What GDPR Means for Small Businesses

The EU’s General Data Protection Regulation (GDPR) law goes into effect on May 25, 2018, and it applies to any company that handles EU consumer data. Here’s what small business owners need to know.

For many in the U.S., the GDPR became known only recently, when it came up during the congressional hearings over Facebook’s data sharing scandal. When Mark Zuckerberg testified that Facebook will be implementing all the guidelines set forth in the GDPR, many viewers asked themselves, “What in the world is the GDPR?”

The GDPR prescribes rules for protecting the private and personal data of citizens within the European Union. The regulations require companies (called “data processors” or “data controllers,” depending on their role) to establish documented processes that robustly protect the data of any EU customers, employees, suppliers or anyone else whose data they collect (collectively called “data subjects”). This data can include names, contact details, medical information, credit card numbers, bank account numbers or anything else that can be considered personal or private. Protection begins by notifying individuals that you will be collecting certain data, whether in sales contracts, in terms of service agreements or on websites, and getting their consent. These notifications must be clear and easy to understand. Upon request by an individual, a company must deliver that person’s data for review within one month, at no charge, and in a portable format that can be used to switch providers. Individuals have the right to erasure, which means a company must delete all of an individual’s stored data upon request, unless the data must be retained for legal reasons, such as taxes. Finally, if a company suffers a data breach, it must report the breach to the appropriate authorities in a timely fashion.

While Article 30 of the GDPR seems to imply that these regulations don’t apply to small businesses (fewer than 250 employees), there is a big exception that will pull in a large number of them. If a small business processes personal data in a way that affects the “rights and freedoms” of EU citizens, processes their personal data regularly, or processes data qualifying under Article 9 (a wide range of information including race, sexual orientation, religious or philosophical beliefs, health, political opinions, etc.), then it must comply with the GDPR.

Penalties for non-compliance are stiff and include costly fines that could really hurt a small business. Compliance won’t be easy, and many experts suspect that most small businesses are nowhere close to ready, or even aware of these requirements.

Some commentators view the GDPR as a racket and a shakedown, with a combined $7.8 billion invested so far in compliance by American companies alone. If you’re a small business owner hoping for safety in numbers, just one small non-compliant American company running in a large herd of non-compliance, weigh that gamble carefully. In this digital age, EU authorities will be able to quickly audit businesses at global scale, and you can be assured that plenty of EU citizens will begin to make independent demands of the companies that hold their data.