The General Data Protection Regulation (GDPR) is the European Union (EU) data protection law that has applied since May 25, 2018. It replaced the 1995 EU Data Protection Directive and strengthens EU data protection rules by giving individuals more control over their personal data and establishing new rights for them.
As a small business owner, you may be wondering whether the GDPR applies to you. If your business is established in the EU and processes personal data, the answer is yes. It also applies to businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour. Note that the test is whether the individuals are in the EU, not whether they are EU citizens.
In the next few paragraphs, we will go into detail and explore what the GDPR is and how it affects small businesses. We will also share some tips on how you can comply with the GDPR as a small business owner. This way, you can avoid potential penalties and keep your business GDPR-compliant.
So, without further ado, let’s get started!
What is GDPR?
As we mentioned earlier, GDPR stands for the General Data Protection Regulation. It is an EU regulation, so it applies directly in every member state without having to be transposed into national law (member states may add supplementary rules in some areas). The regulation applies to any company that processes or intends to process the personal data of individuals in the EU, regardless of whether the company is based inside or outside the EU.
Under the GDPR, businesses must take measures to protect personal data from accidental or unauthorized access, destruction, alteration, or disclosure. They must also honour the rights the regulation gives individuals: the right to be informed about how their data is used, the right to access their personal data, the right to have it corrected, and the right to have it erased, along with the rights to restrict or object to processing and to data portability.
What is Personal Data?
Personal data is any information relating to an identified or identifiable individual. This includes, but is not limited to, an individual’s name, address, email address, and IP address, as well as other online identifiers such as cookie IDs.
Under the GDPR, personal data must be:
- Processed lawfully, fairly, and in a transparent manner
- Collected for specified, explicit, and legitimate purposes and not further used in ways incompatible with those purposes
- Adequate, relevant, and limited to what is necessary for those purposes
- Accurate and, where necessary, kept up to date
- Kept in identifiable form no longer than necessary, then erased or anonymised
- Protected by appropriate security measures against unauthorized or unlawful processing and against accidental loss, destruction, or damage
The controller is also accountable for being able to demonstrate compliance with these principles.
Controller vs. Processor
Under the GDPR, there are two types of entities that can process personal data: controllers and processors.
A controller is an entity that determines the purposes and means of processing personal data. A processor is an entity that processes personal data on behalf of a controller.
A small business owner would typically be considered a controller because they are the ones determining why and how their customers’ personal data is being processed. However, if you use a third-party service to process your customers’ personal data (e.g., QuickBooks Online), then that third party would be considered a processor while you would be considered the controller.
Obligations of Small Businesses Under GDPR
If you are a small business owner processing the personal data of individuals in the EU, you have certain obligations under the GDPR. These obligations include:
- Having a lawful basis for every processing activity. Consent is only one of six lawful bases (alongside contract, legal obligation, vital interests, public task, and legitimate interests). Where you rely on consent, it must be freely given, specific, informed, and as easy to withdraw as it was to give; explicit consent is one of the few grounds that permit processing special categories of data such as health data
- Clearly informing individuals about your privacy practices, typically in a privacy notice
- Giving individuals access to their personal data
- Allowing individuals to correct inaccuracies in their personal data
- Implementing security measures appropriate to the risk, such as encryption, pseudonymisation, access control, and regular testing of your safeguards, to protect personal data from unauthorized access or disclosure
- Deleting personal data upon request where no legal ground to keep it remains
Why Should Small Business Owners Care About GDPR?
Small business owners should care about the GDPR because failure to comply can result in significant fines. The maximum fine for the most serious infringements is €20 million or 4% of a company’s total worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of €10 million or 2% applies to other infringements).
In addition, if you suffer a personal data breach you must notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and you must inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
How Small Business Owners Can Become Compliant With GDPR
There are a number of steps that small business owners can take to become compliant with GDPR. These steps include:
1. Appointing a Data Protection Officer
A Data Protection Officer (DPO) is responsible for monitoring a company’s compliance with the GDPR and advising it on its data protection obligations. A DPO must be appointed if the company is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve processing special categories of data (such as health data) on a large scale. Most small businesses will not meet these thresholds, but they may appoint a DPO voluntarily, and they still need someone who is clearly responsible for data protection.
2. Conducting a Data Audit
A data audit will help you identify what personal data you hold, where it came from, why you hold it, who has access to it, and how long you keep it. Record the results, as they form the basis of the record of processing activities that the GDPR expects most controllers to maintain. Once you have conducted a data audit, you can then put in place measures to protect this data from accidental or unauthorized access, destruction, alteration, or disclosure, and delete anything you no longer have a reason to keep.
3. Putting in Place Contracts With Third-Party Processors
If you use third-party processors to store or process personal data on your behalf, you must have a written contract (electronic form is fine) that sets out the subject matter, duration, nature and purpose of the processing, the types of data and individuals involved, and the processor’s obligations, including acting only on your documented instructions, keeping the data secure, assisting you with breaches and subject requests, and deleting or returning the data at the end of the service. Larger providers typically offer a standard data processing agreement that covers these points; check that it is in place before you send them any personal data.
4. Implementing Procedures for Data Breaches
You must have procedures in place for dealing with data breaches. These procedures should cover how a breach is detected and escalated, how you assess the risk to the individuals affected, and the timeframes for notifying the supervisory authority (within 72 hours of becoming aware of the breach) and affected individuals (without undue delay where the risk to them is high). Keep an internal log of every breach, including those you decide not to report, together with its effects and the remedial action taken.
5. Implementing Procedures for Subject Access Requests
You must have procedures in place for dealing with subject access requests from individuals who want to know what personal data you hold about them and why you are processing it. These procedures should include how you verify the requester’s identity before releasing anything, the one-month deadline for responding (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month), and providing information about the individual’s right to object to processing where applicable.
As a small business owner, it’s important that you understand the basics of the GDPR and take steps to ensure compliance. By following the steps outlined above, you can help keep your business compliant with GDPR requirements.
Do you have any questions about GDPR compliance for small businesses? Let us know in the comments below!