You’ve done it; you’ve taken the plunge. You have left the corporate sphere behind and started your own small business. A new world awaits, full of potential, but there are also pitfalls waiting around the corner. A business plan and financing are just the start of the journey. Once your business is set up and (hopefully) attracting customers, there are several things to bear in mind. In our digital age, chief among these is the customer data you collect and process.
Online privacy is a timely issue, with corporate giants such as British Airways and McDonald’s suffering data breaches and, as a result, being accused of carelessness with their customers’ personal data. A small business is unlikely to encounter incidents on the same scale as these world-renowned companies, but big or small, any amount of customer data must be protected, and small businesses can be punished for breaching the regulations.
A Hastings-based UK business, ColourCoat Ltd, was fined £130,000 in June 2021 after making large numbers of unsolicited marketing calls using people’s contact details. The framework that businesses must adhere to is the General Data Protection Regulation, or GDPR. A small business owner can use a Data Protection Impact Assessment (DPIA) to identify the risks in their processing and to demonstrate compliance.
What is GDPR?
The European Union’s GDPR came into force in May 2018 to regulate how organisations process the personal data of EU residents, including the requirement to keep that data secure. Since the United Kingdom left the EU, a UK-specific version (the UK GDPR) has been in force; it closely mirrors the EU regulation. It is easy for small business owners to become overwhelmed by these regulations, but you must follow them.
According to gdpr-info.eu, the maximum penalty for breaching GDPR is 4% of annual global turnover or 20 million euros, whichever is higher. With potentially ruinous financial penalties for your business, you and your employees must know what data needs to be protected and how to do so. This is where a DPIA comes in: it assesses when, where, how and why customers’ data is being processed, and what could go wrong.
What is a DPIA?
The Information Commissioner’s Office (ICO) is the UK regulator responsible for enforcing the UK GDPR. In their own words:
“A DPIA is a way for you to systematically and comprehensively analyze your processing and help you identify and minimize data protection risks. DPIAs should consider compliance risks but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or society, whether physical, material, or non-material. DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.”
You must perform a DPIA if your business carries out processing that is “likely to result in a high risk to the rights and freedoms of individuals.” This wording can look circular, since finding out whether the risk is high is itself part of what a DPIA does. In practice, the ICO publishes screening criteria (for example, processing special category data, tracking individuals, or using new technologies), and the first step is to check your processing against them. The assessment then breaks down into two questions: how likely is it that the way your business processes data could lead to a breach or misuse, and how severe would the consequences be for the individuals involved if it did?
Do I Need to Perform a DPIA?
Businesses, by their very definition, involve financial transactions. The financial data of customers is sensitive and potentially damaging if breached. This is most obvious for large sums of money, such as mortgage applications, but it also applies to a small business if any form of credit check is carried out when dealing with customers.
Similarly, if your business handles sensitive personal information, known under GDPR as special category data, such as sexual orientation, racial or ethnic origin, or health data (common in medical businesses and wearable technologies), a DPIA is required. A DPIA is also strongly recommended if your business tracks potential customers’ physical location or browsing history.
Several recent cases show how companies, councils and charities have failed to keep data safe. Hackney Council inadvertently shared the details and addresses of vulnerable women and children living in hostels, clearly putting them at risk. Mermaids, a charity supporting transgender youth, failed to keep its users’ data secure, having neither performed a DPIA nor trained its employees in GDPR. Despite being a small charity with fewer than 20 employees, Mermaids was fined £25,000. The size of your organisation is therefore largely irrelevant: even a small venture run from home is at risk of enforcement action if a DPIA is needed and has not been done.
Complying with GDPR Using a DPIA
Once you have decided that a DPIA is necessary, there are several steps to take, as recommended by the ICO. First, describe the “nature, scope, context, and purposes” of the processing: what data is collected, how sensitive it is, where it comes from, who it is shared with, how long it is kept, and why it is needed. Under GDPR, customers have the right to access their data, so you need to know exactly what you hold and where. You must also be able to justify the necessity and proportionality of the data your business uses.
Next, identify the risks that already exist within your company and, if the data were breached, how this would affect the people concerned. For marginalised people, for example, the mere disclosure of their identity may put them in immediate danger. Finally, record the measures you will take to reduce those risks; these may include training staff, restricting who can access the data, and limiting collection to the information you actually need. A DPIA does not have to be a lengthy or costly process, but it must be rigorous and thorough if it is to keep your small business on the right side of GDPR.