The EU General Data Protection Regulation (GDPR) has been in force since May 25, 2018. It is a regulation that applies not only in Europe but around the world: any business that collects or processes the personal data of EU residents is required to comply with GDPR, regardless of where that business is located.
Most large companies started their GDPR compliance efforts well in advance of the GDPR deadline, but many small businesses left it until the last minute, only to discover that a considerable amount of work needed to be done.
If you run a small business and have yet to comply with the requirements of GDPR, or you mistakenly believe that GDPR does not apply to you, you could face a considerable fine for noncompliance. The maximum penalty for noncompliance with GDPR is up to €20 million or 4% of global annual turnover, whichever is higher.
Does GDPR Apply to Small Businesses?
The text of GDPR does draw a distinction between large and small businesses: a small business is defined as one that has fewer than 250 employees. This has led to a common misconception that GDPR does not apply to small businesses. In fact, the only exemption is in Article 30, which states that small businesses are not required to comply with the Article 30 requirements covering the need to maintain records of all processing activities involving the personal data of EU residents.
Even that exemption is conditional. If a small business carries out data processing activities that could result in a risk to the rights and freedoms of data subjects, if its processing activities are not occasional, if it processes the special category data detailed in Article 9(1), or if it processes personal data relating to criminal convictions or offenses, then compliance with the Article 30 requirements is mandatory. Special categories of data include information related to religious beliefs, race, ethnic origin, political beliefs, trade union membership, health, sexual orientation or sex life, genetic information, and biometric information.
Even if a small business does not meet the above criteria, all that means is that it does not have to comply with the record-keeping requirements. It does not mean small businesses are exempt from the other requirements of GDPR.
GDPR applies to all businesses established in EU member states and to any business that collects or processes the personal information of EU residents. GDPR is intended to make businesses think carefully about the privacy of data subjects and to ensure that appropriate safeguards are implemented so that any data collected and processed are secured. GDPR also gives data subjects rights over what is done with their data, including the right to be forgotten, that is, to have their data deleted.
What Do Small Businesses Need to Do to Comply with GDPR?
If you have yet to make a start on your compliance program, the first step is to complete a data audit. You must know where all personal data are held or processed, and those data are unlikely to be in a single place.
Knowing where data are located is needed not only to protect that information but also to act on data subjects' rights. If a data subject exercises their 'right to be forgotten,' all data relating to that individual may need to be deleted. If a valid Subject Access Request (SAR) is received, the business must be able to produce all personal data maintained or processed on that individual, and there are strict time limits for providing that information. It is therefore essential to know where data are located. Small businesses should also note that it is not only customer data that are subject to GDPR: the regulation applies equally to employee data (past and present) and to the data of business contacts and suppliers.
Your data audit must cover all devices (desktop computers, servers, mobile devices, and storage devices) as well as any data that may be stored in the cloud. This is likely to be a time-consuming task. For each set of data you must also record why you are holding or processing it, where it came from, how long it will be retained, and how it will be used.
Consent is required to process personal data. Personal data includes IP addresses, so website owners must also comply with GDPR. Consent must be obtained before any personal data are collected or processed, and that consent must be informed and unambiguous. It is no longer acceptable to obtain consent from website users via checkboxes that are pre-ticked for every use of the data; if that is how you obtained consent before, you will need to obtain it again. It must be made clear to data subjects what information is collected and how it will be used. Personal data cannot be held indefinitely: the information can only be retained for as long as it is required to complete the task for which it was collected. Data collected or processed must be adequately protected, and policies and procedures must be developed to keep the data secure.
Employees need to be trained on their responsibilities under GDPR to ensure that they know how to keep data secure and how the privacy of data subjects must be respected. Businesses must be prepared for data breaches and have a response plan in place, since data breaches must be reported to the supervisory authority within 72 hours of their discovery.
These are just some of the requirements of GDPR that small businesses need to be aware of. It is essential that all small business owners read the text of GDPR, understand its requirements, and ensure they are in compliance with all aspects of the regulation.