What the GDPR means for small businesses

The GDPR has caused some confusion among small businesses. Many small businesses assume that the General Data Protection Regulation (GDPR) does not apply to them. If you are a small business owner who believes this to be the case, you could be in for a shock when the GDPR comes into force on 25 May 2018.

It’s certainly true that Article 30 of the GDPR states that small businesses will not be bound by the new regulation, but this exemption does not always apply. Small business owners need to pay attention to the GDPR and look at what it means for their business, or they could end up facing sanctions they did not expect. These sanctions can include costly fines, which would be bad news for any small business.

What effect could GDPR have on small businesses?

For the purposes of the GDPR, a small business appears to be classified as one with fewer than 250 employees. Any business with more than 250 employees is required to comply with the GDPR and to enlist the services of a Data Protection Officer (DPO).

Businesses with fewer than 250 employees are required to comply with the GDPR if their data processing could affect the rights and freedoms of individuals, if they process personal data on a regular basis, or if they process data covered by Article 9 of the GDPR. If any of these apply to a small business, it needs to ensure that it complies with all aspects of the GDPR.

What does Article 9 of the GDPR refer to?

There are certain items of personal data that may not be processed under GDPR rules unless the data subject gives express permission to use the data for a specific purpose. These items of personal data include religious and political beliefs and sexual orientation. In some EU member states it may be prohibited to process this type of data even if the data subject gives consent. Any small business involved in processing data of this sort needs to pay attention to this.

Specific issues for small businesses

There are some considerations that are likely to apply more to small businesses than to other organisations. For instance, many small business owners rely heavily on networking to create important contacts. With this in mind, it’s important to note that small business owners will no longer legally be able to simply add email addresses taken from business cards to their email contact lists, unless they have specific consent to do so from the individual who gave them the card. The same applies to using the email addresses of LinkedIn contacts. Anyone who wants to add someone’s details to a contact list needs direct consent to do so; it’s not enough to assume that handing over a business card implies consent.

Many small businesses do not actually process their own data, due to a lack of available resources. It’s important for businesses to remember that the third parties they use are also regarded as data processors as far as GDPR compliance is concerned. This means that small businesses need to ensure that their contracts with those third parties include all of the requirements necessary for GDPR compliance.

Many small businesses rely heavily on laptops when accessing and processing data. It’s important to note that password protection alone is not sufficient to protect personal data on a laptop for the purposes of GDPR compliance. It’s a good idea to also encrypt the data to ensure its security.

The global reach of the GDPR

These considerations do not apply only to small businesses within the EU. The GDPR applies to the personal data of anyone who lives within the EU. This means that any small business which processes the personal data of EU citizens could be bound by the GDPR, no matter where in the world the business is based. Given that a large amount of trade, even for small businesses, is carried out online, it’s easy to see that the GDPR has a global reach.

What small business owners need to do

So it’s clear that the GDPR applies to many small businesses across the world. But what do small business owners actually need to do to ensure that their business is compliant?

Check the details of the GDPR

The first thing that any small business owner should do is check the details of the GDPR. They need to be aware of what constitutes compliance in order to consider whether the processes and procedures of the business meet GDPR requirements.

Audit the data currently stored

In order to comply with the GDPR, any organisation, including a small business, needs to know what data is being held, where it’s being held, why it’s being held and who is responsible for managing it. It also needs to check whether appropriate consent is in place and whether the data should still be processed at all. This last point can be especially important for small businesses: holding less data makes it a lot easier to manage and reduces the likelihood of issues occurring. Not only does it make sense to delete data once the purpose for using it no longer exists, it’s also a stipulation of the GDPR.

Check processes and procedures

We have already mentioned that businesses need to know what data is being held, where and how, and who is responsible for managing it. This is why any small business needs to have processes and procedures in place to enable compliance with these requirements. They also need to fully document these processes and procedures so that they can prove their compliance.

Check consent processes

Once the GDPR comes into force, businesses will need to ensure that they have consent to process personal data unless another valid legal basis for processing the data applies. Consent needs to be obtained for each specific purpose of processing, and it needs to be explicit. This means that the data subject must be aware of what they are consenting to, and they must take a positive action to agree. As a result, it’s no longer permitted for a business to use pre-checked tick boxes.

Recognise high risk data and processes

Certain items of personal data, such as those covered by Article 9 of the GDPR, present a high risk. Small businesses might also recognise that certain aspects of their own data processing present a high risk. Every business needs to mitigate these risks by producing detailed plans and procedures to follow. If it appears that no mitigation is possible, the business should seek permission from the relevant Data Processing Authority (DPA) before processing the data.

Plan for a data breach

Although small businesses should do everything they can to ensure the security of the data they process, they should also plan for the worst. Under the GDPR, data breaches need to be reported within 72 hours. Every small business needs to be in a position to meet this deadline.

Consider hiring a data protection expert

Although the GDPR does not stipulate that small businesses should recruit a data protection officer (DPO), it could still be a good idea for businesses to do so. It may also be a requirement if the business is processing sensitive information, as described in Article 9 of the GDPR. If recruiting a DPO is not a possibility, the business may want to consider using a third-party expert, or providing suitable training to someone who already works within the business. As we mentioned earlier, in the case of third-party experts it’s important that the business ensures the provider is also complying with the requirements of the GDPR. The DPO needs to have in-depth knowledge of the GDPR and of how to develop a data management process.

Train people within the business

If a business is to comply with the GDPR, the people who work within it need to know about its requirements. This is why it’s important for small business owners to ensure that everyone who works for them is aware of the GDPR and of their own responsibilities under it.

It’s easy to see why small businesses may believe that the GDPR does not apply to them. The belief is that it’s intended for larger businesses and companies: high-profile names that have had issues with data breaches in the past. But this is not the case: any small business which processes the personal data of people living within the EU on a regular basis, or which is involved in the processing of sensitive data, needs to comply with the GDPR.

This makes sense, as the GDPR is intended to give individuals more control over the way their data is handled and to ensure consistency in data processing procedures. Small businesses therefore need to be involved in the same way as their larger counterparts whenever the rules for inclusion apply.