What small businesses need to know about GDPR

On the 25th of May this year, GDPR comes into effect around the world. It affects all businesses with a presence in the EU – whether you’re headquartered there, or whether you’re just providing services to EU residents over the internet.

Uncharted Territory

The GDPR is a groundbreaking piece of legislation in that it extends globally-enforceable rules for the rights of EU data subjects. No matter where you are in the world, if you’re working with any personal data of an EU resident, you’re potentially liable under the GDPR.

Because it breaks new ground, it remains to be seen how it will actually be enforced in practice. The penalties for breaches are severe (starting at €20 million or 4% of global annual turnover), but they are also defined only as a last resort. The real purpose of GDPR is to raise the bar on how businesses handle personal information.

Even if you’re a small business, you need to be aware of what the GDPR requires – and put in the effort to comply.

Key Concepts

The GDPR defines 3 key roles in the acquisition and processing of data:

Data Subject
A natural person who can be identified through their personal data. This data can be almost anything: typical PII such as name, ID number or email address, or any other data that can be used to accurately identify a person, such as physical descriptions, locations, physiological data, genetic data, etc.

Data Processor
“Processing” is any operation conducted on personal data – collecting, storing, analyzing, transforming, transmitting to anyone else, destroying, etc. A Data Processor is the natural or legal person performing the actual work.

Data Controller
The natural or legal person making the decision on what data should be processed, and how.

Broadly speaking, the GDPR intends to protect the rights of the Data Subject. For example:

  • Subjects need to grant clear, free, informed and unambiguous consent for the processing of their data
  • It needs to be clearly articulated (in simple language) what you’re collecting, and why
  • Subjects should be able to export all their data (Portability)
  • Subjects have the “right to be forgotten” (Erasure)

That said, the GDPR does not apply retroactively: existing records are not required to be compliant, unless you intend to use them going forward, in which case you need to be sure consent is clear.

Do you need to be GDPR compliant?

The GDPR applies to any processing involving personal data of an EU data subject – even if you’re based completely outside of the EU. It applies whether you’re providing a paid or a free service.

There’s a bit of a gray area when it comes to context. An EU user being able to access your website is not an immediate requirement for GDPR compliance – you don’t need to block the entire EU from accessing your services, in other words.

However, it does apply if your site is demonstrably targeted at an EU audience (for instance, you offer Spanish, French, or other European language translations), you offer goods or services priced in an EU currency, or provide for delivery in the EU. In that case, a reasonable person would conclude you’re trying to market to the EU, and you’d be liable.

What does GDPR compliance mean?

In effect, to be GDPR compliant you need to respect the rights of EU data subjects. GDPR grants a number of new rights to EU citizens. On a high level, they are:

Transparency
If you’re collecting personal data, you need to clearly indicate (in simple, accessible language) what you’re collecting, where you will be sending it, what you will be doing with it, and how long you’re going to keep it.

Right of Access
Users have the right to request information from you on: Whether or not you have any of their personal data, what you have, who you’ve shared it with, what processing you’re doing, where you got it, and for how much longer you’ll hold on to their data.

Right of Erasure (“Right to be forgotten”)
Users have the right to request that you confirm what data you have on them, then delete all of it without undue delay. There are some mitigating factors here (for instance, if you need that data to deliver a service you’re still liable for).

Rights of Objection, Restriction and Rectification
If you’re holding inaccurate or outdated information, the user has the right to ask you to stop processing that data until it is rectified. The user has the right to object to the processing of their personal data – in terms of direct marketing, this means the controller may no longer use the data for that purpose.

Right to Portability
The user has the right to request an export of their personal data from you in a common, machine-readable format (open formats such as text or CSV).

Automated individual decision-making
The user has the right not to be subject to a decision made entirely by automated processing that results in a legal effect. This mostly applies to things like insurance, credit scores and the like.

More details on the specific rights and responsibilities can be found here.

How do you become GDPR compliant?

The road to compliance depends on how big your business is, how complicated the processes are, and how often you review your operations for data best-practices.

IMPORTANT: This is not, and should not be construed as legal advice. Consult a lawyer.

A good place to start is a thorough review of all the ways your business receives and processes personal data, and where all that information is stored. As a best practice, you should immediately start discarding any data you definitely don’t need – once the services have been rendered and you no longer work with a customer, their data becomes a liability.

Next, review all the entry points for personal data (web forms, inbound emails, paper forms, etc.) – make sure that the language is simple and transparent, and that you clearly indicate contact details for a responsible person in your organization.

Then, make sure that you have a process to honor the rights of Erasure and Portability. If a user asks you for a full export of their personal data, do you have a means to do that? And if they ask for a full delete, can you action it?

Finally, if you’re working with personal data that has not been obtained through clear consent, either stop processing that data immediately, or try to re-obtain clear consent. This could be as simple as an email asking users if they’d like to remain opted in to your communications.
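The steps above (know where personal data lives and why, discard what has outlived its purpose, answer export and erasure requests, and flag data held without consent) are much easier to action if the data inventory is written down rather than remembered. The following Python sketch is an added example, not code from the article: the three stores, their purposes and retention periods, the "legal hold" flag for records that must be kept for accounting, and all the sample email addresses are constructed assumptions. It also shows the CSV export mentioned under the Right to Portability.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

EMAIL = "email"  # the field used to identify a data subject across stores (assumption)


@dataclass
class Store:
    """One place personal data is held, with the purpose and retention the business has decided on."""
    name: str
    purpose: str
    retention_days: int
    legal_hold: bool  # True: records must be kept (e.g. accounting), so identifiers are stripped instead of deleted
    records: list = field(default_factory=list)


def build_sample_inventory(today):
    """Constructed sample inventory; names, emails and dates are invented for this example."""
    old = (today - timedelta(days=800)).isoformat()
    recent = (today - timedelta(days=30)).isoformat()
    return [
        Store("crm", "customer support", 365, False, [
            {EMAIL: "ana@example.com", "name": "Ana", "last_contact": recent},
            {EMAIL: "olaf@example.com", "name": "Olaf", "last_contact": old},
        ]),
        Store("orders", "order fulfilment and accounting", 3650, True, [
            {EMAIL: "ana@example.com", "name": "Ana", "order_id": "A-1001", "total": "42.00", "last_contact": recent},
        ]),
        Store("newsletter", "direct marketing", 730, False, [
            {EMAIL: "ana@example.com", "consent_ts": recent, "last_contact": recent},
            {EMAIL: "olaf@example.com", "consent_ts": "", "last_contact": old},  # no recorded consent
        ]),
    ]


def marketing_without_consent(inventory):
    """Records used for direct marketing that carry no consent timestamp: stop processing or re-ask."""
    return sorted(r[EMAIL] for s in inventory if s.purpose == "direct marketing"
                  for r in s.records if not r.get("consent_ts"))


def purge_expired(inventory, today):
    """Discard records older than the store's retention period; returns how many were dropped."""
    removed = 0
    for store in inventory:
        keep = []
        for rec in store.records:
            age_days = (today - date.fromisoformat(rec["last_contact"])).days
            if age_days > store.retention_days:
                removed += 1
            else:
                keep.append(rec)
        store.records = keep
    return removed


def export_subject(inventory, email):
    """Right of access / portability: every record about one subject, annotated with where and why it is held."""
    return [{"store": s.name, "purpose": s.purpose, "retention_days": s.retention_days, **r}
            for s in inventory for r in s.records if r[EMAIL] == email]


def to_csv(rows):
    """Render the export in an open, machine-readable format (CSV with a header row)."""
    fields = sorted({k for r in rows for k in r})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def erase_subject(inventory, email):
    """Right of erasure: delete where nothing requires retention; otherwise strip the identifying fields."""
    deleted = stripped = 0
    for store in inventory:
        if store.legal_hold:
            for rec in store.records:
                if rec[EMAIL] == email:
                    rec[EMAIL] = "[erased]"
                    rec.pop("name", None)
                    stripped += 1
        else:
            before = len(store.records)
            store.records = [r for r in store.records if r[EMAIL] != email]
            deleted += before - len(store.records)
    return {"deleted": deleted, "stripped": stripped}


if __name__ == "__main__":
    today = date(2018, 5, 25)
    inv = build_sample_inventory(today)
    print("no consent:", marketing_without_consent(inv))
    print("purged:", purge_expired(inv, today))
    print(to_csv(export_subject(inv, "ana@example.com")))
    print("erased:", erase_subject(inv, "ana@example.com"))
    print("after erasure:", export_subject(inv, "ana@example.com"))
```

The point of the `legal_hold` flag is the mitigating factor the article mentions: an order you must keep for accounting is not deleted, but the fields that identify the person are removed from it, so the remaining record no longer counts as that subject's personal data. In a real system the stores would be database queries rather than lists, but the inventory shape (store, purpose, retention, hold) is what an auditor or a data subject will ask you about.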

Towards a better internet

GDPR is setting a new standard for the acquisition and processing of personal data – in effect, bringing EU-style human rights into the online world. While these rights are only technically afforded to EU citizens, there’s no reason not to adopt them outside the EU.

By becoming GDPR compliant, you’re sending a strong signal that you care about your customers’ personal data – and by extension, your customers themselves.
