After a Summer break, I’m back continuing our bite sized break down of the GDPR. Why? I often hear “I don’t know where to start” as a reason why small or medium sized enterprises (SMEs) haven’t put the GDPR into practice yet. Like so many things in life, if it can be broken down into bite size pieces, then it’s not so overwhelming. Another platitude that might be helpful in this situation is “start at the beginning.”
If you are a business that processes personal data, you need to have a legal basis to process personal data. So, the first bite sized piece, or the first topic to start with, is whether you have a legal basis to process personal data. What a legal basis to process is will be discussed in my next blog. The GDPR can be broken down into seven other bite sized pieces or topics:
- As mentioned in my previous blogs, the GDPR expands individual rights and creates new individual rights. It is important for SMEs to understand what these rights are and how to respond if an individual exercises one of them.
- If you use a third party to process personal data for you, or you are the third party that is processing personal data, the GDPR specifies what requirements need to be in the contract with the third party.
- The GDPR requires a personal data breach likely to result in risk to the rights and freedoms of individuals to be reported to the appropriate supervisory authority within 72 hours and to the individual without undue delay.
- In order to determine what technical and organizational security measures to have in place, you need to assess the risks presented by the processing, especially from the perspective of a data breach.
- If you engage in processing that is likely to result in high risk to the rights and freedoms of individuals (high risk processing), then you must, prior to the processing, assess the impact of the high risk processing.
- If you employ fewer than 250 persons, then you do not need to maintain a record of processing unless the processing:
  - Is high risk processing, or
  - Is not occasional, or
  - Includes special categories of data (e.g. racial or ethnic origin, political opinion, religious beliefs, health data)
- If you transfer personal data outside the EU to non-EU countries, then the transfer must be subject to appropriate safeguards (e.g. Standard Data Protection Clauses).
I’ve already explained individual rights. I am going to explain in more detail what the rest of these topics mean in subsequent blogs.
This blog is the 16th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.
Each of the “bite sized pieces” is one of the eight topics in GDPRsimple.