I'm an employed consultant, but I also have a side business in Sweden where I'm the sole owner of a film production company. This is the reason why I have to solve how to handle GDPR for myself, and not only for larger clients.
What I found out recently is that knowledge about GDPR in smaller companies is more or less non-existent, and some of the industry associations are not so well informed about the consequences of the new legislation either.
As a small business owner, the responsibility is yours, just as it is for the CEO of a larger company, if you collect sensitive personal data.
To solve my own issues with GDPR, I take an enterprise architecture approach and define four different business use-cases as a starting point for the preparations. The question is how you should act in each of these four cases after GDPR is in place in May 2018.
The four different business use cases are described in the sections below.
What I have to do is find out how the legislation impacts my workflow and my storage of personal information in each case. Does it sound familiar?
Business use-case for street photographer
You have a professional business and a large number of photographs taken at a Pride festival in Stockholm (a public place). Since people can be identified, and Pride is about sexual orientation and opinions about it, I think the images can be considered sensitive personal data.
Business use-case for wedding photography
You are a professional photographer, and a year ago you had an assignment to photograph a wedding.
Now the groom comes and says he wants all the pictures from the wedding, referring to the right to data portability in GDPR.
Two days later a very upset bride arrives and says that they are getting divorced, and that she wants all the pictures from the wedding erased, citing the right to be forgotten in GDPR.
Business use-case for an employed professional photographer
You photograph mothers and children as a hobby, and you invoice through a company that pays your salary.
One day you receive an email from someone who tells you that he copied your entire image archive in a security breach at your home, and threatens to publish all the images online if you do not pay a ransom. He has also sent some pictures of minors you've taken, to show you that he is serious.
Business use-case as a film producer
You own a production company that is producing a feature film. You have both employees and hired self-employed persons from several Nordic countries.
Now the financiers of the movie want to know how you make sure you follow GDPR, so that there are no unpleasant surprises that could delay the movie or increase its cost, and in the worst case prevent its distribution.