Are you an SME or micro-business that needs to process your customers' personal data, or do you use an external provider to analyse your data? If so, you are covered by the GDPR (General Data Protection Regulation). Even if you only receive a customer's name and phone number, you are still subject to the GDPR. All that remains is to find out how to make your business compliant, as set out below.
Taking stock and properly managing the risks
To get an overview of the risks, you can keep a list of identified activities in a logbook, writing down for each one the purpose, the categories of data, who has access to the data and for how long. To do so, ask yourself the following questions:
- How is the data collected?
- How is it stored and for how long?
- How is it protected?
- What data is not relevant to the business and can be deleted?
If you consider that the processing of personal data poses a significant risk to the rights and freedoms of the persons involved, you should carry out a DPIA (Data Protection Impact Assessment).
Checking the mandatory information on the data collection medium
Individuals must be informed and must consent to the collection of their data. Each person must be notified in advance of how their data will be used and given the opportunity to approve or refuse the processing of their information. This consent must be recorded and verified. Controllers must always be able to demonstrate that they have obtained consent.
Consent is not valid if it is implicit, unverified or passive by default. Instead, it must be given by a clear and positive action. In addition, those who have consented to the collection of their data must be able to withdraw that permission without encountering any difficulties.
Protecting your data and changing your methods
To strengthen your computer systems and prevent security breaches, you need to keep your antivirus software up to date and change your passwords regularly, making them more complex by using numbers, capital letters and symbols. You should also set up backup and recovery procedures and make sure you report any attempted breach of personal data to the relevant authority.
Make the way you protect personal data visible so that customers can feel reassured and confident. This way, the credibility of the company will be strengthened. It is also important to take into account the practices for handling the data collected, the processes that produce the information and the entities that manage these operations.