GDPR for Small Business Owners: What You Need to Know about Data Privacy
It’s been a couple of months since the infamous European Union regulation, GDPR, went into effect. At the time, the implementation of GDPR was a hot topic of debate and analysis throughout the business world. In recent months, however, GDPR has been out of the spotlight, but that doesn’t mean it’s gone away.
This week, Nieman Lab reported that more than 1,000 U.S.-based news sites are still blocked for visitors in Europe because their publishers have not brought them into compliance with GDPR. Businesses large and small, in every industry and anywhere in the world, may be subject to the regulation too.
What is GDPR, Anyway?
The General Data Protection Regulation (GDPR) is an EU-wide data protection regulation adopted in April 2016 that became enforceable on May 25, 2018. It replaced the 1995 Data Protection Directive and, as a regulation, applies directly in every member state rather than through separate national transpositions, making it the most sweeping privacy law to date.
Although GDPR is an EU regulation, its reach extends well beyond Europe's borders. It applies to organizations established in the EU and also to organizations outside the EU that offer goods or services to people in the EU (paid or free) or monitor their behavior there (Article 3).
Who is Subject to GDPR?
In general, a company anywhere in the world is subject to GDPR if it has employees or customers in Europe. More specifically, the regulation applies to anyone who processes personal data of people located within the EU, regardless of where the company itself sits. If this seems incredibly broad, that's because it is. GDPR applies to any company involved in processing or using this data: the companies using data in their own business practices, third-party entities that process it on their behalf, and even companies that simply send e-newsletters to subscribers in Europe.
Keep reading if your U.S. company is currently (or may in the future be) involved in
- E-commerce that ships to Europe
- Hiring freelancers who are based in Europe
- Sending e-newsletters with company updates and offers
- Relationships with third-party vendors based in Europe
What Does GDPR Require Companies to Do?
Safeguard Customer Data
At its broadest, GDPR requires companies to safeguard consumer data. Of course, the specifics of the regulation are far more complex. Among other protections, GDPR requires that companies
- Allow customers to view their data, make changes to their information, and delete stored data
- Make data policies transparent and understandable to the average consumer
- Notify the national supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected (Article 33); when the risk is high, the affected individuals must be told as well (Article 34)
- Appoint a Data Protection Officer (DPO) where the company's core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37)
“Personal Data” Under GDPR
Under GDPR, the personal data that must be protected is defined very broadly. "Personal data" is any information relating to an identified or identifiable natural person (the "data subject"). This includes obvious identifiers such as name, identification number, postal address, location data, online identifiers such as IP addresses and cookie IDs, and usernames. It also covers less obvious information that can be tied to a person: physical descriptions and physiological, genetic, health, economic, cultural, racial, or social characteristics. Data that is pseudonymized but can still be linked back to a person with additional information remains personal data; only data that is truly anonymized falls outside the regulation.
Special Categories of Data
Some companies handle especially sensitive data in the regular course of business, and GDPR's rules vary depending on the data in question. Companies that handle the special categories of data listed in Article 9 (for example health, genetic or biometric data, and data revealing racial or ethnic origin, religious beliefs, trade union membership, or sexual orientation), children's data, or data about criminal convictions face stricter conditions, such as needing explicit consent or another narrow legal ground, and should consult an attorney.
Controllers v. Processors of Data
GDPR refers to two kinds of companies: the controller and the processor. A controller determines the purposes and means of processing data and is responsible for ensuring that any third-party processors it uses comply with GDPR. If your company is a controller, take a look at the Controller's Checklist put together by the UK's Information Commissioner's Office. A processor processes personal data on behalf of a controller. These are often third-party companies that store personal data or run processing activities for the controller. Although processors do not decide the ultimate use of the data, GDPR places direct obligations on them too: they must act only on the controller's documented instructions, implement appropriate security measures, and notify the controller of a breach without undue delay, and they can be fined and sued for failing to do so. To bring a processor into compliance with GDPR, use the Processor's Checklist.
So What? Why Should I Worry about GDPR?
Some laws are aspirational and have no real enforcement mechanism. GDPR is not one of them. The most serious violations (whether knowing or the result of an accidental oversight) can be fined up to €20 million or 4% of the company's total worldwide annual turnover for the preceding year, whichever is higher. A lower tier of up to €10 million or 2% applies to violations such as inadequate security measures, failing to notify a breach, or failing to keep the required records (Article 83).
Don't panic yet! It is generally expected that early enforcement will focus on larger companies, and Article 83 requires regulators to weigh factors such as the nature and duration of the violation, whether it was negligent or intentional, the measures taken to mitigate harm, and the degree of cooperation with the authority when setting any fine. A documented, good-faith compliance effort therefore counts in your favor, so keep a record of every step you take to comply with GDPR.
However, there are reasons to bring your company into compliance with GDPR even if the immediate threat of serious fines is somewhat lower for smaller companies. Handling customers' information responsibly makes good business sense. Being transparent about your privacy policies and communicating changes to customers can improve your business's reputation and enhance consumer confidence. It is also likely that GDPR is the future of data privacy. As breaches continue to occur and more and more businesses move into the virtual space, US regulation is likely to follow the same path. You might as well be ahead of the curve!
How Can I Get My Small Business into Compliance with GDPR?
GDPR is such a complex set of rules that it has sparked an industry of consultants who work with companies to bring them into compliance. However, they can be incredibly expensive, and they may not be necessary if your company handles relatively small amounts of data and is not regularly conducting business in Europe. There are relatively simple changes you can make to bring your small business into compliance.
STEP 1: Does your organization have fewer than 250 employees?
The GDPR broadly expects all small and medium-sized enterprises (SMEs) to comply in full with the Regulation, but it makes some exceptions for organizations that have fewer than 250 employees.
For example, Article 30 of the Regulation states that an organization with fewer than 250 employees is not required to maintain a record of the processing activities under its responsibility, unless "the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences". Note that a standing customer database or a regular mailing list is not "occasional" processing, so many small businesses will still need to keep the record.
STEP 2: What Data Does Your Company Control?
First, take a look at what kind of information your company collects and controls. Do you have
- Email Addresses
- Bank Details
- Health History
Take stock of what information you currently have stored about your customers and what information you are actively collecting about customers during the course of business.
STEP 3: Where and How is Data Stored?
Where is this information stored? Do you still use it? When you collect data, is it for a specified and legitimate business purpose? A good rule of thumb is, if you have customers’ private data and you aren’t using it for a valid business purpose, go ahead and delete it. If you do use the data you store (for example, if you keep an email subscription list or store repeat customers’ addresses), make note of how and why you store this information.
STEP 4: Review Your Data Processing Procedure
Take a look at how you process data. Do you engage a third-party processor, such as a payment provider, a mailing-list service, or a cloud host? If so, GDPR requires a written contract that binds the processor to act only on your instructions, keep the data secure, help you meet your own obligations, and delete or return the data when the service ends (Article 28). Review the processor's policies and make sure that its processing is lawful, fair, and transparent. Data should be used in a way that offers adequate security, ensures accuracy, and keeps identifying information only for as long as is necessary for the purposes of processing.
STEP 5: Create and Implement a Data Collection and Protection Policy
All companies, whether GDPR applies or not, should have a data collection and protection policy. This policy should detail
- What kinds of personal information are collected
- For what purpose information is collected
- Where and how personal data is stored
- How long personal data is stored
- Measures taken to delete or render data non-identifiable
- Relationships with third-party processors and the responsibilities held by the processor and the controller
Once a data policy has been developed, it should be made available to all customers on your company’s website and upon request.
STEP 6: Develop a Consent Policy
A consent policy should be separate from the data collection and protection policy and should be separately displayed on your company's website. Consent is only one of several lawful bases for processing under GDPR (fulfilling a contract, such as shipping an order the customer placed, is another), but when you rely on it, consent must be freely given, specific, informed, and unambiguous, and it must be given by a clear affirmative action. This means that a consent request cannot simply be wrapped into other terms and conditions, that pre-ticked boxes and inactivity do not count, and that customers must actively tick a box or click "Yes" or "Agree" for each distinct purpose. You must also be able to demonstrate that consent was given, so keep a record of who consented, when, how, and what they were told at the time (Article 7).
If you use a mailing list or send electronic communications, make sure that customers can choose whether to be on the list and can control how your company uses their contact information. Under GDPR, opting into a mailing list does not give the company permission to use the customer's data for any other purpose unless that purpose was clearly outlined. Every communication should make it clear how to withdraw consent or unsubscribe, and withdrawing must be as easy as consenting was (Article 7(3)). Consent should be reviewed regularly; you can schedule periodic checks with subscribers to confirm that they still wish to remain on your mailing list.
STEP 7: Prepare for Data Access Requests and Train all Employees
GDPR provides that customers have the right to access their data, have it corrected, object to its processing, receive a copy in a portable format, and have it erased from a company's database, subject to limited exceptions such as records you are legally required to keep. Requests must normally be answered within one month of receipt, extendable by up to two further months for complex or numerous requests, and in most cases free of charge (Article 12). Before acting on a request, verify that the requester is actually the person whose data it is, so that the access process does not itself become a way to leak someone's information. It is recommended that you train all employees on your data collection and protection policy as well as your consent policy, so that they recognize a request when it arrives and know how to route and respond to it.
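As an added illustration of Steps 6 and 7 (example code written for this article, not something the regulation or the author prescribes), the sketch below keeps a per-purpose consent ledger for a hypothetical small web shop. It refuses "consent" that was pre-ticked, bundled into the terms, or never actively given; treats consent for one purpose as useless for any other; makes withdrawal a single unconditional call; exports what is held for an access request; erases a record while keeping only a hash so a later import cannot quietly re-add the person; flags consents old enough to re-confirm; and computes the one-month (or extended three-month) response deadline. The purpose names, the `ConsentLedger` class, and the sample e-mail addresses used in the checks are assumptions for illustration.

```python
"""Consent ledger and data-subject request handling for a small web shop.
Added example, not from the original article; all names and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import Optional

# Each processing purpose is consented to on its own (purpose limitation).
PURPOSES = {"newsletter", "order_fulfilment", "marketing_profiling"}

class ConsentError(ValueError): pass

@dataclass
class ConsentRecord:
    purpose: str
    given_at: datetime
    evidence: str                       # what the person saw and did, e.g. form id and version
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None

@dataclass
class Subject:
    email: str
    name: str
    consents: list = field(default_factory=list)

class ConsentLedger:
    def __init__(self) -> None:
        self.subjects: dict = {}
        self.suppressed: set = set()    # hashes of erased e-mails so an import cannot re-add them

    def register(self, email: str, name: str) -> Subject:
        if sha256(email.strip().lower().encode()).hexdigest() in self.suppressed:
            raise ConsentError("subject asked for erasure earlier; do not re-add")
        return self.subjects.setdefault(email, Subject(email, name))

    def record_consent(self, email: str, purpose: str, *, ticked: bool, evidence: str,
                       prechecked: bool = False, bundled_with_terms: bool = False,
                       at: Optional[datetime] = None) -> ConsentRecord:
        """Store consent only if it was a clear affirmative act for this one purpose."""
        if purpose not in PURPOSES:
            raise ConsentError(f"unknown purpose {purpose!r}")
        if not ticked or prechecked or bundled_with_terms:
            # Silence, pre-ticked boxes and "I accept the T&Cs" are not consent.
            raise ConsentError("consent must be unbundled, opt-in and unambiguous")
        rec = ConsentRecord(purpose, at or datetime.now(timezone.utc), evidence)
        self.subjects[email].consents.append(rec)
        return rec

    def withdraw(self, email: str, purpose: str, at: Optional[datetime] = None) -> int:
        """One call, no conditions: withdrawing must be as easy as consenting."""
        n = 0
        for c in self.subjects[email].consents:
            if c.purpose == purpose and c.active():
                c.withdrawn_at = at or datetime.now(timezone.utc)
                n += 1
        return n

    def may_process(self, email: str, purpose: str) -> bool:
        """Consent for one purpose never covers another."""
        s = self.subjects.get(email)
        return s is not None and any(c.purpose == purpose and c.active() for c in s.consents)

    def access_request(self, email: str) -> dict:
        """Article 15 export: what is held, for which purposes, and the consent history."""
        s = self.subjects[email]
        return {"email": s.email, "name": s.name,
                "consents": [{"purpose": c.purpose, "given_at": c.given_at.isoformat(),
                              "evidence": c.evidence,
                              "withdrawn_at": c.withdrawn_at.isoformat() if c.withdrawn_at else None}
                             for c in s.consents]}

    def erase(self, email: str) -> bool:
        """Article 17: delete the record, keeping only a hash so the person stays erased."""
        if email not in self.subjects:
            return False
        del self.subjects[email]
        self.suppressed.add(sha256(email.strip().lower().encode()).hexdigest())
        return True

    def consents_to_reconfirm(self, as_of: datetime, max_age_days: int = 365) -> list:
        """Active consents older than max_age_days: candidates for a re-permission e-mail."""
        cutoff = as_of - timedelta(days=max_age_days)
        return [(s.email, c.purpose) for s in self.subjects.values()
                for c in s.consents if c.active() and c.given_at < cutoff]

def request_due(received: datetime, extended: bool = False) -> datetime:
    """Article 12(3): reply within one month, or three if the extension is invoked."""
    idx = received.month - 1 + (3 if extended else 1)
    year, month = received.year + idx // 12, idx % 12 + 1
    # Clamp to the last day of the target month (31 Jan -> 28 Feb).
    last_day = (datetime(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return received.replace(year=year, month=month, day=min(received.day, last_day))
```

The ledger only holds consent data, so `erase` can delete everything; in a real shop the erasure step would also have to leave alone records you are legally obliged to keep, such as invoices, which Article 17(3) carves out. The `evidence` field is what lets you meet the Article 7 burden of proof later: store the form or checkbox identifier and its version, not just a boolean.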
Get Help from an Experienced Chicago Business Attorney
If GDPR has you stressed, don’t worry! There are plenty of resources available to ensure that your company comes into compliance and your customers’ data is protected. For help looking at whether GDPR affects your company, drafting data privacy policies, and coming into compliance, feel free to reach out to Alexis Hart McDowell, Enterprise Esquire, to learn more.