What GDPR Means for Small Businesses
Since 25th May 2018, businesses that process personal data relating to data subjects in the European Union (EU) are subject to the General Data Protection Regulation (GDPR) regardless of their size or location. The likelihood is that most small businesses maintaining a database of customers, employees, and/or business contacts will be required to comply with GDPR. Processing personal data means essentially any operation that is performed on personal data; storing, sharing, deleting, collecting and modifying are some examples of data processing.
So, what does GDPR mean for small businesses? Practically the same as it does for large enterprises and organizations. If your business processes Personal Data or Personally Identifiable Information (PII) in the US, which is data that can be used to identify specific individuals, the business is subject to the rules of GDPR, even where the data is maintained manually in a structured paper-based format. Due to the substantial potential penalties for breaches of GDPR, the safest option is to assume GDPR compliance will apply unless your business is not based in the EU and does not sell or plan to sell to data subjects in the EU.
A “Controller” under GDPR is the organisation or business which determines the purposes of the processing of personal data, while a “processor” carries out the processing of the personal data on behalf of the “Controller”. A “processor” can further engage “sub-processors”, and the “Controller” would have visibility and approval rights over these “sub-processors”.
The GDPR does not refer to customers or clients; the language used most consistently throughout the GDPR is “natural person” or “data subject”, and ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). For the purpose of this article, data subjects, end clients and customers will be referred to as “data subjects”.
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Article 4 of GDPR contains a full list of definitions.
What is the Objective of GDPR?
To gain a better understanding of what GDPR means for small businesses, a good place to start is to understand the objectives of the Regulation. GDPR is an enforceable Regulation designed to protect the privacy of EU data subjects and give them more control over the processing of their personal data, regarding what personal data is collected, how it is used, who it is shared with, and the length of time it is kept. The GDPR gives data subjects more extensive rights and places greater obligations on businesses or organisations who process the personal data of data subjects. Some of the ways in which GDPR achieves its objective include:
- Stipulating that a business can only collect personal data if there is a legal reason (a “legal basis”) to do so.
- Stipulating that where consent is the legal basis, data subjects must give freely given, specific, informed and unambiguous consent for their personal data to be processed. Data subjects must be able to withdraw consent as easily as it was given.
- Stipulating that data subjects have the right to request that their personal data is deleted. The deletion of their personal data is not an absolute right; where the business has a legal obligation to retain the data, it may do so, minimising the data retained where possible.
- Stipulating that data subjects can request a digital copy of their personal data in a machine-readable format to give to another business; this is one of the many data rights of the data subject or individual. The full rights of data subjects are covered in Articles 12-22 of GDPR.
- Stipulating that organisations must implement appropriate Technical and Organisational measures to keep personal data safe and secure.
- Stipulating data breaches must be reported to the appropriate authority within 72 hours where there is a risk to the rights and freedoms of data subjects.
- Stipulating that the principles of the GDPR must be applied to the processing of personal data and that the business must be accountable and keep records to demonstrate compliance.
- Stipulating that the business or organisation must have privacy by default and by design as a core principle.
Keeping data secure may be the biggest headache for many businesses. There are many different types of internal and external threats to data security – and not just from malicious actors. Genuine mistakes such as sending an email to the wrong person, failing to encrypt a cloud storage bucket or leaving an unencrypted USB key by accident on a bus can lead to data being accessed without authorization; and, once a data breach has occurred, there is no knowing how the data will be used.
The Penalties for Non-Compliance with GDPR
A lot has been written about how non-compliance with GDPR could cost businesses up to €20 million or 4% of their global turnover, but these high figures will only be applied in extreme circumstances. Although EU authorities will be able to impose fines on a discretionary basis, most have said they will use other “corrective powers and sanctions” to encourage businesses to enhance GDPR compliance.
Other “corrective powers and sanctions” include issuing a warning, imposing a ban on data processing, ordering the rectification or deletion of data, and suspending data transfers to non-EU countries. Stiffer penalties will be imposed for failing to comply with data collection rules for children, processing or sharing data without obtaining consent, and for maintaining data longer than its legal purpose.
What is important to note is that there does not have to be a data breach for a business to be non-compliant with GDPR. Any non-compliant action or lack of action can result in a penalty. For this reason, small businesses need to be aware of the GDPR requirements – with extra attention being paid to “special category data” covered in Article 9 of GDPR.
What Special Category Data is Covered in Article 9?
Special category data is personal data which GDPR says is more sensitive and could put an individual at risk of unlawful discrimination if used improperly or disclosed without authorization. Consequently, when processing this special category data, businesses may need a separate legal basis; for example, where consent is the legal basis, explicit consent must be given by the data subject. Explicit consent is a higher standard of consent and may take the form of, for example, a signed form. Special category data covered in Article 9 of GDPR includes any Personal Data relating to:
- ethnic origin
- political affiliation
- trade union membership
- biometrics (where used for ID purposes)
- sexual orientation
Data relating to criminal offenses is subject to the same controls as special category data; businesses can only keep a “comprehensive register of criminal convictions” if they have legitimate grounds and GDPR compliant protections in place. In some cases, background checks on criminal offenses may be mandatory, for example, vetting for adults working with children.
How to Comply with GDPR for Small Businesses
The following considerations may provide an indication of the most important tasks that will be needed for US businesses to be GDPR compliant:
Audit your data
Auditing the data your business holds will not be a trivial task, but it will enable you to make many informed decisions on how to comply with the GDPR.
Key questions to answer include:
- where your data is stored;
- why certain kinds of personal data are being processed;
- what the legal basis for processing is;
- how long the data is retained;
- who currently has access to personal data and who should have access moving forward;
- whether the appropriate technical and organisational controls are in place; and
- how much duplication of customer personal data exists across multiple sites.
All these areas need to be addressed before you can decide on the best course of action for your business. This first step, creating a holistic view of where all the different types of your customer data are residing, is a critical one. If you don’t know what personal data you hold, you can’t make any plan around that data.
Data Protection Impact Assessments (DPIAs) may need to be carried out by businesses before new processing starts, to ensure that data protection by default and by design, a key GDPR concept, is in place and to examine any risks to data subjects arising from the new processing. Most European data protection commissioners give guidance on their websites about DPIAs and when they should be carried out.
Audit your service providers
The task of auditing your service providers’ compliance is where a lot of US businesses may fall flat, and it may be where the most significant risk resides in your business. You will need to review your agreements with third-party service providers who process personal data on your behalf and sign data processing agreements. The data controller is obliged to sign such contracts under GDPR, and the data processor can only act on the Controller’s instructions.
If one of your data service providers is not able to prove that they are on the right side of GDPR compliance for US businesses, then the work they do related to the personal data of your data subjects in the EU could be deemed non-compliant and put the controller at risk.
The right to be forgotten and other Data Subject Rights
The GDPR introduces two additional rights for people in the EU that are covered by the regulation: the right to be forgotten (erasure) and the right to portability of their data. The rights of data subjects under GDPR are extensive and are governed by Articles 15-22 of GDPR. Those rights also include the right of access (to receive a copy of their personal data), the right to rectification and restriction of processing, and the right to object to processing, including automated processing and profiling.
These rights may lead to a significant increase in requests from data subjects in the European Union and businesses and organisations must ensure they are set up and staffed correctly to deal with them.
Controllers and Processors
You will need to understand whether you fall into the category of a data processor or a data controller under the new GDPR guidelines. A data processor is a business that processes personal data on behalf of a controller. A data controller is a business that determines the purposes and means of how customer data is to be processed. Both Controllers and Processors have different implications concerning how they comply with the GDPR for US businesses, and your business could be both a data controller and data processor at the same time.
To complicate matters even further, a data controller can have multiple data processors, and each processor in turn can have multiple sub-processors. Under the new Regulation, the data controller is liable for the actions of the data processors that they work with in the market. It is essential that US businesses carefully select their data processors where the data of data subjects in the EU is being processed and sign data processing agreements with them. A data processing agreement should govern the relationship between a controller and a processor and, in turn, the processor’s sub-processors. The agreement should include all aspects of data protection governance; Articles 28 and 82 of the GDPR detail what these agreements or contracts should cover.
GDPR Penalties and Fines
The new enforcement procedures and fines associated with GDPR compliance are perhaps the aspects which have most US corporate leaders sitting up and paying close attention.
The hefty penalties associated with non-compliance with GDPR could potentially reach into millions of dollars. Businesses that do not comply will fall into one of two penalty categories, and the higher of these could cost €20 million or 4% of the business’s annual turnover, whichever is higher. Apart from any financial penalties, data protection regulators have the power to order a business to cease processing.
It is highly likely that the first businesses to be penalized for non-compliance will receive significant attention. The reputational damage to businesses that do not comply with the new law could be more costly than the GDPR fines themselves.
It is very possible that some of your competitors will be preparing to use GDPR compliance as a competitive advantage to position themselves ahead in the marketplace.
Are you prepared to suffer the reputational damage that non-compliance could bring to your business? In the months and years ahead, data privacy could become the new arena for marketers to compete and win new customers, and your business should be preparing for that battle.
Data Protection Officer
In some cases, businesses will need to recruit a Data Protection Officer (DPO). Article 37 of the GDPR sets out when a DPO is mandatory, and Article 38 explains the position of the DPO.
The GDPR is going to impact almost all operational teams within your business. Complying with the new regulation is going to require a lot of hard work, and it may be a best practice to centralize all the work under one person’s responsibility rather than having multiple data ‘chiefs’ within your business. If someone is accountable, then they take charge and put things into motion to achieve compliance.
A business with no establishment in the EU that regularly processes the personal data of EU data subjects may be required to appoint a representative based in the EU to facilitate contact with EU regulatory authorities and EU data subjects.
Data Breach Notification
If a data breach does occur, your business must report the event to the appropriate data protection authority within 72 hours of becoming aware of the event.
Each EU member state has its own data protection authority that will be responsible for implementing the GDPR rules. Where the data breach poses a high privacy risk, a high risk to the rights and freedoms of data subjects (your customers), then those customers must also be notified by your business.
Prepare for Data Breaches
You will need to review and update the internal processes that you currently have in place at your business to detect, report, and investigate data breaches once they happen so you can comply with the timeframe and rules set down by the GDPR and supervisory authorities.
Record of Processing, Legal Basis and Consent
You will need to document the record of processing as set out in GDPR article 30 and understand and document the appropriate legal basis for processing of personal data. Understanding your legal basis should be part of the data audit. Where consent is the legal basis, for example for marketing lists, a business must be able to demonstrate how that consent was obtained. Consent should be granular, specific, freely given by an unambiguous affirmative action and as easy to withdraw as to give.
There is one exception, in paragraph 5 of Article 30 of the GDPR, which may apply to small businesses: a business or organisation employing fewer than 250 persons may be exempt from maintaining records under Article 30. This exemption does not apply where the processing is not occasional, is likely to result in a risk to the rights and freedoms of data subjects, or involves special categories of data or criminal data.
While a large part of the GDPR regulation focuses on how businesses look after their consumers’ data, your business will also have to apply the GDPR standards to employee data.
Data Retention Policy
A data retention policy is a key GDPR component and the documentation and accountability requirement under GDPR means that the retention policy of organisations and businesses needs to be documented. To comply with the GDPR, it makes sense for organisations and businesses to audit the data they hold, document a data retention policy considering their statutory requirements and regularly review their processing and personal data held in line with their retention policy. The GDPR brings a requirement to demonstrate extra accountability so the organisation or business must be able to demonstrate compliance.
Once you have an understanding of GDPR, you should conduct an audit of what data you collect from EU subjects, how it is processed, and how it is stored (and where it is stored if it is transferred outside the EU). You also need to consider how consent is obtained to collect and process the data, and what measures need to be put in place so EU citizens can request access to their data, correct it, prevent elements of it being processed, or request its deletion.
The next step for small businesses is to conduct a data security risk assessment. This should reveal any vulnerabilities and weaknesses in your physical, technical, and administrative processes that need to be patched to avoid a data breach. Once policies have been created to fill the gaps in your data security, every employee in your business needs to be made aware of the policies and the importance of operating within GDPR.
Finally, you also need to check every business with whom you share PII is also GDPR compliant. If you collect the data of an EU subject, and the data is disclosed without authorization by a partner business, you may still be liable for the data breach. Although the breach may be no fault of your own, EU authorities will consider that you failed to conduct appropriately stringent due diligence on the businesses you are sharing data with.
Conclusion: GDPR Compliance is Important for Small Businesses
GDPR compliance is as important for small businesses as it is for large multi-national corporations. Consequently, many businesses have chosen to appoint a Data Protection Officer (DPO) to address the GDPR requirements, or to engage a consultancy business to get their GDPR preparations started before delegating the role to an existing employee. For further information about this option, please refer to our article “Do Small Businesses Need to Appoint a DPO under GDPR?”
Enforcement actions have already started against non-compliant businesses, even when a data breach has not occurred. In one of the first reported enforcement actions, a small hospital group in Portugal was fined €400,000 for not having adequate access controls, while a subsequent action was taken against a Canadian marketing business that targeted social media users and processed their PII without having a legal basis to do so, or the users’ consent.
A lack of knowledge is not an adequate excuse for failing to be GDPR compliant. Every business, from a sole trader to a multi-national corporation, needs to look at how it processes personal data, whether as a Controller or a Processor, and make sure the processes and policies around personal data are in place. There must also be measures in place to facilitate data access requests, and procedures in place to identify and report a data breach should one occur. Putting in place appropriate technical and organisational measures to keep data safe and secure is also key.