Almost all EU-based organisations are affected by the GDPR (General Data Protection Regulation), from sole traders to multinationals.
But even though the GDPR unifies data protection rules across Europe, not all businesses will face the same problems. We’ve covered many of the issues you’re likely to face, but this blog focuses on the way sole traders should approach their compliance requirements.
1. Appoint a data protection officer
DPOs (data protection officers) have many responsibilities, including:
- Advising staff on their data protection responsibilities;
- Monitoring the organisation’s data protection policies and procedures;
- Serving as the point of contact between the organisation and its supervisory authority; and
- Serving as a point of contact for individuals on privacy matters.
Most sole traders aren’t expressly required to appoint a DPO; the position is only mandatory for public authorities, those that carry out large-scale systematic monitoring of individuals, and those that carry out large-scale processing of special categories of personal data or of personal data relating to criminal offences.
However, most experts, including the EDPB (European Data Protection Board) – formerly the Article 29 Working Party – suggest that a DPO can be helpful even when your organisation isn’t obliged to appoint one.
That makes sense. It’s obviously beneficial to have a data protection expert on call who can answer your compliance questions and let you know when you’ve made a mistake.
If you’re worried about the cost of appointing a DPO, there are alternatives. The Regulation also allows a group of organisations to appoint a collective DPO or to outsource the position to a third party.
IT Governance’s DPO as a Service is a quick and convenient way of getting the advice of a DPO. One of our data protection experts will fulfil the DPO’s responsibilities, working with you to understand your organisation’s requirements.
They’ll also complete the necessary tasks and provide you with guidance whenever you need it.
2. Prepare for data breaches
Your organisation will suffer a data breach sooner or later. There are simply too many cyber threats and vulnerabilities to keep track of.
Small businesses might mistakenly believe that they’re below hackers’ radars or don’t have anything worth taking, but that’s not how cyber criminals operate.
They usually seek out weaknesses wherever they can find them, knowing that exploiting one will often lead them to something valuable.
And it’s not only outsiders breaking into your systems that you need to worry about. Your employees are just as likely to lose or accidentally breach sensitive information.
That doesn’t mean you should simply accept the inevitability of a data breach, though. There are steps you can take to prepare for, and mitigate the damage of, a data breach, including familiarising yourself with your data breach response requirements.
The GDPR states that any personal data breach that results in a risk to the rights and freedoms of individuals needs to be reported to the relevant supervisory authority within 72 hours of its discovery.
This will be tough for sole traders to comply with, as it takes time to prepare the requisite information. The breach notification needs to provide:
- The nature of the breach, including – where possible – the categories and approximate number of individuals and personal data records concerned.
- The name and contact details of the DPO or relevant person.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to be taken to respond to the breach.
It will be much easier to meet the 72-hour notification deadline if you have a plan to carry out these requirements.
You can learn more about how to create a plan by reading our guide to GDPR data breach notification procedures.
3. Make sure your consent mechanisms are appropriate
The GDPR has toughened the rules surrounding consent considerably, with the most prominent change being the requirement for organisations to gain “clear affirmative action” from individuals.
These adjustments nullify some of the most common tactics organisations used to get individuals’ approval, such as pre-ticked boxes or bundling consent together with other options.
However, contrary to what some people think, organisations do not always need consent to process personal data. Rather, consent is one of six lawful bases that organisations can use to collect individuals’ information.
Consent has been the most common lawful basis, because it is the easiest to obtain. However, the strictness of its application under the GDPR means that organisations should only use it if no other lawful basis is appropriate.
There will be times when consent is your best option, though, and in those cases you must be sure that you’re seeking it lawfully.
GDPR compliance is easier than you might think
Much of the discussion surrounding the GDPR is about how large and complex its rules are. While commentators have intended to urge people to commit to understanding its requirements, this hasn’t always been successful.
Daunted by how much there is to understand, many people have conceded that it’s a losing battle and neglected their compliance requirements.
This obviously isn’t the right attitude, particularly when you realise that the GDPR isn’t as impenetrable as some have made it out to be.
Most of its requirements are based on practices that organisations already follow, and others are logical solutions to problems you’ve probably encountered.
With that in mind, we’re confident that we can answer any compliance question you have via our GDPR Ask Us feature.
Once you submit your question and summary of your organisation’s situation, one of our consultants will respond with an explanation of what you should do in simple, understandable terms.