Do you own a small business that collects, stores, or uses consumers' personal data? If you do business in the EU, or with people in the EU, you must follow the GDPR rules regarding that information.
So, how does the GDPR affect small businesses? Are you prepared to follow the GDPR rules? Keep reading to learn what you need to do for your small business.
What Is GDPR?
The European Union (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The purpose of this regulation is to increase data protection rights for individuals. It improves business opportunities by enabling the safe transfer of personal data within the digital market.
The European Commission says these rules will guarantee “the fundamental right to personal data protection” for all citizens. This serves to increase customer trust in online services. Business owners will also gain confidence they are following clear and uniform legal rules.
The GDPR has a broad territorial reach. It applies to organizations established in the EU, whether or not the processing itself takes place there. It also applies to businesses outside the EU that offer goods or services to people in the EU, even free of charge.
The rule also applies to any organization outside the EU that monitors the behavior of people in the EU, for example through website tracking or profiling.
What Is Personal Data?
Businesses must understand the definition of personal data under the GDPR. Personal data is any information relating to an identified or identifiable living natural person, whether it identifies them directly or only in combination with other data.
The most obvious identifiers are a person's name and their national identification, driver's license, or passport numbers. Mailing addresses, email addresses, and IP addresses count as well, because each can locate or single out an individual. So do telephone numbers, credit card and account details, and license plate numbers.
Some information is less obvious. Factors specific to a person's physical, physiological, genetic, mental, economic, cultural, or social identity are also identifiers. The Court of Justice of the European Union has further held that records of an employee's working time and breaks are personal data.
Employee candidate answers on tests and remarks made by the examiners also represent protected personal information if the candidate is identifiable.
Subjective data may apply as well. This includes opinions, judgments, or estimates related to a natural person. Examples include an employer’s estimate of a worker’s performance or whether a person’s credit is adequate.
When evaluating the data you collect, don't forget health data, biometric and genetic data, and racial and ethnic information. A person's political opinions, religious or philosophical beliefs, trade union membership, and data about sex life or sexual orientation must receive protection as well. The GDPR treats these as "special categories" of personal data: processing them is prohibited unless a specific exception applies, such as the person's explicit consent.
What Is a Data Controller and Data Processor?
The roles of data controller and data processor are key to handling personal data. The GDPR defines both roles. Your company may fill both or only one.
For example, if you sell online, your customers' login and account system collects personal data, and you have a system that manages sales. You may hire an external company to run one or both of these.
In this case, you are the data controller, because you decide what information to collect and why. The company or companies you hire are data processors: they handle the data only on your behalf and on your instructions.
If you collect and store customer data for your own purposes, you are a data controller, and you must be able to demonstrate compliance with the GDPR's principles for processing personal data. You must show that the business:
- Processes personal data lawfully, fairly, and transparently
- Collects data only for specified, explicit purposes and does not reuse it for incompatible purposes
- Collects the least amount of data necessary for those purposes
- Keeps information accurate and up to date
- Does not keep data in an identifiable form longer than necessary
- Protects data against unauthorized access, loss, and damage throughout processing
The data controller is responsible for using only processors that can guarantee these rules are met, and the GDPR requires a written contract between controller and processor setting out the processor's obligations. The processor must also be able to provide evidence that it adheres to those obligations. Both the controller and the processor can be held liable for damage caused by a breach.
How Does the GDPR Affect Small Businesses?
If you are a small business, are you compelled to follow the GDPR standards? The regulation contains no small-business exemption: any organization that processes personal data relating to an identifiable living natural person is subject to it. This applies even if the information is held on paper, as long as it is organized in a structured filing system.
Failure to meet the GDPR standards can result in fines of up to €20 million or 4% of your total worldwide annual turnover for the preceding financial year, whichever is greater. The safest approach is therefore to assume the rules apply to you.
If your business is not established in the EU and neither offers goods or services to people in the EU nor monitors their behavior, the GDPR may not apply to you. However, on January 1, 2020, the California Consumer Privacy Act (CCPA) takes effect. If you do business in California, similar rules will apply.
Experts expect the CCPA to be the first of several such laws in the United States. Bringing your business into compliance now allows you to stay ahead of the game.
Start today by detailing all personal data your company or a third-party company collects. Document the location of every piece of data and how it’s used. If you sell personal data, make an accounting of that information.
Identify the data controllers and data processors. Create documents describing the expectations of each role. Also, develop a plan for ensuring compliance with your policies.
If a customer asks you to remove all their data, are you ready to meet that request? Can you locate all the pertinent data, including copies held by your processors, and erase it? You will also need to understand when you should not erase data: the right to erasure does not apply where you must keep the data to meet a legal obligation, such as tax record-keeping, or to establish or defend legal claims.
Develop a quality assurance plan to ensure your company continuously meets all criteria. If a third-party company is unable to prove compliance, you are at risk. You may wish to make new business arrangements.
What Is SAR?
Anyone whose personal data you hold has the right to make a "subject access request" (SAR), and employees are no exception. This applies to current and former employees as well as job applicants and customers.
For employees, the data involved can include personnel files, internal memoranda, meeting notes, and email correspondence. Failure to meet a request can result in fines, enforcement action, and damage to your reputation. In response to a SAR you must provide a copy of the person's data along with the following information:
- The categories of personal data collected and used
- The purposes for which the personal data is collected and used
- The recipients, or categories of recipients, with whom the personal data has been or will be shared
- How long the data will be kept, or the criteria used to decide that
- Where the data came from, if it was not collected from the individual
- Whether automated decision-making, including profiling, is applied to the individual, and if so the logic involved and its likely consequences
According to the GDPR, you must normally respond free of charge. You may charge a "reasonable" fee, or refuse to act, only if the request is manifestly unfounded or excessive, for example because it is repetitive. You must respond without undue delay and at the latest within one month of receiving the request; that period can be extended by a further two months for complex or numerous requests, provided you tell the individual within the first month.
Failure to provide this information can result in a maximum fine of 4% of global turnover or 20 million euros, whichever is higher. The individual also has the right to pursue a court claim.
Many businesses offer products and services to assist with GDPR and SAR compliance. They provide knowledge and experience to ease the process of making your business GDPR compliant.
Do You Have a Tech Industry Business?
Technology has become part of most people’s lives. This creates great business opportunities. The concern for consumer privacy has also increased tech companies’ workload.
This article focused on, “how does the GDPR affect small businesses?” Our site offers information about all types of technology. We discuss hardware and software products. You can find information about future technology and gaming products.
We also provide opinions, best practices, and a buyer’s guide. Continue checking out our site today to learn more.