EDPB publishes GDPR for small businesses guidance

The European Data Protection Board (EDPB) has published some accessible guidance aimed at small to medium-sized businesses, outlining some of the fundamentals of good data protection practice.

The guidance has arguably arrived rather late—the GDPR passed in 2016, and some small businesses have found compliance challenging. However, the EDPB’s guidance is a solid introduction to understanding data protection and meeting GDPR compliance obligations.

Understand data protection basics

The first section of the EDPB’s guidance explains the fundamentals of data protection.

What is personal data?

The EDPB explains the GDPR’s definition of “personal data” (“any information relating to an identified or identifiable individual”) and provides some examples, including:

• Names
• Phone numbers
• ID numbers
• Booking references
• Email addresses
• Location data
• Browsing history
• Purchase history
• Photos
• Video and sound recordings

The guidance distinguishes “directly identifying” personal data (e.g. a name) and “indirectly identifying” personal data (e.g. an ID number).

The EDPB also explains the concepts of “special category data” (specific types of sensitive data) and criminal conviction data.

GDPR good practices checklist

The EDPB identifies some good baseline data protection practices, such as informing people that you are processing their personal data, only collecting personal data that is necessary for a specific purpose, and ensuring that you keep personal data secure.

What does processing personal data mean?

The EDPB explains the broad concept of “processing” personal data, which means doing anything to personal data, including “collecting, recording, organizing, using, modifying, storing (or) disclosing” it.

Does the GDPR apply to your organization?

The guidance explores the broad application of the GDPR, stating that a person or organization is covered by the law if it is:

• Established in the EU or European Economic Area (EEA), or
• Established outside the EU or EEA and either:
  • Offering goods and services to people in the EU or EEA, or
  • Monitoring the behavior of people in the EU or EEA.

While the EDPB does not mention this, the GDPR also applies in the UK – for now. The UK is in the process of reforming its domestic version of the GDPR.

The key principles of the GDPR

The EDPB guidance provides a brief exploration of each of the GDPR’s principles:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

Respect individuals’ rights

The GDPR exists in part to protect the fundamental right to data protection. The EDPB guidance explores the implications of this rights-based approach for small businesses.

Which rights do individuals have under the GDPR?

The guidance provides an explanation of each of the GDPR’s “data subject rights”, namely:

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of the processing
• Right to data portability
• Rights relating to individual automated decision-making

The EDPB also provides a table that sets out which rights apply when processing personal data under each of the GDPR’s lawful bases.

Checklist of what to do concerning data subject rights

The guidance provides a checklist of basic principles around data subject rights that expands on each of the following concepts:

• Be prepared: Integrate data subject rights into your systems and workflows.
• Facilitate the exercise of rights.
• Know your data flows.
• Be transparent.
• Answer within one month.
• Pass it on: Where appropriate, inform third parties to whom you have transferred personal data that they must act on the individual’s request.
• Document: Keep track of data subject rights requests to remain accountable.

How to handle data subject rights request

The EDPB provides some tips for responding to data subject rights requests, including:

• Communicate in clear and plain language.
• Respond in writing.
• Respond within one month.
• Do not charge a fee.

Be compliant

The guidance provides some tips for small businesses to meet their GDPR compliance obligations.

Data protection by design and by default

The doctrine of “data protection by design and by default” requires controllers to build data protection into products and services from the earliest stages of development, considering:

• The nature and context of the processing.
• The risks that could result from the processing.
• The safeguards that could be implemented to ensure security and data minimization.

Obligation to keep records of data processing

The EDPB explains the basics of the GDPR’s “records of processing activities” (RoPA) obligations. Controllers and processors must document:

• The purposes of the processing.
• The categories of personal data processed.
• Any potential third-party recipients of the personal data.
• Details of any international data transfers.
• The storage period of personal data.
• The security measures in place.

Small businesses have some exceptions regarding the RoPA—organizations with fewer than 250 employees only have to document processing that is either “not occasional”, unless it involves special category data.

How to conduct a Data Protection Impact Assessment (DPIA)

The EDPB explains the circumstances under which an organization must conduct a data protection impact assessment (DPIA), and how to approach the exercise.

The guidance provides a “top DPIA tip”: check with your local data protection authority (DPA) for details of any processing that requires a mandatory DPIA.

Codes of Conduct and Certification

The guidance recommends that small businesses contact local certification bodies to check if there are any relevant GDPR codes of conduct or certification schemes to help ensure good practice in specific data processing contexts.

Secure personal data

In the final section of its GDPR for small businesses guidance, the EDPB outlines how to meet the GDPR’s security obligations.

Security: What is at stake?

The guidance explains the concept of a data breach, distinguishing between different types of breach (confidentiality, integrity, availability) and the possible adverse consequences to individuals.

The EDPB suggests some basic risk management measures, such as implementing a “risk management spreadsheet” identifying risks to servers, computers, and premises.

Organisational measures

The guidance outlines different types of organizational security measures, including training and awareness, internal policies, and confidentiality agreements.

Technical measures

The EDPB explains the various technical security measures a small business can take to protect personal data, broadly:

• Securing “equipment” such as hardware, software, networks, and premises.
• Securing workstations, for example via automatic lockouts, firewalls, and regular patching.

The guidance also covers various security techniques mentioned in the GDPR, such as pseudonymization, encryption, and anonymization.

Specific situations

The EDPB identifies data protection risks that might arise in two specific contexts: “teleworking” (remote work) and BYOD (bring-your-own-device), suggesting security practices such as using a virtual private network (VPN) or implementing multi-factor authentication (MFA).