Small Business And GDPR: What You Need To Know

in #business, 6 years ago


The world has changed, and today businesses of all sizes operate internationally rather than just on their own “home patch”. If you’re in the US or another location outside the EU, you might think that GDPR is a headache only for EU companies and huge corporations like Google… but you’d be wrong.

GDPR is the General Data Protection Regulation, and it replaces the older EU Data Protection Directive 95/46/EC. The change was made to give people in the EU comprehensive protection for their personal data, with the security of that data as a priority, regardless of where in the world the organisation holding it is based.

It has been law since 25 May 2018. If your business stores, handles, or otherwise processes the personal data of people in the EU, then you need to comply. For a business established outside the EU, the regulation applies when you offer goods or services to people in the EU or monitor their behaviour there; merely collecting or processing that data, without doing anything else with it, still counts as processing.

In short, it’s not about you, it’s about your EU customers. And, chances are, you have at least one on the books. That makes you liable, even if you have fewer than 250 employees (that threshold only relaxes some record-keeping duties; it does not exempt you from the regulation). The EU is not interested in your company as such, just the personal data of the people it protects. You may also need to appoint a DPO (Data Protection Officer), but this is driven by what you do with data rather than by headcount: a DPO is mandatory if your core activities involve regular and systematic monitoring of people on a large scale, or large-scale processing of special categories of data (health, biometrics, and the like), or if you are a public authority. A typical small business that only keeps customer and order records is unlikely to need one.

So, what happens if you violate GDPR? Well, it’s not pretty. There are two tiers of administrative fine, and in each tier the cap is whichever figure is higher:

• Up to 2% of your global annual turnover or €10m for
o Not keeping proper records of your processing activities, or neglecting to keep those records in order
o Not notifying your supervisory authority (and, where the risk to them is high, the affected people) when a data breach occurs
o Not having conducted a data protection impact assessment where one was required

Or,

• Up to 4% of your global annual turnover or €20m for
o Breaching the basic processing principles or your customers’ data rights (for example, losing their data, or processing it without a lawful basis)

On breaches specifically: you have just 72 hours from becoming aware of a breach to notify your supervisory authority, unless the breach is unlikely to put anyone at risk. Miss that window without a good reason and you can be fined under the first tier above, on top of any fine for the underlying failure that caused the breach.

Basically, there’s one thing that matters now: privacy, and it’s your job to take it seriously and ensure that anyone who uses your system has their data kept safe and secure. Obviously, an audit of what personal data you hold is the best first step. Some good questions to ask include:

• Where is your data stored?
• What format is your data stored in?
• Is your data in one place, or spread out over multiple places (backups, spreadsheets, third-party tools)?
• Why are you storing people’s data?
• How did you acquire this data?
• Do you have a lawful basis (such as consent or a contract) for storing, changing, or deleting this data?
• What exactly is the data?
• Is your data encrypted and secure, both where it is stored and while it is being transferred?
• Can users access, correct, or delete their data upon request?
• Can your data be accessed by a third party, and if so, under what agreement?

As you can see, these questions are all focused on the data, nothing more and nothing less. Even if you only have one customer in the EU, you need to ensure that your handling of their data is watertight. However, it is simpler to make your whole business GDPR compliant rather than carving out EU records, and it is likely that other countries and regions will follow suit in the future. While this is a headache to deal with, it’s ideally a headache that you only deal with once!

Ultimately, GDPR is a good move forward for global society, and it is up to businesses to make sure they’re on the right side of it. There are a growing number of tools and apps to help you do so, so check them out!


Thank you for this information

You're welcome
