What the GDPR means for small businesses
Estimating the impact that the General Data Protection Regulation (GDPR) will have on small businesses is a source of concern for some. Many small businesses assume that the GDPR does not apply to them. If you are a small business owner that believes this to be the case, you could be in for a shock when the GDPR comes into force on May 25, 2018.
While it is stated in Article 30 of the GDPR that most small businesses i.e those with fewer than 250 employees, will not be bound by the new regulation, some exceptions apply. Small business owners need to pay attention to the GDPR, and take a look at what it means for their business, or they could end up facing sanctions they did not expect. These sanctions can include hefty fines, which would be bad news for a business of any size.
What effect could the GDPR have on small businesses?
For the purposes of the GDPR, a small business is classified as one with fewer than 250 employees. Any business with more than 250 employees is required to comply with the GDPR and is required to nominate a Data Protection Officer (DPO).
Businesses with fewer than 250 employees are required to comply with the GDPR if their data processing could affect the rights and freedoms of individuals, if they process personal data on a regular basis, or if they process data which is covered by Article 9 of the GDPR, which includes sensitive data such as that relating to religious beliefs. If any of these apply to a small business, it needs to ensure that it complies with all aspects of the GDPR.
What does article 9 of the GDPR refer to?
There are certain items of personal data that are prohibited to process under GDPR rules, unless a data subject gives express permission to use the data for a specific purpose. These items of personal data include political beliefs and sexual orientation. In some EU Member States, it may be prohibited to process this type of data even if the data subject gives consent. Any small business needs to pay attention to this if it is involved in processing data of this sort.
Specific issues for small businesses
There are some considerations that are likely to apply more to small businesses than to larger organisations. For instance, many small business owners rely heavily on networking to create important contacts. With this in mind, it is important to note that small business owners will no longer legally be able to simply add emails taken from business cards to their email contact lists unless they have specific consent to do so from the individual who gave them the card.
The same applies to using emails for LinkedIn contacts. Anyone who wants to add someone’s details to a contact list needs to have direct consent to do so; it is not enough to just assume that the giving of a business card implies consent.
Many small businesses do not actually process their own data due to a lack of available resources. It is important for businesses to remember that the third parties they use are regarded as data processors as far as GDPR compliance is concerned, and that the data controller is responsible for the conduct of their processors. This means that small businesses need to ensure contracts include all of the necessary requirements to ensure compliance with the GDPR.
Many small businesses make use of laptops when accessing and processing data. It is important to note that passwords are not considered to be a sufficient measure to protect personal data on a laptop in order to comply with the GDPR. It is a good idea to also encrypt data in order to have greater confidence in the security of the data.
The global reach of the GDPR
Given that a large amount of trade, even for small businesses, is carried out online, it’s easy to see that the GDPR has a global reach. All of the GDPR considerations do not just apply to small businesses within the EU, they also apply to the personal data of anyone who is located within the EU.
This means that any small business which processes the personal data of people within the EU is subject to the GDPR, no matter where in the world the business is based.
It is important to note that the GDPR applies to people within the EU, but not necessarily to EU citizens. A Danish person in South Africa is not covered by the GDPR, whereas a South African in Denmark would be. It is the location of the person that is important, not their nationality or citizenship.
What small business owners need to do
It is clear that the GDPR applies to many small businesses across the world. But what do small business owners actually need to do in order to ensure that their business is compliant?
Check the details of the GPDR
The first thing that any small business owner should do is check out the details of the GDPR. They need to have an awareness of what constitutes compliance, in order to consider whether the processes and procedures of the business are such that they meet with GDPR requirements.
Audit that data is stored currently
In order to comply with the GDPR, any organisation, including small businesses, needs to know what data is being held, where it is being held, why it is being held, and who is responsible for managing it.
They also need to check if appropriate consent has been obtained and whether the data should can still be legally processed or whether it should be deleted as the consent has expired. This last point can be especially important for small businesses as holding less data means it can be a lot easier to manage and there is less likelihood of issues occurring. Not only does it make sense to delete data when the purpose for using it no longer exists, it is also a stipulation of the GDPR to do so.
Check processes and procedures
We have already mentioned that businesses need to know what data is being held, where, and how, as well as who is responsible for managing it. This is why any business, big or small, needs to have processes and procedures in place to enable compliance with these requirements. They also need to fully document these processes and procedures so that they can prove they are acting in compliance.
Check consent processes
Once the GDPR is introduced, businesses will need to ensure that they have consent to process personal data, except if there are certain other valid legal reasons for them to process the data.
Consent needs to be gained for each specific reason for processing and it needs to be explicit. This means that the data subject must be aware of what they are consenting to. They also need to take an unambiguous affirmative action to agree.
This means that it’s no longer permitted for a business to use pre-checked tick boxes or silence on a telephone line to obtain consent. All consent gathered in such a fashion is not longer valid and must be reacquired.
Recognise high risk data and processes
Certain items of personal data, such as those covered by article 9 of the GDPR, present a high risk. Small businesses might also recognize that certain aspects of their data processing might also present a high risk. Every business needs to mitigate against these risks by producing detailed plans and procedures to follow. If it appears that no mitigation is possible, the business should seek advice from the relevant Data Processing Authority (DPA) before any processing of the data can be attempted.
Plan for a data breach
Although small businesses should do everything they can to ensure the security of the data they process, they should also create contingency plans should the worst occur. Under the GDPR, data breaches need to be reported within 72 hours of discovery. Every small business needs to ensure that it has the necessary processes, including who to contact and how, prepared and drilled to ensure that reports are made as quickly as possible.
Consider hiring a data protection expert
Although the GDPR does not stipulate that small businesses should recruit a data protection officer (DPO), it may still be a good idea for a company to do so. It may also be a requirement if the business is processing sensitive information, as described in Article 9 of the GDPR.
If recruiting a DPO is not possible, the business may want to consider using a third party expert or providing suitable training to someone who already works within the business.
As we mentioned earlier, in the case of third party experts, it is important that the business ensures that the provider is also complying with the requirements of the GDPR. The DPO needs to have in-depth knowledge of the GDPR and knowledge of how to develop a data management process.
Train people within the business
If a business is to comply with the GDPR, it is important that the people who work within it know about the requirements of the GDPR. This is why it is important for small business owners to ensure that everyone who works for them is aware of the GDPR and their responsibilities under it.
It is easy to see why small businesses may believe that the GDPR does not apply to them. There is a belief is that it is intended for larger businesses and companies, or high profile names that have had issues with data breaches in the past. But this is not the case; any small business which processes the personal data of people living within the EU on a regular basis or is involved with the processing of sensitive data needs to comply with the GDPR.
This makes sense, as the GDPR is intended to provide the individual with more control over the way their data is handled, as well as to ensure consistency in data processing procedures, so small businesses need to be involved in the same way as their larger counterparts if the rules for equality of data treatment and respect of rights and freedoms are to apply.