Small Businesses and GDPR: Navigating the Data Privacy Maze
Remember back in May when your inbox filled with dozens of emails and your push notifications from your personal apps, websites, and newsletters went into hyperdrive?
On May 25, 2018. The day the Internet officially changed.
The 99 articles explained within 11 chapters of the General Data Protection Regulation (GDPR) constitute the largest ever change to data privacy laws. While this new form of privacy law stems from the European Union, these new rules reign over citizens and Internet users here in the United States, too. And, yes, your own small business certainly counts.
Regardless of how large or small your company is, you have to be compliant. Here's what you need to know to be well-versed on what matters when it comes to the GDPR regulations.
According to CSO, the GDPR “will apply to all companies handling the consumer data of citizens within the European Union (EU), no matter the size, industry or country of origin of the business.”
Large companies like Spotify and eBay have consumers all over the world, which is why they’re targeting every consumer—even the ones living in the United States, like you.
What does GDPR compliance look like?
Anyone involved in processing EU consumer data, including third-party entities involved in data processing, can be found liable for a breach.
When an individual no longer wants a company to process their data, the data must be deleted.
For companies collecting customer data or processing sensitive data on a large scale, they must appoint a data protection officer.
Companies and organizations must notify national authorities of serious data breaches within 72 hours of detecting a breach.
For children under a certain age using social media, parental consent is required.
Individuals have a right to data portability to enable them to transfer their data easily between services.
Is your small business already GDPR compliant?
First, understand what kind of information you handle. Become familiar with what information you do collect from customers who support your small business. Are you collecting names, email addresses, banking details? Is this data considered sensitive data?
To do: Learn what data you do come into contact with, understand how long this data is stored, and how data like this is used.
Receive consent from customers
Within the GDPR parameters, consent needs to be explicit, clear and specific. These small changes may affect your current marketing strategies, adding a challenge. On your company website, make certain your privacy policy is clearly visible. Within this, explain when you plan to use processed personal data.
To do: Develop and share your privacy policy on your company website
Updating your security measures
If you’re not sure whether you have a data protection policy in place, develop one. Encryption is a recommended option, especially since having encryption as a layer of security can help your business avoid costly fines if there is ever a breach of data.
To do: Look into encryption options.
Why does GDPR compliance matter?
Understanding the implications of not becoming GDPR complaint is also crucial. Even if noncompliance is accidental, fines for non-compliant “firms” can cost you. Severe fines can creep upwards into 20 million euros ($23.6 million) or 4% of total revenue.
The bad press of having your business in the news for being non-GDPR compliant will hurt business too. Customers want to be certain their data and privacy is protected. High level of customer service is no longer only a firm handshake and eye contact. These days, customer service includes data protection too.
Privacy is a top concern for consumers. Utilize the GDPR as a time to gain the trust of your customers once again. Prove to them you and your small business respects personal data.