The General Data Protection Regulation (GDPR) places the responsibility for proving compliance squarely with those who process data:
You must comply with the data protection principles, and demonstrating that you have done so is your responsibility (Article 5(2)).
The regulation expects, and requires, that you have suitable systems and processes in place to ensure you are processing personal data lawfully and that you can demonstrate that your processing conforms to the GDPR (Article 24).
Articles 24 and 32 do allow the cost of implementation and the state of the art to be weighed against the risk a breach would pose to individuals, but given how widely available solutions to most common security issues are, it seems unlikely that cost would be accepted as a reason for their absence.
What this means for SMEs
- You need internal processes for handling personal data in accordance with the GDPR, you need to train staff to understand and follow those processes, and you need to audit that they are actually doing so.
- You should build data security into your organisation at every layer. This is especially relevant to computer networks, software and websites, but it applies equally to the physical security of paper records.
- Article 32 names pseudonymisation and encryption as measures to apply "as appropriate" rather than as strict requirements, but you would be very well advised to use technical measures that limit what a breach could expose. Anonymisation, pseudonymisation and encryption are all useful tools here. Article 34(3)(a) also removes the duty to notify affected individuals of a breach where the data concerned had been rendered unintelligible to unauthorised parties, for example by encryption.
- Review your processes to ensure you are only gathering the personal data you need and only keeping it for as long as it is needed (the 'data minimisation' and 'storage limitation' principles).
- Make network security a high priority: keep everything patched and up to date, run current, supported versions of software and never use pirated software.
- Article 32 includes a requirement for the "ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident". That certainly means a robust, regularly tested backup procedure for electronically stored data (whether on your own premises or on a provider's cloud servers); a backup that has never actually been restored from is untested. It can also be read as meaning you should hold copies of paper records, so that a physical incident such as a flood or fire does not leave you unable to restore the lost data.
- If your website gives users access to their personal data (for example on a 'My Profile' page), website security should be of the highest priority. Ensure the web server runs on a fully patched operating system and that the web server software, the site's own code and any frameworks or plugins it uses are also fully patched and up to date.
- Ensure that your website's code is written securely, by developers who understand how to implement security correctly, and that it is tested for security as well as for function.
- Engage companies independent of your existing IT and software providers to test and audit the security of your network and website on a regular basis.
- For everything computer related, consider support agreements with your suppliers that oblige them to keep things up to date, and audit that this work is actually done.
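As an added illustration of the pseudonymisation and data-minimisation points in the list above (this is example code written for this page, not code from the original article), the Python below takes a constructed set of customer records, keeps only the fields a reporting job needs, drops records older than an assumed retention period, and replaces the e-mail address with a keyed pseudonym. The key, retention period, field names and records are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from datetime import date, timedelta

# Assumption for the example: in production the pseudonymisation key lives in a
# secrets manager or HSM, separate from the data set it protects. It is
# generated at start-up here purely so the example runs stand-alone.
KEY = secrets.token_bytes(32)

# Constructed sample records (fictional people). The field set is deliberately
# wider than a reporting job needs, to show what minimisation removes.
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice Example", "phone": "01234 567890",
     "date_of_birth": "1980-01-01", "region": "North", "total": 120.50,
     "last_order": "2018-03-01"},
    {"email": "bob@example.com", "name": "Bob Example", "phone": "01234 567891",
     "date_of_birth": "1975-06-15", "region": "South", "total": 40.00,
     "last_order": "2016-11-20"},
    {"email": "carol@example.com", "name": "Carol Example", "phone": "01234 567892",
     "date_of_birth": "1990-09-30", "region": "North", "total": 310.25,
     "last_order": "2018-05-20"},
]

# What the (assumed) reporting purpose actually needs: nothing identifying.
KEEP_FIELDS = ("region", "total")
RETENTION_DAYS = 365            # assumed retention period for this purpose
TODAY = date(2018, 5, 25)       # fixed so the example is reproducible


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for one direct identifier.

    A plain SHA-256 of an e-mail address is not pseudonymisation: anyone can
    hash a list of known addresses and match them. With an HMAC, the data set
    alone (without the separately held key) does not identify anyone, while
    the controller can still recompute the pseudonym for a given person when
    it has a lawful reason to (see reidentify below).
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def minimise_and_pseudonymise(records, key, keep_fields, retention_days, today):
    """Build the data set a downstream job receives:
    - records whose last activity is older than the retention period are dropped,
    - the direct identifier is replaced by a keyed pseudonym,
    - every field not in keep_fields is left out (data minimisation)."""
    cutoff = today - timedelta(days=retention_days)
    out = []
    for r in records:
        if date.fromisoformat(r["last_order"]) < cutoff:
            continue
        row = {"subject": pseudonym(r["email"], key)}
        row.update({f: r[f] for f in keep_fields})
        out.append(row)
    return out


def leaks_direct_identifiers(dataset, records) -> bool:
    """Check the output for any value copied verbatim from an identifying field."""
    identifying = {str(r[f]) for r in records
                   for f in ("email", "name", "phone", "date_of_birth")}
    return any(str(v) in identifying for row in dataset for v in row.values())


def reidentify(subject: str, records, key):
    """Controller side only: with the key and the source records, map a
    pseudonym back to a person, e.g. to action an erasure request that quotes
    a pseudonymised record. Returns None if nothing matches."""
    for r in records:
        if hmac.compare_digest(pseudonym(r["email"], key), subject):
            return r
    return None


if __name__ == "__main__":
    dataset = minimise_and_pseudonymise(CUSTOMERS, KEY, KEEP_FIELDS, RETENTION_DAYS, TODAY)
    for row in dataset:
        print(row)
    print("leaks identifiers:", leaks_direct_identifiers(dataset, CUSTOMERS))
```

The point of the keyed construction is that an attacker must obtain both the data set and the key to identify anyone, which is why the key must be stored and access-controlled separately; a bare hash of an e-mail address offers no such protection because the input space is guessable. Run the file directly to print the minimised rows.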
Keeping records of data processing
Article 30 lays out the requirements for record keeping. This is the article that has caused all the confusion about whether the GDPR applies to businesses with fewer than 250 employees (it definitely does; only this one record-keeping obligation is relaxed for them).
The requirement to keep records of processing is potentially removed for organisations with fewer than 250 employees by Article 30(5), which states:
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
What that means is that small and medium sized businesses will not be required to keep records of data processing unless any one of the following applies:
- The processing is likely to pose a risk to the rights and freedoms of the individuals concerned (the wording is 'a risk', not 'high risk')
- You are processing personal data more than occasionally
- You are processing special category data (Article 9)
- You are processing data about criminal convictions and offences (Article 10)
Most of that is unambiguous, and point 3 alone is a very good reason to go through your databases and records and expunge all special category data (such as racial or ethnic origin) unless you have a real need for it.
What is highly ambiguous, though, is point 2. The wording in Article 30 is "processing is not occasional", but both the GDPR and its recitals are silent on what constitutes 'not occasional'. If one takes the view that a weekly invoicing run is 'not occasional', then a small business has a requirement to keep records of processing even if it only has one employee.
There are a lot more questions here too:
- Is the frequency of data processing judged by looking at all the processing your organisation does as a whole, or is each separate processing activity considered individually? So, if you did invoice processing at the end of the month, order chasing mid-month and marketing every third week, would you now be processing data frequently because you carry out three processing activities per month? Or are you doing three separate processing activities monthly, each of which could be considered occasional?
- If you are considered to be a 'not occasional' data processor, are you required to keep records of all of your data processing activities, or just the ones that occur 'not occasionally'?
We spoke to the ICO about this and they confirmed that there is no guidance to exactly what constitutes 'not occasional' at this point. Hopefully a working party or Recital will add further clarity to this in due course. In the meantime, it's difficult to know exactly how a small business should proceed. The best advice is probably to consider how data processing could be recorded now, but don't implement those processes until there is further clarification in this area.
Codes of conduct and certification
Articles 40 to 43 describe how codes of conduct and certification schemes can be used by businesses to help meet the requirements of the GDPR and to demonstrate that they are doing so. At the time of writing no such schemes exist, but they will no doubt appear over time.
Other schemes can help with parts of the GDPR's requirements. The ISO/IEC 27000 series of information security standards (ISO/IEC 27001 being the one an organisation can be certified against) could help meet the requirements around electronic information security, for example.