You’ve probably heard of the General Data Protection Regulation, or GDPR. But does your business meet the compliance requirements?
If you think it doesn’t, you’re in good company.
GDPR became law on 25 May 2018. But, over nine months later, only 29 percent of EU-based businesses are fully compliant. And this despite the majority being aware of the law and its implications (and yes, those implications include the risk of fines).
More importantly, while you might think GDPR doesn’t apply to you if you’re US-based, this isn’t necessarily the case. If people located in the EU can access your website, GDPR applies.
With this in mind, here’s a look at GDPR’s most important principles and what they mean for your small business. We’ll also walk you through the steps you need to take to get on the road to GDPR compliance.
What is GDPR and what does it mean for small businesses?
GDPR standardizes data protection laws across the EU and attempts to bring them in line with current technology. More importantly, it aims to:
- Protect individuals’ privacy
- Give them more control over their personal data
- Prevent businesses from gathering personal data without permission or another lawful reason
- Punish businesses that misuse personal data
If you’re a small business — well, any size business, for that matter — GDPR means you’ve got a whole new set of legal duties to comply with.
For starters, the law gives individuals the right to ask businesses to:
- Confirm what personal data they hold about them
- Explain where that data is being stored and for what purposes
- Provide them with an electronic copy of the data, free of charge
- Stop sharing the data, make sure third parties stop using it and delete the data. This is called the right to be forgotten
More importantly, GDPR creates ‘privacy by design’. This means that:
- Businesses have to collect the least amount of personal data necessary for their purpose. Have a contact form on your website? If a person’s name and email address are enough to contact them, your form shouldn’t collect information about their age, body type or gender.
- Unless you have other lawful grounds to process data, you need the person’s express and specific consent. You can’t add a person to your mailing list just because they gave you their business card. They have to specifically agree to be on the mailing list.
Which business does GDPR apply to?
GDPR applies whenever a business collects or tracks the personal data of an individual who is physically located in the EU.
The law defines personal data as “any information relating to an identified or identifiable natural person.” In other words, data is personal data — and, so, protected by GDPR — if it can be used to reveal an individual’s identity. This includes:
- Personal information such as name, age, date of birth, country of birth and country of residence
- Photos or videos
- Documents and forms
- An IP address or specific website settings
More to the point, the law covers both online and offline collection and tracking. So, GDPR applies equally whether you use CCTV to monitor your office or Google Analytics to gather data on who visits your website.
The European Data Protection Board has stressed that the person’s nationality and status are irrelevant. If the person was physically present in the EU when their personal data was collected or tracked, GDPR applies. It doesn’t matter if the person is an EU citizen, an EU resident or simply a tourist.
More importantly, a business doesn’t have to be physically present in the EU for GDPR to apply. If people can access your website from the EU, that’s enough. You’ll have to comply with GDPR’s requirements.
Falling foul of GDPR can result in hefty penalties. Your business could get fined the greater of 4% of your annual turnover or €20 million (about $23 million) if you’re in breach.
Are small businesses and sole traders exempt from GDPR?
No, they aren’t. GDPR applies whenever a business collects personal data from a person located in the EU. This holds true whether you’re a one-person operation or have offices on six continents.
That said, you don’t have to keep a written record of your data processing activities if you have fewer than 250 employees, unless:
- Your data processing activities could affect individuals’ rights and freedoms
- You process data covered by GDPR article 9. This is data that reveals an individual’s:
  - Race or ethnicity
  - Political, religious or philosophical beliefs
  - Trade union membership
  - Genetic or biometric data, or data about the person’s health or sexuality
- You process personal data covered by article 10, that is data relating to criminal offences and convictions
- You process personal data on a regular basis
Many small businesses and sole traders won’t meet the first three conditions. But what about the fourth one? The Belgian Privacy Commission has suggested that not all data processing is “regular”, even if you do it daily. Under this interpretation, you needn’t keep records of personal data you use for placing orders or communicating with clients, for instance. But a position paper by the Article 29 Working Party — the European Data Protection Board’s predecessor — seems to suggest you should interpret “regular” literally, and the European Data Protection Board has agreed. Because the position is so unclear, it’s a good idea to keep records even if you think you’re exempt. Better safe than sorry.
Does GDPR apply to US companies? How does it affect them?
Yes. GDPR applies to US companies if they:
- Do business in the EU
- Don’t do business in the EU, but collect or track personal data belonging to people who are physically located in the EU (this includes people who are travelling in the EU but don’t normally live there). You may be doing this without even realizing it. For example, if your website’s cookies could be used to identify an individual, they count as personal data under GDPR
If either applies to you, you have two options:
- Comply with GDPR anyway
- Restrict access to your website, so it can’t collect personal data from people located in the EU
How do I comply with GDPR as a small business?
Putting your small business on the road to GDPR compliance isn’t as difficult as you might think. Here’s a GDPR compliance checklist to start you off.
1. What personal data do you collect?
You should know what personal information you collect and whether any of it is sensitive, that is whether it falls under the categories in GDPR articles 9 and 10. You should also ask yourself:
- Where is the information coming from?
- Why are you collecting it?
- What are you doing with it?
2. Do you have consent?
Unless you have other lawful grounds to use personal data, individuals must give their consent, and that consent must be freely given. You should also:
- Keep a written record of people’s names and the personal data you hold on them
- Record their consent, specifying what they’ve agreed you may use their data for (for instance, to receive your monthly newsletter)
- Give people an easy way to withdraw their consent should they change their mind (for instance, through a one-click “unsubscribe” link)
3. Is the data safe?
Your business is responsible for the personal data you collect, and you risk getting fined if it falls into the wrong hands. So:
- Use encryption software when storing or transmitting personal data online
- Secure your network. Careless employees are the leading cause of data breaches, so a solid IT policy is a must. You should also invest in security software, including a firewall
- Check your suppliers for GDPR compliance
4. What if there’s a serious breach?
You have to report serious breaches to the regulator within 72 hours, or risk being fined. Make sure you have reporting procedures in place. And, more importantly, train your employees to:
- Be aware
- Understand what a serious breach is
- Recognize red flags