If you’ve been watching the news over the last month or so, you’ll likely have heard the acronym “GDPR”. What you might not have heard is that if you are a small business owner, GDPR could affect your business.
What is GDPR?
GDPR stands for “General Data Protection Regulation”, and the regulation was passed by the European Union in April 2016, replacing an outdated data protection directive from 1995. The GDPR was effective as of May 25 of this year.
The GDPR requires businesses to protect EU citizens’ personal data and privacy for transactions that occur within EU member states. The GDPR also regulates exporting personal data. The provisions are consistent across all 28 EU member states and apply to any business doing business with EU customers or gathering data from EU residents.
Even businesses that do business primarily in the United States can find themselves subject to the GDPR. In today’s global economy, customers can come from anywhere across the globe. And that means, if you’re doing business with or gathering data from EU customers, the GDPR could affect your business.
What kind of data is regulated under the GDPR? The GDPR takes a broader view of what classifies as personal identification information than has been the case under previous data protection regulations.
The GDPR protects the following data:
- Basic identity information (name, address, ID numbers)
- Web data, including location, IP address, cookie data and RFID tagsHealth/genetic data
- Biometric data
- Racial/ethnic data
- Political opinions
- Sexual orientation
The GDPR requires companies to change how they process, store and protect customers’ personal data as part of their data management strategy. Data storage and processing are only allowed when the individual consents and for no longer than is necessary for the specific purpose(s) that personal data is processed. In addition, personal data must be portable between companies, and if a customer requests it, companies must erase their personal data.
Any data breach must be reported to supervisory authorities and individuals affected within 72 hours of when the breach is detected. Performing impact assessments is another requirement to help mitigate the risk of breaches by identifying vulnerabilities and identifying ways to address them.
Will the GDPR Affect My Small Business?
The criteria for companies that are required to comply with the GDPR are:
- Presence in an EU country, including having a website that is geared toward an EU country (for example, having a website that is available in French, German or any other EU language)
- No EU presence, but processes personal data of European residents (for example, an American company that has European customers)
- European companies with 250+ employees
- European companies with less than 250 employees but its data processing impacts the rights and freedoms of data subjects, is not occasional or includes certain types of sensitive personal data
At Tolar Systems, we believe that even if your US-based small business doesn’t need to comply with GDPR, you should look at the GDPR as a best practice for handling potentially sensitive or identifying personal data for your clients or customers. We predict it will eventually become the standard here in the US for handling personal data provided over the web.
It’s important to note that compliance with the GDPR means being explicit with your clients and customers about getting permission to gather and store personal information, explaining how it will be used, and how long your company will store that data.
What If I’m Not GDPR Compliant?
Non-compliance of the GDPR comes at a steep price—up to €20 million or 4 percent of global annual turnover, whichever is higher. The general consensus is that about half of U.S. companies will not be compliant on all requirements. For the time being, you can protect your small business from the harsh penalties by being able to demonstrate a good-faith effort to comply.
If your small business is not GDPR compliant yet, but should be, here are the first three things to do:
- Conduct a risk assessment—Know what data your small business stores and processes on EU citizens and understand the risks around it. Risk assessment must also outline measures to mitigate that risk. Get a full picture of your small business’ entire IT infrastructure and inventory all applications.
- Hire or appoint a data protection officer (DPO)—The GDPR does not specify if a DPO should be a separate position, so your small business should be able to name someone with a similar role as DPO as long as they can ensure the protection of personally identifiable information without a conflict of interest. If not, then you should consider outsourcing your DPO—Tolar Systems can help.
- Create a data protection plan—Review and update your current data protection plan so that it aligns with GDPR requirements, and don’t forget about ensuring that apps installed on mobile devices that gather personally identifiable information do so in a GDPR-compliant manner.
If all this seems challenging, we can help your business develop a strategy to ensure GDPR compliance. Contact Tolar Systems today to learn more about how GDPR affects your business and its consumer data.