The European Union’s General Data Protection Regulation (GDPR) has just been officially implemented, and it has certainly made huge waves throughout Europe and the rest of the world when it comes to data privacy and information security. However, the GDPR appears to go beyond privacy issues, and may in fact affect businesses all throughout the world. How is the GDPR going to affect small businesses?
GDPR, EU, And Small Businesses: The Bare Basics
For small businesses with dealings in the EU, one might think complying with GDPR regulations shouldn’t be at the top of their to-do lists. After all, with a policy as large as the GDPR, it should only apply to large businesses and conglomerates that conduct business overseas, right? Surely a small business with fewer than 250 employees shouldn’t be affected at all, right?
Not exactly: the GDPR was designed to be one of the largest and most far-reaching data privacy laws in the world. All businesses with dealings in the EU should be GDPR-compliant, especially since enforcement began on May 25, 2018. This applies to all companies that handle the consumer data of EU citizens, regardless of the country the company is based in, regardless of its industry, and regardless of its size.
The GDPR was originally proposed in 2012 to make sure consistent data privacy laws are created across EU member states. For the curious, provisions of the GDPR specifically state that:
- Anyone – even third-party entities – involved in processing data that involves EU consumers can be found liable for privacy breaches.
- When a person specifies that they don’t want their data to be processed, said data must be deleted immediately.
- A data protection officer must be appointed for all companies that collect and process sensitive or personal data on a large scale.
- If a company or organization detects a breach, they are to notify national authorities immediately – within 72 hours – especially if it’s a serious data breach.
- Parental consent is required for children under a yet-to-be-specified age group when using social media apps.
- Individuals now have a right to something called data portability, which allows them to transfer their data much more easily between different devices.
Bracing Ourselves For GDPR
Perhaps what’s most interesting about the GDPR is that its compliance requirements apply even to small businesses. Regardless of your country of origin, if you plan on making your business ready for EU audiences, you should prepare your small business for the GDPR. Here’s what you need to do:
- Understand just what sorts of data will be handled by your business: Before you venture into GDPR compliance, work out what kind of data your business is handling in the first place. Check whether or not the data you want to handle is considered sensitive, and if it is, how you will use it, how long it will be stored, where it will be stored, and what your proposed security measures are. Data such as banking details, health history, email addresses, and names all have their own data “levels,” so you need to be careful when handling them.
- Recheck your security measures and make sure they are GDPR-compliant: Whether you still have to draw up security policies and measures or already have them in place, make sure your security measures follow practices that are GDPR-compliant. It’s recommended you start relying on encryption, as it can help your business avoid fines should there be a data breach.
- Anticipate data access requests and notices for fair processing: The GDPR requires companies to ensure customers have the right to access their data, to have inaccurate data corrected, and to object to the processing of their data. They also have the right to ask for their data to be deleted. These requests must be processed and completed within a specified time frame. It’s best you study fair processing notices in order to help customers understand what kind of data is accessed.
- Make sure your consent process is transparent, specific, and clear: Your customers should be able to choose whether they want to be on your mailing list and even control exactly how you’re allowed to use their data. The GDPR stipulates that consent requests should be on separate forms, distinct from your terms and conditions. These forms should also have a positive opt-in where users actively approve their inclusion in the mailing list. Moreover, you’re not allowed to use the data unless users were specifically informed about what is going to be done with it.