On 25 May 2018, the new privacy law known as the General Data Protection Regulation (GDPR) will be applicable to all companies – large and small – in Europe. It includes some tightening of the existing laws (stricter consent, a risk-based approach, additional processor obligations) and several novelties (the right to data portability, data breach notification requirements and rules on child privacy).
Some of the new requirements are currently not entirely clear. While the Article 29 Working Party, a group of data protection authorities, has recently provided some preliminary guidance, many elements remain as yet undecided.
The biggest mistake that a company could make in this situation would be to defer the start of an internal GDPR project because of a lack of guidance on the law. So how can you get started with only limited resources? Here are five easy things SMEs can do right now:
The GDPR requires companies to nominate a data protection officer ("DPO") under certain circumstances, e.g. when a significant quantity of sensitive data (such as health, genetic or biometric data) is being processed. Even if you are not obligated to nominate a DPO at present, it might still make sense to nominate a member of your staff internally as soon as possible, as doing so will help to focus implementation and drive accountability. Building your competences up internally over time will likely be a better strategy than hiring a new individual for the role of DPO, as you will need an employee who is hands-on and who knows your business well from the inside.
Start documenting your data processing practices in a basic way. While the GDPR has very strict documentation requirements, it would be advisable to start as soon as possible with a less ambitious approach, and then improve your methods over time. For smaller companies, the necessary documentation could even be produced via a spreadsheet template, which would define categories of data, the purpose of the data and who has responsibility for the data.
It would be wise to start thinking about potential risk areas. The GDPR implements the so-called risk-based approach, which means that the greater the risks posed to the privacy rights of individuals, the more safeguards and transparency will be needed. Examples of the types of privacy risks that a company could prepare for might be the damage that would result from the exposure of location data relating to children, or the loss of sensitive health records.
The GDPR requires that you, as a company, give certain information to individuals about the processing of their personal data. Examples of this type of information include the identity of the company processing their data and the contact details of the relevant DPO, where applicable. In addition, customers will need to be informed of the legal basis (consent, a contract, legitimate interest, etc.) for such processing. This will ultimately require the revision of your privacy statements in light of the GDPR, and likewise of any contracts you might have with sub-contractors who process personal data on your behalf (such as cloud service providers).
Aside from starting early, the best advice would be for you to decide what you can do internally, and where you will need external help. Depending on the existing knowledge base of your company, a possible option might be to hire external lawyers to draft data processing templates, or to look at international data transfers. Other items, such as the documentation required by the GDPR, can quite easily be created in-house.
While the five steps above will not of themselves enable you to achieve 100% compliance, they will, nonetheless, provide an excellent basis on which to start preparing for the GDPR.