Many EU SMEs think that the new General Data Protection Regulation, commonly known as the GDPR, doesn’t apply to them or that they can avoid complying with it. Other SMEs want to comply but don’t know where to begin. The GDPR went into effect on May 25, 2018 and has a broader scope than any privacy and data protection law that came before it. EU SMEs (including those in the U.K.) who fall into either of those categories should keep reading. And if you are based in a few other locations (Canada, Australia, Hong Kong, the United States), you should keep reading as well!
What is GDPR?
The GDPR applies to SMEs if they:
- Are established in Europe (established includes operating a website in a language of a European country other than English, having a representative (an employee, branch or subsidiary) located in Europe, and/or having equipment (computers used by the employee, or a local address for delivery of post) located in Europe)
- Offer goods or services to citizens in Europe (for example, in the language (other than English) or currency of a European country, or by referencing European customers in your publications)
- Monitor the behavior of individuals in Europe (monitor includes tracking European individuals on the Internet in order to create a profile or analyse preferences)
If the GDPR applies to an SME, it is unlikely to be able to avoid complying with the GDPR (as it may have avoided complying with the previous law, known as the EU Directive), because the GDPR gives individuals new rights. Now that the GDPR is in effect, individuals have the right:
- To be informed (e.g. told what data about them are collected and how their personal data are used)
- Of access to their personal data
- To rectification if their personal data are inaccurate or incomplete
- Of erasure of personal data when certain grounds apply
- To restrict processing of personal data when certain grounds apply
- To data portability when processing is based on consent or contract and is carried out by automated means
- To object to processing of personal data concerning them under certain circumstances
- Not to be subject to automated decision-making, including profiling, unless an exception applies
The GDPR also gives individuals additional remedies if their rights have been violated (the right to lodge a complaint with a supervisory authority, the right to compensation even for immaterial infringement of the GDPR, and the ability to bring claims for non-pecuniary loss through group or “class” actions). Put another way: individuals have new and established rights that they can exercise, and you as an SME must implement the protections delineated in the regulation to protect individuals. There are heavy penalties, both monetary and reputational, for your organization if you do not.
What if GDPR applies to you?
If the GDPR applies to you, then your customers and employees are going to start exercising these rights as they become more aware of them, if they have not already. If you haven’t gotten ready for the GDPR, then you are risking losing business, hurting your ability to obtain further investment or loans, and tarnishing your brand and reputation, and your customers and employees might start complaining.
For SMEs who want to comply but don’t know where to begin, there is a solution – look at GDPRsimple, a SaaS tool designed especially for SMEs. The GDPR “is arguably the most complex piece of regulation” the EU has ever produced (The Economist, 5/4/18). Like tax software, GDPRsimple helps SMEs implement a complex regulation and demonstrate their implementation (to customers, regulators, investors, staff, and others). GDPRsimple provides Document Generators (documents with instructions) and My Documents Library (storage for the documents). Document Generators help SMEs implement the GDPR, and My Documents Library helps SMEs demonstrate their implementation.
GDPRsimple makes it easier to implement the GDPR, costs you less, organises your documents and reminds you to update:
- GDPRsimple makes it easier by working with SMEs to:
- Simplify the GDPR implementation process through Document Generators
- Simplify demonstration of GDPR implementation through My Documents Library
- GDPRsimple costs less than employing your own expert or hiring an attorney or a consultant. GDPRsimple has extracted what to do from the GDPR’s 204 pages and has interpreted guidance and materials from professionals, so you have the essential information to implement the GDPR and demonstrate your compliance.
- GDPRsimple provides My Documents Library, a secure document repository that stores and provides easy access to Documents you have generated and uploaded. My Documents Library makes it simple for you to demonstrate your implementation of the GDPR.
- Based on our founder’s deep understanding of the GDPR, GDPRsimple reminds you of activities you may need to take, such as updates to Documents generated. You can also create your own customised reminders.
What does it mean to implement the GDPR and demonstrate implementation of the GDPR? GDPRsimple has identified eight major areas of the GDPR which need implementation, known as pathways in GDPRsimple:
- Record of Processing
- Legal Basis to Process
- Individual Rights
- Data Breaches
- High-Risk Processing
- International Transfers
These pathways are implemented through different kinds of Document Generators, such as notices, assessments, policies, and logs. Resource materials are available to assist, if necessary. Once a Document has been completed, it is stored in My Documents Library for easy reference and for provision to investors, regulators, and auditors as requested.
The exercise of completing the Document Generators assists an SME in determining what it needs to do to implement the GDPR, and the completion of a particular Document Generator demonstrates that the organisation has implemented that particular part of the GDPR. In going through this process, an organisation is fulfilling its responsibility under the GDPR to be an accountable organisation, and demonstrating that it is one. Accountability emphasises showing how organisational responsibility is exercised and making this exercise verifiable. An SME that utilises GDPRsimple also engages in good governance. The GDPR gives individuals more control over their personal data. SMEs that implement the GDPR become more responsible organisations and are able to demonstrate their efforts to be more responsible.
GDPRsimple is different from other GDPR SaaS products in the marketplace. Currently, the market is heavy on resources: information provided by regulators and by consultants, lawyers and technologists. These resources lack Document Generators to implement the GDPR’s requirements and demonstrate this implementation. Also, current products in the market are either tech-heavy (built by engineers without privacy and data protection backgrounds) or specialise in one element of the GDPR (consent or privacy notices). GDPRsimple is focused on implementation and demonstration of implementation, and utilises Document Generators.
How to bring your organization into compliance
You may be asking what simplifying the GDPR means for your organization. We at GDPRsimple believe it means the following:
- What steps to take: Our Generators walk you through the steps you need to take to implement the GDPR. Building upon decades of privacy and data protection experience, we distilled the regulation and the regulators’ guidance into a format that is actionable.
- Resources: We layered on resource and reference materials. The GDPR is incredibly complex to understand, so we provide you with:
- Definitions for words and phrases that may not be familiar to you.
- Reference guides that teach you and your employees about the GDPR.
- External reference materials that are collected from the regulators themselves, so that you know what the actual regulation states and how it has been interpreted.
- Reminders and prompts: Resources and information you give us are used to prompt and pre-fill information. We set and allow you to set reminders for when you need to address an item in the future.
Implementation of this new privacy and data protection regulation is hard. We work with you to simplify an incredibly arduous task – similar to how you may feel about doing your taxes. Subscribe to GDPRsimple to make this task easier.