Here’s What Small Businesses Need to Understand About GDPR
By Ryan Bradman
If you’re a small business owner, chances are GDPR affects you. After all, even if you’re selling (or marketing) to a single customer from the European Union, you’re bound to comply with GDPR. This guide helps small business owners understand GDPR without investing a lot of their time.
What is GDPR?
In April 2016, the EU enacted the General Data Protection Regulation, legislation that is better known by its acronym, GDPR. The new law came into effect in May 2018. It is a privacy law that replaces an older directive from 1995.
The importance of GDPR stems from the fact that it provides the template from which all other countries are drawing up their own data privacy laws.
What is Personal Data?
GDPR gives EU citizens more rights over their personal data. Personal information, which was once limited to hospital records and tax returns, is now in the hands of banks, social media sites, online stores, and myriad other businesses.
Nearly every service requires data such as your name, age, address, phone number, education, and much more. There is also geo-location data from our always-on smart devices, as well as emails, biometric data and more. More troubling is browsing history, which offers deep insights into a person's thought process, and third-party cookies in browsers that can track this information.
Personal data is not strictly defined in GDPR. It is outlined as all data that can lead to personal identification and includes all of the above.
When sensitive data was stored as hard copy, it was not easily accessible, but now a hacker can access confidential information quite easily.
What does GDPR want?
GDPR places two principal obligations on anyone who collects data (including the government) –
- Any personal information has to be collected lawfully with consent
- Anyone who holds the data must provide enough security so that it does not fall into the wrong hands
It leaves out the meaning of personal information and what level of protection is considered ample. Many of the core articles are open to interpretation by the judiciary.
At this moment, all that is clear is that if you hold data about any person residing in one of the 28 EU nations, you have to ensure its safekeeping.
Important Articles of GDPR
GDPR has 11 Chapters and 99 Articles. The most impactful are these –
- Article 17 requires that a business immediately delete a customer's or user's data when they opt out.
- Article 18 requires compliance if someone requests limits on how their data can be used.
- Article 32 requires that data be suitably protected.
- Article 33 requires that any breach of security be immediately notified.
- Articles 37-39 set out the role and tasks of the Data Protection Officer.
How To Achieve GDPR Compliance?
GDPR compliance is required by all businesses that have a citizen of an EU country as a user or consumer. Thus if you run a health and yoga blog from Auckland and someone from the EU has signed up for your newsletter, you need to comply with GDPR.
If you are actively involved in collecting personal data, then you may need a Data Protection Officer, or at least the recommendations of a GDPR-compliance consultant.
Some of the necessary steps of compliance are –
Audit of stored data
The questions to answer are:
- What type of data has been collected?
- How long has the data been retained and for what purpose?
- Is it necessary to continue to store it or should it be erased?
- If it is stored then should access to it be limited?
- What is the process for limiting such access?
Check Service Providers' Processes
This is the main problem. Many businesses do not crunch the data they collect themselves but hand it over to a third party for data mining. It would be best if you had data processing agreements with all such service providers to limit your liability.
The tricky part is to understand if your service provider has GDPR compliant processes in place.
A user may demand a copy of their data or want it to be erased. You have to comply with such requests within a reasonable time.
Controller and Processor
Data Controller and Processor are central terms under GDPR.
- The controller has control over why and how data is to be collected and used.
- The processor processes this data according to the demand from the controller.
To give a simple example – if you own a dating app service you might want to know:
- how many users are male
- how many of the above are aged between 25 and 35
- how many of the above are graduates and whether a correlation between educational standards and the use of iOS and Android exists
The processor will crunch the raw data on users, their age, education, and smartphone platform (note that the processor is working from raw data in Excel and does not know how it was collected or where it is stored).
Of course, the controller may also be the processor or a controller may employ one or more processors.
Much of the legal onus of being GDPR compliant falls squarely on the controller. If an outside processor fails, then the controller has to face the penalty.
Your role has to be defined by your DPO or GDPR compliance consultant.
Data Protection Officer
Businesses that collect data routinely have to employ a DPO who reports to the highest level of management but is not directed by them.
The role of the DPO is to ensure that every process in the organization is GDPR compliant.
Note that the compliance process is still evolving and there is no set template as yet. Essentially, at the moment, GDPR requires all businesses that possess data to be extremely careful about how they collect it, use it and store it.