GDPR compliance is an investment, potentially significant for a small business, and it needs to be rationally planned.
Why Invest in GDPR Compliance?
Investing in GDPR compliance is driven by business needs rather than fear of fines. Large corporate clients, activist customers or employees, the risk of a breach, or a growing volume of data subject requests usually push companies into such an investment. Smaller businesses need to identify the parties driving their compliance efforts, prioritize them, and focus on the most critical aspects of compliance to keep costs under control.
Where Should You Invest First?
A lot can be done to comply with the GDPR, but usually much less must be done in practice, and in a certain order. The GDPR is not a black-or-white, compliant-or-not certification like many other compliance regimes. It comes with a lot of gray zones, and companies can choose the level of non-compliance risk they accept.
For example, think of a company that serves several large corporate clients as a vendor (processor). It may invest in its Data Processing Agreement, well-described security measures, automated support for handling data subject requests, an inventory of sub-processors, and evidence of employee training, because these aspects are requested by the privacy departments of its clients. It may be minimally compliant on other aspects, such as having only a basic website privacy policy or keeping coarsely aggregated entries in its records of processing activities.
Ongoing Activities
How to stay compliant?
GDPR compliance is a continuous process: after the initial setup, you will need to review and adjust it periodically, typically annually.
It also involves operational activities: managing compliance gaps and risk mitigation efforts, registering breaches, handling contract and vendor changes, and responding to requests from individuals. These activities are best supported with appropriate tools, such as PrivacyDocs.
Documentation
GDPR documents to keep
Documenting GDPR compliance and keeping compliance evidence may be more important than compliance itself. Most GDPR compliance requirements refer to documentation or to documented assessments, decisions, notices and contracts. For example, failing to inform individuals of the retention period for a processing activity makes that processing non-compliant (although it does not by itself make the processing unlawful).
Businesses are obliged to keep the reality of personal data processing in their systems and manual processes in sync with the promises, notices, policies, contracts and other documents. Individuals may check this through access requests (the 'right to know' what a company holds about them), where they may ask a company for a copy of the data it is processing in order to verify that the processing is legitimate. Companies that process personal data as vendors (acting as processors) need to grant their clients (acting as controllers) the right to audit them.
Costs
Costs of compliance
Documenting your GDPR compliance involves certain costs, mostly time. A typical cost pattern is as follows:
- Initial setup spike
- Flat compliance maintenance and improvement. Think of a dedicated employee having a GDPR day once a month.
- Preparation for changes. Think of extra GDPR work required to onboard a new vendor or introduce a new system.
- Breach response. It happens ad hoc (most breaches are not planned in advance) and varies from an hour of work to a company-wide emergency.
Most smaller companies do not focus on personal data processing as their core business. They do not require significant additional investment to stay GDPR compliant, usually at the level of several person-hours per year.
In-house or External
Everyone in the company needs a basic understanding of the GDPR, and a 1-2 hour introductory course is a must-have investment. Employees responsible for GDPR compliance would typically invest several days to gain basic operational knowledge of the GDPR. To be able to assess and evaluate compliance, an employee would need months of dedicated study and practice.
For many smaller companies, it makes sense to invest in operational knowledge of GDPR for one to two employees and not to invest in developing professional GDPR compliance expertise in-house.
Such an employee, supported by the PrivacyDocs toolkit, can perform 90% of compliance tasks or more. An external specialized GDPR consultant would then only be needed to bring confidence in the state of compliance (to review the documentation), answer questions, conduct assessments, and help with personal data breaches.
PrivacyDocs
The PrivacyDocs offering is a tool specifically targeted at companies that have someone with basic operational GDPR expertise in-house. This person, supported by the specialized PrivacyDocs toolkit and occasional help from our GDPR consultants, can ensure compliance. This setup also limits compliance costs, as external consultants tend to be more expensive than in-house staff and tend to develop GDPR compliance to a more detailed level than a small company needs.