GDPR Compliance, What Small Business Owners Need to Know

As of May 2018, the European General Data Protection Regulation (GDPR) is in place. If you run a small business, failure to comply could see steep fines of up to 4 percent of turnover. Let's take a look at what you need to know.

What is GDPR?

First, we'll deal with what changes GDPR brings into play. There are two main principles:

1. Handing people more control of their personal data2. Introducing a single, unified regulation for businesses across the EU

GDPR applies to every EU business and (in some circumstances) to companies outside the EU that process EU citizens' personal data.If your business's activities include processing extensive personal information, you must appoint a Data Protection Officer (DPO). They'll ensure you comply with GDPR and be the point of contact for queries.

For individuals, the main thrust of the regulation is that they get more rights on how organisations use their data. This legislation could mean having ‘the right to be forgotten' if they don't want you to process their personal data and you've no legal grounds to hang on to it.

If you don't comply, penalties can be harsh. GDPR has introduced fines of up to €20 million or 4% of annual turnover, whichever is the greater.

GDPR: A checklist for small businesses

1. Know your data

You must show that you understand the types of personal data (such as addresses and bank details) and sensitive data (such as religious affiliation) that you hold. You should know where it comes from, where it goes and how you use it.

2. Are you relying on consent?

If you're relying on consent to process personal data, business activities are trickier under GDPR because consent must be clear and explicit. Try to avoid relying on consent.

3. Update your security

Update your security measures and policies to ensure they're GDPR-compliant. Not got any? Get some in place. Use encryption software to protect your data.

4. Deal with access requests promptly

You should respond to access requests within one month. Under Subject Access Rights, people can access all of their data and have anything that's inaccurate corrected. In some circumstances, they can have everything you hold on them erased.

5. Train your staff

Make sure your staff are up to speed on GDPR. They'll need to know what's meant by a serious breach. Build in red-flag processes and report serious breaches within 72 hours. Make sure everyone knows to report mistakes to the DPO.

6. Check your supply chain

Do due diligence on your supply chain. They should be GDPR-compliant to avoid penalties. You must also check your contract terms – suppliers have obligations to meet, such as notifying you promptly of any data breaches.

7. Create fair-processing notices

Under GDPR, you must tell people clearly what you're doing with their data. A fair-processing notice gives them this information. The notice should describe why you're processing their data, which recipient categories you're sending it to, and how long you'll hold it.

8. Do you need a DPO?

Do you need to appoint a Data Protection Officer (DPO)? Probably not as a small business, unless your core activities include ‘regular or systematic' large-scale monitoring of data subjects.

9. What about old data?

You mustn't hang on to personal data longer than necessary, or use it for any reason the person's consent. To ensure compliance, identify your data categories – what personal data you have, and why.

10. What about consent?

Under the new GDPR rules, consent has been redefined. You can no longer bury requests for approval in small print. They must be presented clearly and distinct from other communications. That means the end of the pre-ticked box.For pre-existing personal data, consent might not be needed, provided you have a legal basis that complies with current legislation. If in doubt, it's best to ask for confirmation and keep a record of it. Inactivity is no longer a justifiable way to gain permission.

Why you should care about GDPR?

If you run a small company, you might see GDPR as a pain in the neck. But it's actually an opportunity. Trust is a core tenet of business. So, by showing potential customers you have your legal ducks in a row, you could end up better off.People aren't keen on having their data lost or misused, so protecting your clients from this might be a unique selling point.

Surely, GDPR doesn't apply to your small business?

Wrong. GDPR applies to all EU businesses. Just ask yourself how regularly your business deals with personal data. That includes customers, suppliers, and employees past and present. And is there anything else you've collected that doesn't fall into any of these groups?

GDPR: How to get consent

So, how do you get your customers' consent to use their data? Broadly:

• Don't rely on pre-ticked boxes or default options
• Get explicit consent – a specific statement
• Keep consent requests separate
• Name third parties that rely on the consent
• Make withdrawing consent easy
• Keep all evidence
• Don't make consent a precondition of doing business

Ultimately, consent is all about putting people in control, building trust and engagement and gaining an even better reputation.