Things to consider in your small business’s GDPR readiness plan
As you are outlining your plan of attack to conform with the General Data Protection Regulation (GDPR), you'll need to start with determining whether you are a data controller, a data processor, or both. The definitions provided for the GDPR in Article 4 will help you decide:
(7) “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
(8) “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
In plain English: if Acme Lightbulbs sells and distributes light bulbs but contracts with Emailforyou.com to handle outbound emails to its customers and to track those customers’ activity, then Acme Lightbulbs is the data controller and Emailforyou.com is the data processor.
To comply with the GDPR, you need to know which role you play. The data controller is generally responsible for collecting consent, responding to requests to revoke consent, providing individuals with access to their data, and similar obligations.
So, if an individual changes his mind and wants to have Acme Lightbulbs stop using his data, he would contact them, the data controller—even if the data is being housed with the data processor, Emailforyou.com.
Once revocation is requested, the data controller would then contact the data processor to complete the request and have the data deleted.
It is vital to note that even if you make every necessary correction and your company is perfectly compliant with the GDPR, you could still face the very same penalties if you do not properly vet your data processor and contract with a company that neglects GDPR compliance. Your small business could be held liable for the mistakes of your data processor.
Previous regulations did not hold third parties accountable, and data processors were rarely held liable for noncompliance with data protection rules.
The GDPR, for the first time, holds data processors liable as well, so it is essential that small businesses communicate with any third parties handling data on their behalf to ensure that those parties are also GDPR compliant.
In the GDPR, Article 28(1) states the following:
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
If you are a data controller, the UK Information Commissioner’s Office publishes a very helpful “Data Controller Checklist” you can use to determine your readiness.
If you are a data processor, the UK Information Commissioner’s Office publishes a very helpful “Data Processor Checklist” you can use to determine your readiness.
If you believe you may function in both roles, then we advise you to go through both checklists to confirm your GDPR compliance readiness.
Whether you are a small business just navigating the GDPR, or have been in preparation for a while now, it is a good idea to make regular checks on your policies and processes to confirm that your company is adhering to the GDPR and that any other companies you partner with in data collection, storage, and usage are also compliant.