The General Data Protection Regulation (GDPR) came into effect in 2018 and has been a huge talking point in recent years. This legislation affects most businesses, so whether you are currently a business owner or you’re considering starting up a business, this is something you need to be clued up on.
In this training guide, Evalian take an in-depth look at what GDPR actually is, how it impacts small businesses and what this means for you. We’ll also help you to discover whether you’re already GDPR compliant and what you can do if you’re not.
What is GDPR?
The General Data Protection Regulation is EU legislation designed to protect the rights of all EU citizens. In today’s technological world there are many businesses and services that operate online, not to mention the variety of social media platforms out there, and businesses are always collecting data about their customers. All of these require people to share very personal information, which in turn has seen the misuse of this personal data increase.
For this reason, new legislation was put in place to protect the rights of those sharing their data, particularly online. So, in a nutshell, the laws give people more control over their own data. The legislation is designed to protect personal information such as names, addresses, emails, bank details, photos and social media content. But more than that, it also protects sensitive data such as medical records, religious or political beliefs and details about your sexual orientation.
Originally passed by the European Parliament back in 2016, the new legislation officially came into force in 2018. As a result, all businesses must now be GDPR compliant in order to prove that they are protecting the personal data of their customers or users. For many businesses this has meant implementing new systems and changes.
How Does This Affect Small Businesses?
The new regulations affect almost all businesses. As EU legislation, it applies to everyone handling the personal data of EU citizens, no matter what country they are based in. Otherwise they face backlash and potentially even being barred from working with EU-based companies. As such, 99% of businesses are going to be affected by these changes in some way, some more so than others.
As a small business it can be tempting to think of GDPR as a burden and something that isn’t really relevant to you, especially when you’re starting out and already have a huge to-do list to deal with. And while it’s understood that smaller businesses holding less data pose less of a risk, it always pays to be GDPR compliant anyway.
The long and short of it is, if you are established in the EU and you process data from EU citizens, you need to follow GDPR. Routinely collecting personal data, whether that’s on your phone, in an Excel spreadsheet or in the cloud, means you need to understand this legislation. Besides, it’s actually easier to follow these rules than it is to try and find a way around them.
What If I’m Not GDPR Compliant?
As mentioned above, the governing body is aware that small businesses pose less of a threat, so it is willing to be more lenient. However, not being GDPR compliant can land you in hot water. Bigger businesses face fines of up to $10 million. And while it’s unlikely you’ll receive this as a smaller business, it’s best to be proactive and follow the rules as closely as possible. Otherwise you could find yourself receiving a very unwanted fine.
How Can It Help Me?
While it might feel like a complicated additional stress for your business, being GDPR compliant does have its perks! Firstly, it prepares you for the growth of your business – after all, you might not always be a small company. Secondly, it protects you from facing a large fine, and from complaints and claims from users and customers of your business.
But perhaps what is most important to you as a small business owner is that it can help you to boost your brand and gain the trust of your customers. If you can prove to people that you care about their privacy and that you have all the right systems in place to protect them, they’re more likely to choose your business time and time again.
Because let’s face it, no one wants their data stolen or misused; most of us have been on the receiving end of an unwanted phone call or email as a result of our data being shared. So building the trust of your existing clients could also help you to boost your brand and attract more people to your business in the future.
How Can My Small Business Be GDPR Compliant?
There are several steps you can take to ensure your small business is GDPR compliant and we’ll outline these in more detail below.
Know What Data You Have – you need to understand what constitutes personal and sensitive data. You also need to understand how you’re recording this data, where you’re collecting it from and how you’re using it. Being clued up will help you comply with the legislation more easily.
Ask For Consent – asking for consent can be a grey area. Many smaller businesses try to avoid it because it means writing out the terms and conditions of data usage in layman’s terms so that everyone can easily understand them. But to be sure you’re covering yourself, it’s always best to ask for consent first.
Create A ‘Fair Processing Notice’ For Your Customers Or Users – if you’ve already built up a mailing list, it’s a good idea to put together a ‘fair processing notice’ to send to all users or customers. This outlines how their data is being used by your business and their rights to access this data.
Ensure You’ve Got Proper Security Measures In Place – make sure you’ve got the best security systems in place, whether that’s up-to-date technology, strong passwords, firewalls and so on. You can always hire a professional in the first instance to help you put these systems in place.
Prepare To Meet Access And Deletion Requests – users have the right to request their information from you at any time, at which point you must send them a document containing all the information you have collected about them. They can also ask for this to be removed from your system at any time, so be prepared for these requests.
Train Your Employees To Report A Breach – teach your employees the GDPR basics and how to recognise and deal with a security breach. Should you fall victim to a security breach, GDPR guidelines specify that it must be reported within 72 hours.