GDPR demands that each organisation implement appropriate privacy arrangements and that it can inform all involved parties of those arrangements by publishing a privacy statement or policy. Your duty to proactively inform and to provide transparency on the personal data you use and your privacy position is one of the key requirements of GDPR. Only when those interacting with your firm are duly informed can they make an informed decision as to whether or not they are willing to enter into business with you.
Just copying and pasting a privacy statement from the internet is likely to cause more harm than good. GDPR requires your communications to be specific to the way your firm operates. Boilerplate or catch-all statements and vague or overly complex legal jargon are explicitly stated as non-compliant in the GDPR regulation.
1. Clear statement of responsibilities
SME organisations are generally not required to have a formal Data Privacy Officer (DPO) unless they are involved in the processing of personal data at a large scale. It is, however, advised for all SME organisations to have someone on point for privacy, e.g. a GDPR Coordinator. By establishing a GDPR Coordinator you give your privacy effort focus and make sure there is a knowledgeable person who can act as the single point of contact for any queries or challenges.
For each of the activities in which you process personal data, e.g. booking customer appointments, invoicing & accounting, sending out a newsletter etc., you should outline who is the data controller and who is the data processor. The data controller is the party that sets the purpose and means of the processing. The data processor is the party that processes the data in line with the instructions set by the data controller. For those processing activities you handle in-house you are likely to be both the data controller and the data processor. In other processes you could hold either role. For more information and examples on the data controller vs data processor roles, see our knowledge base item on the topic.
2. List the processes that use personal data
For each of those processes GDPR requires you to provide transparency on the process's business purpose, its GDPR legal basis, the personal data items used and how long you will retain the data. For more information on business purpose and GDPR legal basis, see the dedicated knowledge base item on it: Legal basis, what are those?
3. List the processes that share personal data
Your firm does not operate in a silo; it has suppliers and partners it collaborates with, and by doing so it shares data. You share data with your accountant, your HR benefit processor and your IT support partner, just to name a few. Equally, when you use cloud software, e.g. a CRM tool or an online reservation tool, the personal data you record on those platforms is shared with the software vendor. All these interactions are perfectly normal and GDPR does not prohibit them; it just insists you inform parties, so they can make an informed decision as to whether or not they are willing to enter into business with your firm.
So make sure to list the processes that share personal data and whom you share data with, e.g. data you share with your accountant, IT support partner etc., or through the use of cloud platforms, e.g. Facebook, Mailchimp, Stripe etc. If you share data outside the EU, you should outline how you ensure that adequate measures are in place to safeguard the security and privacy of the data. This can be a complex topic and it might not be obvious whether your data leaves the EU or not. For more information see our knowledge base item What to do if I’m not sure if the data resides in the EU?
5. GDPR Data Rights
GDPR puts all of us in control of our personal data, which is one of the great benefits of the regulation. Whenever an organisation processes our personal data, GDPR gives us a set of rights we can call upon. Each of us can exercise those rights at any time.
From the perspective of the organisation using the personal data of individuals, you need to ensure you inform individuals about their rights and at the same time implement the appropriate processes to make sure they can swiftly exercise their rights.
So make sure to list the GDPR data rights your users have and how they can exercise them. Also state how users can contact you and, if needed, raise a complaint with the relevant authority. Do note that the regulator recommends you establish a dedicated communication channel for all privacy-related matters. So avoid reusing firstname.lastname@example.org and set up a dedicated email@example.com mailbox.
We have also created a number of training videos which you might find useful, for example this video on the Essence of GDPR. The video is available in several languages.