Almost all organisations are affected by the EU General Data Protection Regulation (GDPR), from sole traders to multinationals. But even though the GDPR intends to unify data protection rules across the EU, everyone will face different problems. We’ve covered many of the issues you’re likely to come across, but this blog focuses on how the GDPR affects sole traders.
Appoint a data protection officer
A data protection officer (DPO) has many responsibilities, such as monitoring compliance with data protection laws, including the GDPR, and acting as the point of contact for supervisory authorities and data subjects.
Most sole traders won’t be explicitly obliged to appoint a DPO – the requirement only applies to public authorities, those that carry out large-scale systematic monitoring of individuals and those that carry out large-scale processing of special categories of data or data related to criminal offences. However, the Regulation implies that most organisations that handle personal data should designate someone to oversee GDPR compliance, even if they aren’t technically a DPO. The Regulation also allows a group of companies to appoint a collective DPO.
Prepare for data breaches
All organisations are vulnerable to data breaches, whether they’re caused by negligence, malicious action or a combination of the two. Small organisations might mistakenly believe that they’re below hackers’ radars or don’t have anything worth taking, but cyber criminals often target exploitable weaknesses rather than specific companies.
It’s impossible to prevent data breaches altogether, so organisations need to know what to do when the inevitable happens. The GDPR states that any breach that results in a risk to the rights and freedoms of individuals needs to be reported to the relevant supervisory authority within 72 hours of its discovery.
This will be tough for sole traders to comply with, as it takes time to prepare the requisite information. The breach notification needs to provide:
- The nature of the breach, including – where possible – the categories and approximate number of individuals and personal data records concerned;
- The name and contact details of the DPO or relevant person;
- A description of the likely consequences of the breach; and
- A description of the measures taken or proposed to be taken to respond to the breach.
It will be much easier to meet the 72-hour notification deadline if you have a plan to carry out these requirements.
Get appropriate consent
The GDPR adjusts the requirements for consent, with perhaps the biggest change being that consent needs to be obtained via “clear affirmative action”, which nullifies opt-out options such as pre-ticked boxes.
The consent request must cover the specific processing details, the type of information requested, the purposes of the processing and any special aspects that may affect the individual, such as disclosures.
There are many nuances to getting consent under the GDPR, and it often won’t be the most appropriate legal ground for obtaining personal data. As such, we recommend reading our dedicated blogs on the topic.
How to achieve compliance
The good news is that many of the GDPR’s principles are similar to current data protection laws, which means that if you’re currently compliant, most of your processes will remain valid. However, there are some important changes that you need to prepare for.
You can find out how to do that by enrolling on our Certified GDPR Foundation Training Course.
This course provides a comprehensive introduction to the GDPR and helps you understand the implications and legal requirements for all organisations affected by the Regulation.