Once you have completed your Readiness project you will have all the documentation you need to acknowledge, investigate, record and if necessary report a data breach.
A breach will occur because something has gone wrong. The simpler your processing and the higher your level of understanding what the processing is, the less likely it is that something will go wrong.
As a small business with relatively few customers, the chances of you being responsible for spilling personal data belonging to thousands of people are remote. However the chances of you losing small amounts of very precise, personal data are still there. You need to take steps to reduce the risk of a data breach and record what you did. Remember, a data breach could be as simple as losing your paper booking diary in a flood. Whether this would be a notifiable breach is another matter. You can decide for yourself using the Breach notification in your membership documentation.
For simple, paper based data processing, the mitigating actions should be equally simple. The GDPR states that methods used should be “appropriate” and “proportionate”.
For example for a paper diary based booking record system, you staple the booking record on a sheet of A4 to the relevant page in your diary. If you just leave it lying around on the kitchen table, anything could happen to it. The dog could chew it up. Yes I’m being serious. If the dog shreds your business records for future bookings, what are you going to do?
The answer might be to keep the booking diary in a locked drawer. It can be that simple.
You might also go a step further and keep a copy of your reservations in a box file in a locked drawer ow small filing cabinet in a different room. From a simple business continuity point of view, never mind GDPR, that might be sensible.
Where GDPR applies again is regarding how long you keep those records for and how you dispose of them. If you need to keep booking transaction data for accounting and tax purposes, your accountant can advise on what the retention period should be. Time is a risk factor, the longer you keep records for, the more risk they are exposed to.
Disposal should be that the record documents are at the very least shredded.
If you store your business data electronically, there are specific risks of a data breach occurring. Again, whether it is a breach worthy of raising with the ICO depends on what has happened.
Electronic records can be locked down to a point. You can use your own, password protected login to the systems involved. You can (and should) protect that login with “2 factor” authentication. You can create backup copies of your data, store it offsite and encrypt everything.
Should a breach occur with your electronic records it might be as a result of unauthorised access, from within your business or from an outside “hacker”. Or it could be as simple as an unplanned data loss caused by a failed hard drive. It could also be caused by a breach in the systems of one of your data processors.
Your data process mapping will help you to understand why and where data is used. So that should a potential breach be raised with you, you are in a position to respond in an informed, competent manner.