The GDPR entered into force on May 25, 2018. It applies to all companies and organizations. The whole issue is complex. A clear path of how the implementation of the GDPR in small businesses should look like is not given.
Do not panic. GDPR in small businesses can be simple.
What does the GDPR require in small businesses?
In simplified terms, the main requirements of the GDPR are:
- All data that can be directly or indirectly traced back to a person is personal data.
- This data may only be processed in a lawful manner and in a manner that is comprehensible to the data subject.
- This data may only be processed for specified, unambiguous purposes.
- Only the data that is absolutely necessary may be processed. – Data that is no longer required must be deleted or anonymized.
- Data subjects have a legal right to know what is stored about them and can demand corrections.
- The data must be processed and protected in accordance with the state of the art .
- A procedure directory must be created in which all of the company’s data processing activities are listed.
- A simple risk assessment must be made for all procedures.
- Only authorized persons may access the data.
- Data loss must be reported to the authority or the person concerned.
- Compliance with the GDPR must be demonstrated.
see GDPR Article 5
Why can’t I just ignore the whole thing?
Doing nothing will be expensive. Failure to comply with the GDPR risks high penalties. The GDPR gives data subjects a right to compensation and the possibility to complain to the data protection authority. The authority is obliged to investigate every complaint. The data protection authority may also take action without cause. (see GDPR Article 83).
The GDPR does NOT provide details on how to implement the above. It is required that appropriate solutions are used at the state of the art. It also requires that measures be regularly reviewed for appropriateness.
What needs to be done to implement the GDPR in small businesses?
- The first step is to determine what data processing is performed in the company.
- The processing operations must be documented (what kind of data is processed, to whom is the data transferred, …).
- For the processing operations, it must be specified how long the data is to be stored (see Storage Limitation and Retention Obligation).
- The risk to those affected must be assessed.
- Technical and organizational data protection must be documented.
- If there are any significant weaknesses, remediation must be planned.
- If there is any ambiguity or high risk to affected individuals, an expert must be consulted.
- A procedure directory must be created with this information.
- Processors must be found and contracts, in accordance with the GDPR, must be concluded with them.
- Employees must be trained to respond to affected person inquiries correctly. Protective measures in the company must be known to the employees.
- A date must be defined for the review of these measures.
No information needs to be provided to the data protection authority during preparation. Preparation ensures that you have the documents and information you need when stakeholders or the agency make inquiries.
How can I prepare as a small business without spending a fortune?
To make these steps easier for you, we have developed easyGDPR. easyGDPR is an online tool that supports you step by step in implementing the GDPR and helps you to correctly document the situation in your company.
With simple questions, even complex topics, such as risk assessment, become possible for you. Together with your IT manager/supervisor, you can easily answer questions about technical and organizational data protection.
We offer thereby for different industries such as driving schools, electricians, house administrations, horticulture, … special versions of our software. Frequently occurring processing operations are already predefined. This makes it even easier for them to create their procedure directory.
Our online tool in combination with our online training allows you to perform many steps of the preparation for the GDPR yourself. Our goal is to enable you to work on an equal footing with experts where you want to use them.
How much effort do I have to calculate for this work?
In our experience, the GDPR preparation for small businesses, without critical processing, can usually be done in 3-4 hours.
In addition, there is the cost of any necessary data security measures (better firewall, data backup, …).
If potential privacy issues arise (e.g. you store unprotected credit card data, you work with health data,…), be sure to clarify the situation with an expert.
Where can I get help from experts?
Evening workshop “DSGVO simple and efficient”.
In our DSGVO evening workshop you will learn briefly and compactly the 1×1 of the data protection basic regulation. The workshop is based on the “Informationsoffensive Workshop Datenschutz Neu” of the WKO NÖ. The speaker, Andreas Schindler, is a certified data protection expert and in the DSGVO consultant pool of the WKO NÖ. You can register directly via our online store or at the e-mail address: firstname.lastname@example.org.
The workshops take place in our training center in 2100 Stetten, Hautstraße 49.