The GDPR entered into force on 25 May 2018. It applies to all companies and organisations. The whole issue is complex. There is no clear path as to how the GDPR is to be implemented in small companies.
Don’t panic. GDPR in small businesses can be simple.
What does the GDPR require of small companies?
To put it simply, the most important requirements of the GDPR are as follows:
- All data that can be traced back directly or indirectly to a person are personal data.
- This data may only be processed in a lawful manner and in a way that is comprehensible to the data subject.
- These data may only be processed for specified, explicit purposes.
- Only the data that is absolutely necessary may be processed.
- Data that is no longer needed must be deleted or anonymised.
- Affected persons have a legal right to know what is stored about them and can demand corrections.
- The data must be processed and protected in accordance with the state of the art.
- A procedure directory must be created in which all data processing operations of the company are listed.
- A simple risk assessment must be made for all procedures.
- Only authorized persons are allowed to access the data.
- Losses of data must be reported to the authority or person concerned.
- Compliance with the GDPR must be demonstrable.
Take a look at GDPR article 5.
Why can’t I just ignore the whole thing?
Doing nothing will cost you dearly. Failure to comply with the GDPR will result in high penalties. The GDPR gives those affected the right to compensation and the opportunity to complain to the data protection authority. The authority is obliged to investigate every complaint. The data protection authority may also investigate on its own initiative, without a complaint (see GDPR Article 83).
The GDPR does NOT give details on how the above points are to be implemented. It requires that appropriate state of the art solutions be used. It is also required that the measures be regularly reviewed for appropriateness.
What needs to be done to implement the GDPR in small companies?
- The first step is to determine which data processing operations are carried out in the company.
- The processing operations must be documented (what type of data is processed, to whom the data is transferred, …).
- For each processing operation, it must be determined how long the data is to remain stored (see storage limitation and statutory retention obligations).
- The risk for those affected must be assessed.
- Technical and organisational data protection must be documented.
- If there are significant weaknesses, a remediation must be planned.
- If there are ambiguities or a high risk for affected persons, an expert must be consulted.
- A procedure directory must be created with this information.
- Contract processors must be found and contracts concluded with them in accordance with the GDPR.
- Employees must be trained to correctly respond to inquiries from those affected. Protective measures in the company must be known to the employees.
- A date must be set for the review of these measures.
No information needs to be disclosed to the data protection authority during the preparation. Preparation ensures that you have the documents and information you need when data subjects or the authority make inquiries.
How can I prepare myself as a small business without spending a fortune?
To make these steps easier for you, we have developed easyGDPR. easyGDPR is an online tool that supports you step by step in implementing the GDPR and helps you to correctly document the situation in your company.
Simple questions guide you through even complex topics such as risk assessment. Together with your IT manager or consultant, you can easily answer the questions on technical and organisational data protection.
We offer special versions of our software for different sectors, such as driving schools, electricians, property management and horticulture. Frequently occurring processing operations are already pre-defined, which makes compiling your procedure directory even simpler.
Our online tool in combination with our online training enables you to perform many steps of the GDPR preparation yourself. Our goal is that, where you do want to involve experts, you can work with them as an equal.
How much effort do I have to calculate for this work?
In our experience, GDPR preparation for small businesses without critical processing can usually be completed in 3-4 hours.
In addition, there is the expense for any necessary measures for data security (better firewall, data backup, …).
If there are potential data protection problems (e.g. you store unprotected credit card data, or you work with health data, …), the situation should definitely be clarified with an expert.
Where can I get help from experts?
Workshop “GDPR simple and efficient”.
In our GDPR evening workshop you learn the basics of the General Data Protection Regulation in a brief, compact form. The workshop is based on the “Information Offensive Workshop Data Protection New” of the WKO NÖ. The lecturer, Andreas Schindler, is a certified data protection expert and a member of the GDPR consultant pool of the WKO NÖ. You can register directly via our online shop or by e-mail at firstname.lastname@example.org. The workshops take place at our training centre in 2100 Stetten, Hautstraße 49.