GDPR For Small Businesses - Part 3: How to be Compliant with the GDPR

The (GDPR) General Data Protection Regulation has and still continues to give many organizations a headache because of the fact that there are so many sides to keep track of, from data protection basics, to what data subject rights individuals have and how to respond to requests under these, to steps required for compliance, and finally to matters of security of the personal information a business processes. 

In the previous two posts, we discussed the basics of data protection and the data subject rights of individuals, based on the EDPB’s Data Protection Guide for Small Businesses issued in order to help SMEs navigate this data privacy law and understand their obligations. In this post we move on to steps required of organizations in order to be compliant with the GDPR. 

The EDPB’s Guide affirms that “an organization not only has to process personal data according to the General Data Protection Regulation, but it also needs to be able to demonstrate its compliance. This includes implementing data protection by design, keeping a record of processing activities, and in certain circumstances, conducting a data protection impact assessment​​.”

Data protection by design and by default

Organizations should embed data protection within their website and consider the privacy of individuals in every aspect, and at every stage of its processing operations, in the tools used, or any other business activity.

In order to apply data protection by design and by default you need to take into account the following: 

• the nature, context, and scope of the processing operation;
• the risks that may arise from the processing operations or any other business activities that may have an impact on individuals’ personal data;
• the technical and organizational measures that should be put in place to mitigate the risks identified, and, in doing so, ensure that individuals’ personal data is adequately protected;
• the technical and organizational measures or procedures to be put in place to ensure that processing of personal data is limited to what is necessary in light of the objectives pursued.

Practical Example: A healthcare organization that has several doctors employed would collect the personal data of its patients in its organizational information system. In the event that one doctor would need to cover for another doctor and see a patient, and provide the proper care and treatment, they would need to make an informed decision based on documentation containing previous diagnoses, care, and courses of treatment applied. Data protection by default here means that access to the documentation is granted only to those doctors involved in the care of the respective patient. 

Keeping records of data processing

Organizations are required to keep a record of data processing activities, in writing, including in electronic form in order to be able to provide an overview. Creating these records means that you should identify which of your activities require processing of personal data. Next, each one of these activities has to be described in the record in such a way so as to include the following:

• the purpose of the processing (e.g. customer loyalty);
• the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
• who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
• where applicable, information related to transfers of personal data outside the European Economic Area (EEA);
• where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective);
• where possible, a general description of the security measures.

These records have to be made available to the DPA of the EEA country where you operate, upon request.

Conducting a DPIA (Data Protection Impact Assessment)

Where a processing activity is likely to result in a high risk to the rights and freedoms of individuals, your organization has an obligation to carry out a Data Protection Impact Assessment which is a written assessment of a planned processing operation. This helps you to identify the appropriate safeguards to mitigate the risks and to demonstrate compliance. However, keep in mind that while it is considered best practice to anticipate the impact of planned processing operations of your organization by conducting a DPIA, it is only compulsory to carry out such a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case where the processing entails one of the following:

• the processing - on a large scale - of sensitive personal data and data related to criminal convictions;
• a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in question or similarly significantly affect individuals;
• systematic monitoring of a publicly accessible area on a large scale.

To simplify even further, processing operations that meet either two of the following criteria should be assessed through a DPIA:

1. evaluation or scoring;
2. automated decision making with legal or similar significant effect;
3. systematic monitoring;
4. sensitive data or data of a highly personal nature;
5. data processed on a large scale:
6. matching or combining datasets;
7. data concerning vulnerable data subjects;
8. innovative use or applying new technological or organizational solutions;
9. When the processing in itself prevents individuals from exercising a right or using a service or a contract.

Your DPIA should include:

• a description of the planned processing operation and its purpose;
• a necessity and proportionality assessment; 
• the risks that the processing operation may entail;
• the measures to address the risks.

Whenever you cannot find sufficient measures to reduce the risks to an acceptable level you are required to consult with the data protection authority in your country, in which case you are also required to provide the following information:

• the respective responsibilities of the controller, joint controllers and processors involved in the processing;
• the purpose of the processing operation and how the processing operation will be conducted;
• the measures envisaged to safeguard individuals’ personal data;
• the contact details of the data protection officer of your organization, if applicable;
• the DPIA in question.

Last but not least, once your DPIA is drafted, you must test it; improve it if necessary; conduct your processing operation; re-assess whether your DPIA matches the processing operation; and control check.

Practical Example:

• a DPIA may be required when: 
• processing biometric data, for example scanning fingerprints or facial features to identify patients;
• using data of vulnerable individuals for marketing purposes, for example to predict their purchases;
• a mobile app tracks an individual’s location.
• a DPIA may not be required when:
• the processing operation is very similar to a processing which was the subject of a DPIA;
• the processing is included in the optional list of processing operations not subject to a DPIA - established by your country’s DPA;
• the processing operation is authorized under EU or national law.

To find a more comprehensive overview of the GDPR simply access our website’s Resources section where you will find this data privacy law listed among the other privacy regulations Clym supports currently. For your convenience, here is a direct link to the EU GDPR Overview.