SCORE

Do you remember where you were on May 25, 2018? No? That was the day the General Data Protection Regulation (GDPR) went into effect. It was a regular business day, and the sky did not fall as many had predicted it might. Work continued as usual, and businesses cruised into the post-GDPR era. Some were prepared, others were not, and many were, and still are, largely unaware of what GDPR is or how to comply with it.

If you have prospects or customers in the European Union (EU), you need to familiarize yourself with GDPR.

Decide whether you are willing to risk non-compliance with GDPR, or whether you will develop a plan for adapting to it. To help you decide your approach going forward, consider the following:

  1. GDPR applies to organizations of every size, including sole proprietors, regardless of sector or industry. If you offer goods or services to people in the EU, or monitor their behavior (for example, through marketing or website analytics), you are required by law to comply, even if you have no physical presence there.
  2. If you don’t have customers in the EU, but you process personal data on behalf of a company that does, GDPR still applies to you as a processor.
  3. The regulation is not intended to torment businesses. The law is meant to give EU citizens and residents more control over their personal data, and to simplify compliance for international businesses with a single standard across the EU. Right now, it simply feels overwhelming to many of us who have not historically been asked to operate in this way.

Steps to Becoming Compliant

Becoming GDPR compliant doesn’t have to be a daunting task, but if you are a small business, it can take a good amount of time. My advice is to create a plan for becoming compliant and work through it over time. Here’s what the plan should include:

1. What data do you collect?

Under GDPR, personal data is any information that can be linked to an identifiable person: name, address, email address, bank or credit card details, photos, and even IP addresses and cookie identifiers. If you collect data about visitors to your website that can be tied back to a specific individual, it is personal data. A subset of personal data is treated as “special category” (sensitive) data, for example health information, religious beliefs, or trade union membership. Special category data may only be processed under narrower conditions and requires stricter handling than ordinary personal data.

2. Do you have a valid reason or consent to collect that data?

GDPR doesn’t prevent you from collecting or holding personal data. It requires you to have a lawful basis for doing so. Consent is one basis, but not the only one: performing a contract with the customer is another, and your legitimate interests (such as servicing that customer, or marketing related products to them where they would reasonably expect it) can be a third. If you can’t make one of those links, obtain the user’s consent for specific, clearly described purposes, and document when and how that consent was given.

3. What are your security measures or policies?

Even as a small business, you need to think about your prospect and customer data. How will you protect it? Will you be able to detect a breach and notify the supervisory authority within 72 hours of becoming aware of it? Will you be able to notify the affected individuals without undue delay when the breach is likely to put them at high risk?

4. How will you give prospects/customers access to their data?

GDPR gives individuals rights over the data that is about them. Users have the right to access their data, have it corrected if it is wrong, and have you delete it if they no longer want you to hold it. Think about whether you can respond to such a request within one month. In some cases, you might be entitled to an extension of that one-month clock: it can be extended by up to two further months, but only where the complexity or number of requests justifies it, and you must tell the individual about the extension, and the reasons for it, within the first month.

5. Do you need to have a DPO?

A DPO is a Data Protection Officer. Most small businesses don’t need one, but GDPR requires you to appoint one if your core activities require regular and systematic monitoring of individuals on a large scale, or if your core activities consist of large-scale processing of special category data or data about criminal convictions. If you are a very small business and don’t process large amounts of such data, you do not need a DPO.

6. What do your notices say?

Take a look back over your privacy policy and terms of use for your digital products and services (including your website). Hopefully, you already have these in place; if not, this is the time to get them in order. With GDPR, you will want to amend the notices to explain, in plain language, what personal data you collect, why you collect it and on what lawful basis, how long you keep it, who you share it with, and how users can exercise their rights.

7. What are your partners doing?

In order to become GDPR compliant, you need to make sure that your partners are GDPR compliant as well. For small businesses, this can be a time investment. If you use cloud-based software or services, chances are the provider has already addressed GDPR and may even have amended your agreement to reflect its compliance. Start by reaching out to confirm this. If a partner has not, and it processes personal data on your behalf, put a written data processing agreement in place that sets out what it may do with the data and the security measures it must apply, as GDPR requires for processors.

8. Where do you store or process data?

For a small company doing business with people in the EU, the biggest issue comes up around the transfer of data to the US. The EU does not regard US law as providing, in general, an “adequate” level of protection for individuals’ data, so such transfers need a recognized transfer mechanism (for example, standard contractual clauses with the recipient). The good news is that if you are a small business, you likely use cloud services, and many of them already offer these mechanisms and have aligned with GDPR. For those that haven’t, it might make sense to move your hosting or storage to an EU-based cloud solution. Otherwise, you will need both a valid transfer mechanism and technical safeguards, such as encrypting EU user data in transit and at rest, and you should verify, not just assume, that your providers meet that standard.

Skip to the good part of GDPR!

GDPR can certainly appear daunting and scary to a small business (me included!). Under the new data protection rules, your business could face fines of up to 2% of your annual worldwide turnover or €10 million (roughly $11.6 million), whichever is higher. For the most serious infringements, such as violating the basic principles of processing, ignoring individuals’ rights, or making unlawful international transfers, that rises to 4% or €20 million ($23 million). But there is also a competitive advantage in adapting to GDPR!

While it’s easy for all of us to see GDPR as a burden, it is something that can be used to your advantage, adding value to your business. When you run a GDPR-compliant business, you build trust with prospects and customers. In reality, no one likes having their data lost, stolen, damaged, misused, or shared without proper consent. Being GDPR compliant shows that you respect and protect your clients’ data, and demonstrates a higher value to your clients. This will be appreciated and pay off now, as well as down the road.

About the Author(s)

Kristina Podnar

Kristina Podnar is a consultant with nearly 20 years of experience working with organizations of various sizes. She has a history of successfully deploying complex digital transformation projects and of working with small businesses to solve regulatory governance challenges.

Consultant, NativeTrust Consulting, LLC