What GDPR Means for Small Businesses
Since 25 May 2018, businesses that collect, process, or store personal data relating to individuals in the EU have been subject to the General Data Protection Regulation (GDPR) regardless of their size or location. An exemption exists for organizations with fewer than 250 employees, but it is narrow: under Article 30(5) it only relieves them of the duty to keep written records of processing activities, and even that relief falls away if the processing is not occasional, is likely to result in a risk to the rights and freedoms of data subjects, or involves special category data. The likelihood is therefore that most small businesses maintaining a database of customers, employees, and/or business contacts will be required to comply with GDPR in full.
So, what does GDPR mean for small businesses? Practically the same as it does for large enterprises and organizations. If your business collects, processes or stores personal data (the Regulation's term for what is often called Personally Identifiable Information, or PII) that can be used to identify a living individual, directly or indirectly, the business is subject to the rules of GDPR – even if the data is maintained manually in paper records kept in a filing cabinet, provided those records are organized so that particular individuals can be looked up. Due to the substantial penalties for breaches of GDPR, the safest option is to assume GDPR compliance applies in all circumstances.
What is the Objective of GDPR?
To gain a better understanding of what GDPR means for small businesses, a good place to start is to understand the objectives of the Regulation. GDPR is an enforceable Regulation designed to protect the privacy of individuals in the EU and give them more control over what data is collected, how it is used, and the length of time it is kept. Some of the ways in which GDPR achieves its objective include:
- Stipulating your business can only collect and process personal data if it has a lawful basis for doing so under Article 6 (consent is one of six such bases; the others include performance of a contract, compliance with a legal obligation, and legitimate interests).
- Stipulating that when personal data is collected, you must make it clear to the individual what it will be used for, on which lawful basis, and for how long it will be kept.
- Stipulating that where you rely on consent, it must be freely given, specific, informed, and unambiguous; pre-ticked boxes or silence do not count as consent.
- Stipulating data subjects have the right to withdraw their consent at any time and to request that their data is deleted (the right to erasure, which applies in defined circumstances rather than unconditionally).
- Stipulating data subjects can request a copy of their personal data in a structured, commonly used, machine-readable format to give to another business (the right to data portability).
- Stipulating that personal data must be protected by technical and organizational measures appropriate to the risk in order to prevent unauthorized access (Article 32 names pseudonymization, encryption, resilience, and regular testing of the measures as examples, but does not prescribe where or how data must be stored).
- Stipulating that data breaches must be reported to the supervisory authority within 72 hours of the business becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and that affected individuals must be told without undue delay where the risk to them is high.
Keeping data secure is the biggest headache for many businesses. There are many different types of internal and external threats to data security – and not just from malicious actors. Genuine mistakes such as leaving a cloud storage bucket publicly readable can lead to data being accessed without authorization (encrypting the bucket at rest does not help if the access policy lets anyone read it); and, once a data breach has occurred, there is no telling how the exposed data will be used.
The Penalties for Non-Compliance with GDPR
A lot has been written about how non-compliance with GDPR could cost businesses up to €20 million or 4% of their global annual turnover, whichever is higher, but these extreme figures will only be applied in extreme circumstances. Although national supervisory authorities are able to impose fines on a discretionary basis, most have said they will use other “corrective powers and sanctions” to encourage businesses to enhance GDPR compliance.
Other “corrective powers and sanctions” include issuing a warning or reprimand, imposing a temporary or permanent ban on data processing, ordering the rectification or deletion of data, and suspending data transfers to recipients in non-EU countries. Article 83 sets two tiers of fines: the higher tier (€20 million or 4%) applies to breaches of the basic processing principles, including the conditions for consent and the special category rules, to breaches of data subjects' rights, and to unlawful international transfers; the lower tier (€10 million or 2%) applies to obligations such as security of processing, breach notification, appointing a DPO where required, and the conditions for children's consent. Keeping data longer than the purpose for which it was collected requires breaches the storage limitation principle and so falls in the higher tier.
What is important to note is that there does not have to be a data breach in order for a business to be non-compliant with GDPR. Any non-compliant action or lack of action can result in a penalty. For this reason, small businesses need to be aware of the GDPR requirements – with extra attention being paid to “special category data” covered in Article 9 of GDPR.
What Special Category Data is Covered in Article 9?
Special category data is personal data which GDPR says is more sensitive and could put an individual at risk of unlawful discrimination if used improperly or disclosed without authorization. Consequently, when collecting special category data, businesses need to be specific about why the data is being collected and what it is being used for, and, in addition to an Article 6 lawful basis, must be able to point to one of the specific conditions in Article 9(2) (for example explicit consent, or an employment-law obligation). It also needs more protection. Special category data covered in Article 9 of GDPR is any personal data revealing or concerning:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data (where used to uniquely identify a person)
- health
- sex life
- sexual orientation
Data relating to criminal convictions and offenses is not itself special category data but is subject to similar restrictions under Article 10: it may only be processed under the control of an official authority or where Union or Member State law specifically authorizes it, and a “comprehensive register of criminal convictions” may only be kept under the control of an official authority. This makes it difficult to find out whether prospective employees have a criminal history, and because consent must be freely given, if a prospective employee declines to consent to a criminal screening check you must not allow that decision to prejudice their employment prospects.
How to Comply with GDPR for Small Businesses
Once you have an understanding of GDPR, you should conduct an audit of what personal data you collect from individuals in the EU, how it is processed, where it is stored, and whether it is transferred outside the EU/EEA (and, if so, on what legal basis). You also need to record the lawful basis you rely on for each processing activity and, where that basis is consent, how the consent is obtained and evidenced. Finally, you need to put measures in place so that individuals can request access to their data, have it corrected, restrict or object to its processing, or request its deletion, and so that you can answer such requests within the one-month deadline the Regulation sets.
The next step for small businesses is to conduct a data security risk assessment. This should reveal any vulnerabilities and weaknesses in your physical, technical, and administrative processes that need to be addressed to avoid a data breach. Once policies have been created to fill the gaps in your data security, every employee in your business needs to be made aware of the policies and the importance of operating within GDPR.
Finally, you also need to check that every business with whom you share personal data is also GDPR compliant. Where another business processes the data on your behalf (a payroll provider or a cloud host, for example), Article 28 requires a written contract setting out what the processor may do with the data and the security measures it must apply, and you remain responsible for the processing. If you collect the data of an individual in the EU and the data is disclosed without authorization by a partner business, you may still be liable for the data breach. Although the breach may be no fault of your own, a supervisory authority may consider that you failed to conduct appropriately stringent due diligence on the businesses you are sharing data with.
Conclusion: GDPR Compliance is Important for Small Businesses
GDPR compliance is as important for small businesses as it is for large multi-national corporations. Consequently, many businesses have chosen to appoint a Data Protection Officer (DPO) to attend to the GDPR requirements (mandatory only in the circumstances set out in Article 37, but permitted for anyone), or to engage a consultancy company to get their GDPR preparations up to scratch before delegating the role to an existing employee. For further information about this option, please refer to our article “Do Small Businesses Need to Appoint a DPO under GDPR?”
Enforcement actions have already started against non-compliant businesses – even when a data breach has not occurred. In one of the first reported enforcement actions, a hospital in Portugal was fined €400,000 for not having adequate access controls over patient records, while a subsequent action was taken against a Canadian marketing company that targeted social media users and processed their personal data without having a legal basis to do so, or the users' consent.
A lack of knowledge is not an adequate excuse for failing to be GDPR compliant. Every business from a sole trader to a multi-national corporation needs to look at how it collects, processes, shares, and stores data in order to make sure the processes and policies are in place to protect the confidentiality and integrity of that data. There also have to be measures in place to facilitate data access requests, and procedures in place to identify and report a data breach should one occur.