News of the General Data Protection Regulation (GDPR) has been on the periphery of our attention since the European Parliament passed it in 2016, but as of May 25, 2018, the privacy-focused piece of legislation finally applies. And though it was written for the EU, American business owners are not exempt from its impact.
As an American business owner with your own set of privacy rules and regulations to contend with, the GDPR may not seem like much of a concern. However, the regulation reaches any organization, wherever it is located, that processes or holds the personal data of people in the EU. An American business that offers goods or services to people in the EU (even for free) or that monitors their behavior online, for example through analytics or advertising cookies on its website, will need to comply.
Note that monitoring online behavior counts, not just selling products or services. That is because the regulation governs the collection of personal data in general, not just monetary transactions. A website that is merely reachable from the EU does not by itself bring you into scope; a website that targets EU customers or tracks EU visitors does.
So, any organization that collects personal data from individuals in the EU (the rule turns on where the person is, not on citizenship) will need to be in compliance. Personal data is broader than the American notion of personally identifiable information (PII): it includes social security numbers, phone numbers, salary, race, marital status, military rank or civilian grade, age and medical records, but also online identifiers such as IP addresses, cookie IDs and device identifiers.
Top GDPR Takeaways for Small Businesses
You know what the GDPR is, generally, but what specific things will be required of businesses? Here are a few of the most significant requirements and considerations that you’ll need to take into account if you want to be in compliance.
- Seventy-two-hour breach notification: Any organization that detects a breach of personal data must notify the relevant national supervisory authority within seventy-two hours of becoming aware of it (not of the breach itself, which may have happened much earlier), unless the breach is unlikely to put individuals at risk. Where the breach is likely to result in a high risk to the affected individuals, they must be notified as well, without undue delay. In practice this means you need a way to detect breaches and an incident-response process that can assess and report within three days.
- Consent for data is a must: Consent is one of several lawful bases for processing under the GDPR, but it is the one most small businesses will rely on for marketing and for anything that is not strictly necessary to deliver a product. Where you rely on it, consent must be freely given, specific, informed and unambiguous, even for something as simple as an email list.
Explicit consent is required if an organization wants to process sensitive (“special category”) data such as health, racial or ethnic origin, religious belief or biometric data. In every case the consent must be given by a clear affirmative action, which means that companies can no longer rely on “opt-out” mechanisms or pre-checked boxes.
Further, consent requests must be separate from terms and conditions; cannot, in most cases, be a condition of signing up; must be granular, so that consent is specific to each type of processing; and must be named, meaning the individual must be told which organizations or third parties will rely on that consent.
Finally, organizations must document that consent, including what was asked for, what was given and when. Individuals must be able to withdraw their consent at any time, and it must be as easy to withdraw as it was to give, so organizations must tell people how to withdraw and provide a simple path for doing so.
- The right to be forgotten: Organizations must honor an individual’s request to have their personal data erased (the right to be forgotten), and separately must honor requests for a copy of the data held about them (the right of access). The right to erasure is not absolute, for example where the data must be kept to meet a legal obligation, but where it applies it is demanding in practice: you must be able to delete not only the primary record but also every copy of it, whether the copies exist because of operational processes (such as cloud storage backups) or because an employee exported a spreadsheet of leads. Backups deserve particular attention, since you need a documented way to ensure erased data does not reappear when a backup is restored. This requires agreed policies across all departments and employees who can access, copy or otherwise keep customer data.
- Children’s data: When an online service is offered directly to a child, processing the child’s data on the basis of consent is lawful only if the child is at least sixteen or a parent has given consent. EU member states may lower that age threshold, but to no lower than thirteen.
The above are just a few of the more specific requirements that business owners must meet to become compliant with the GDPR. Some of them may take weeks (or months) to plan and execute, so, as mentioned above, it is best to start as soon as possible if you haven’t already.
To get started, or to make sure your efforts are aligned with expectations, consider the following steps.
- Analyze your current data processes; this includes how you obtain data as well as how you process, store and retain it. If you don’t have one already, carry out a Privacy Impact Assessment (PIA). Where the processing is likely to pose a high risk to individuals, for example large-scale processing of sensitive data or systematic monitoring, the GDPR requires a formal Data Protection Impact Assessment (DPIA).
- Work with your legal department to fully understand and address the GDPR requirements (such as when a DPIA is needed). However, the effort should extend past legal departments or consultants and include multiple departments, including IT, Marketing and Finance, since many of them handle personal data directly.
- Create a plan, not only for immediate compliance, but for long-term data collection, management and processing. The end result should be a data privacy and security plan that can guide future operations and also serve as documentation of compliance.
Companies that don’t comply (or can’t document their compliance) with the GDPR face substantial fines of up to four percent of annual worldwide revenue or 20 million euros, whichever is higher. While that amount can be damaging to any organization, small businesses that depend on every cent may suffer the most from non-compliance. During the next little while, your time will be especially precious as you work to ensure your business is compliant. The average business owner spends 33 hours applying for credit; you can save that time by checking with Nav.
If you’re not currently compliant and the May 25th date is giving you anxiety, take a deep breath. Gartner, Inc. predicted that by the end of 2018, more than half of the companies affected by the GDPR would still not be in full compliance.
Of course, being in the majority won’t protect you from the consequences of non-compliance in the event of a data breach, and we all know how frequent those are these days. For that reason, it’s important to address the issue immediately and take the steps required to meet the GDPR requirements.
This article was originally written on May 23, 2018 and updated on February 1, 2021.