. Here’s a quick checklist of the best data protection practices to follow:

Invest in Awareness and Training

Understanding the importance of data privacy and being aware of GDPR requirements is essential for employees.

To ensure this, conduct regular training sessions to keep them updated on the latest developments and best practices.

Also, make sure you adjust the training to your team’s requirements. For example, your customer success team might need different training from your development team.

By investing in awareness and training, you create a culture of data protection within your organization.

Implement Data Mapping

Identify and map all personal data that your business processes, including its:

  • Sources
  • Storage locations
  • Sharing partners

This helps maintain a clear understanding of your data processing activities and identify areas for improvement.

To implement data mapping, create an inventory of all personal data and document its flow throughout your organization. This can be done in a simple spreadsheet or using dedicated software:

[Image: data mapping template]

Privacy by Design: Integrating Data Protection from the Start

Implementing privacy principles into the design of your products and services means considering data protection from the very beginning of any project and integrating it throughout its lifecycle.

Here’s how Krishan Patel, a CTO with 10+ years of experience working in various industries, approaches data protection in his projects:

I've always operated from a least-privileged access practice, i.e. even my first engineers don't have access to all data; they get given permissions as they need them and revoked when not needed.

Nobody in the company has the root credentials except the C-suite. Everything should be made private by default, including databases and servers, code, designs, internal documents, everything. Some say this is hindering, but when it's done correctly, nobody should even notice.

As you can see, embedding privacy by design is about proactively addressing potential risks. If you don’t need to share the data with someone, don’t do it.

Data Minimization

Collect and process only the personal data that is essential for your business activities. Limit the amount of data you collect, store, and process to minimize the risk of breaches and potential fines.

The best way to implement data minimization is to establish clear guidelines for data collection and implement strict access controls.

For example, SimpleBackups is built in a way that no backup data is ever stored or passed through our servers. This drastically reduces the risk of data breach and makes sure we never have access to unnecessary data.

Data Protection Officer (DPO)

Appoint a DPO if your business conducts large-scale processing of personal data or sensitive data. The DPO should be responsible for overseeing data protection strategy and ensuring GDPR compliance.

Here’s what Filip Johnssén, Klarna’s DPO says about his role in the company:

A few key ideas drive everything I do as a DPO: One idea is to always keep in mind that data protection and privacy are based on fundamental values. Another idea is understanding that laws represent the voice of the people. For me, this means looking at data protection not as a box-ticking exercise but as what is the right thing to do based on the values and ideas behind a legal requirement.

By having a dedicated DPO, your organization can better manage data privacy risks and maintain regulatory adherence.

Data Breach Response Plan

A Disaster Recovery Plan (DRP) describes how to recover and restore critical data, systems, and infrastructure after a disruption, such as:

  • natural disasters
  • cyber-attacks
  • hardware failure
  • human error

Your data breach response plan, in particular, must cover notifying the relevant supervisory authority within 72 hours of becoming aware of the breach and, in certain cases, notifying affected individuals without undue delay.

By having a response plan in place, you can minimize the impact of a data breach and ensure timely communication with all stakeholders.

Regular Audits and Reviews: Maintaining Ongoing GDPR Compliance

To ensure ongoing compliance with GDPR, it is crucial to conduct regular audits and reviews of your data protection processes.

These audits should encompass all aspects of data handling, including data storage, access controls, and processing activities.

Regular audits and reviews help your organization identify any gaps in your data protection processes and address potential vulnerabilities. By proactively detecting and rectifying these issues, you can mitigate risks, avoid costly fines, and maintain your reputation as a trustworthy business that values data privacy.

Final Thoughts

Staying informed about the latest data privacy regulations and keeping up with changes in the industry is the best way to ensure that your business is compliant.

But without the right tools, staying on top of your data privacy requirements will be almost impossible. With SimpleBackups, you’ll be able to implement and execute a solid data backup strategy effortlessly. Sign up for a free trial today, and start protecting your company’s data.
