How does GDPR compliance differ for large and small businesses?
Datatilsynet has just launched a "GDPR universe for small businesses", but what is actually the difference between being a large or a small business when it comes to complying with the rules of the GDPR?
The guide consists of 7 points overall: GDPR universe for small businesses (datatilsynet.dk)
- Step 1: Create an overview
- Step 2: Ask yourself “why?”
- Step 3: Remember to delete
- Step 4: State that you are processing personal data
- Step 5: Make sure you have good procedures
- Step 6: Remember security
- Step 7: You are also responsible when you share
If you have mastered the 7 points, you are ready for e.g. an inspection or a customer inquiry regarding GDPR. This conclusion applies whether you are a large or a small business.
Two key elements can be highlighted that make GDPR compliance different for large and small companies, and that make it "easier" for small companies to comply:
- Complexity/fragmentation in work processes,
- Understanding and acceptance of "wrong" assessments.
Complexity/fragmentation in work processes
The larger the scale, the greater the complexity. That is often how things are, or at least how they "look". Mapping and operating a compliance program in a large company therefore requires proportionately more resources, because the necessary knowledge about the data flows in the company's many IT solutions and business processes is spread across many different employees.
In a smaller company the processes are usually more manageable, and there will typically be one person who can describe all the relevant data flows and processes. This makes GDPR compliance easier for smaller companies.
Understanding and acceptance of "wrong" assessments
It is Datatilsynet's explicit position that an honest effort to comply with the data protection rules counts positively in its assessment. Note that a large company with lawyers on staff is more likely to make correct assessments in the first place.
If you, as a small business, can show that you have made an honest effort to follow the rules, an incorrect assessment will in all likelihood not be sanctioned with a fine. The opposite may be the case if you have deliberately disregarded the rules. Our recommendation is therefore that you at least make an honest effort.
How small businesses comply with GDPR
Most importantly: it is a manageable task!
Acquire an IT solution designed to manage and keep an overview of the 7 steps above (a compliance system). Such a solution can be obtained for between DKK 500 and DKK 1,000 per month. Then appoint an employee, possibly yourself, as responsible for carrying out GDPR-related tasks.
The compliance system is designed to help you map and document relevant information about the processing of personal data. As a small business, it shouldn't take long to create an overview of the processing activities.
In connection with the mapping, various assessments must be made, e.g. of the legal basis for processing, the risks associated with the processing activity and the deletion rules. Make your best assessment, write down your considerations, and then stop there. Don't get hung up on the details; use your common sense instead.
Once the initial work is done, there is an ongoing task of keeping descriptions and assessments up to date and of actually complying with the "rules" defined during the mapping, e.g. on deletion. For this purpose it is advisable to draw up internal procedures and controls that ensure ongoing compliance and that, in the event of major changes in data flows (e.g. the purchase of a new HR or CRM system or the introduction of new marketing channels), the information in the compliance system is updated.
Wrapping up
This post has tried to de-dramatize GDPR compliance for small businesses: it is not a huge and unmanageable task. If you have made an honest effort to comply with the 7 points above, you need not "fear" inquiries from Datatilsynet, customers or business partners about GDPR.