Is your organization compliant with the GDPR? Does it need to be?
Too many small businesses in the United States don’t know the answer to those questions. It’s understandable, especially considering that the GDPR is a European law. Plenty of US businesses assume that they don’t need to worry about it because they don’t target European markets and don’t process the data of European citizens on a large scale — but that assumption can get them into a lot of trouble.
Understanding the GDPR
The General Data Protection Regulation is a law that governs the use and security of electronic information. It was passed by the European Parliament in 2016 and took effect for European businesses shortly thereafter. In 2018, it became the law for all companies that have access to data belonging to European Union citizens.
How does GDPR compliance affect small businesses?
Don’t assume that, just because you’re a small business and you don’t specifically target European markets, you have no contact with EU citizens’ data. If you are present on the internet, chances are high that some of the traffic you receive comes from European countries.
Basic GDPR terminology
Here are the most important terms you need to understand as you evaluate your GDPR compliance needs and responsibilities:
- Personal data: Any information that can be tied back to a specific person. The term has the same meaning that “personally identifiable information (PII)” does in the US.
- Data processing: Any action performed on or with personal data. This includes collecting, deleting, storing, sharing and modifying.
- Controller: The organization that determines why and how user data gets processed. This usually refers to the business that’s collecting the information.
- Processor: A company that a controller hires to process personal data.
Data subject rights under the GDPR
- Right of access: Every EU resident has the right to gain a copy of the data that a company has on them as an individual, along with any information that can help them understand how and why this data is used and whether the use of this data is compliant with the regulation.
- Right to be informed: Data subjects can require a controller to disclose how they use personal data.
- Right to restrict processing: Individuals have the right to tell an organization how it may or may not use their data.
- Right to data portability: Data subjects must be able to get their personal information in an accessible format or have it transferred to another controller.
- Right to object: EU residents can require a company to stop processing their personal data.
- Right to rectify: Data subjects have the right to have their personal information corrected or completed.
- Right to non-automated decision-making: Data subjects have the right to not have legally relevant decisions made about them based solely on automated processing.
- Right to erasure: EU residents can require a company to erase their personal data (this right is applicable only under certain circumstances).
Every organization that is required to comply with the GDPR must provide channels through which all customers, partners and employees who are EU citizens can exercise these rights.
Data Protection for Small Businesses Under the GDPR
Is my organization subject to the GDPR?
Any company that processes the data of EU citizens, including third-party processors, can be held liable for improper collection and use of personal data of EU citizens or a data breach of this information. There is no automatic exemption in the GDPR for small businesses, whether they are small to medium-sized businesses (SMBs) or micro businesses.
However, there are certain exemptions for small organizations that don’t process GDPR-regulated personal data on a large scale. Most importantly, if your company has fewer than 250 employees and you process the personal data of EU citizens only occasionally, you are not required to keep records of your personal data processing activities unless any of the following applies:
- Your processing poses risks to the rights and freedoms of data subjects.
- You process this data on a regular basis.
- You process data related to “special categories” of data such as sex, racial or ethnic origin, political opinions, or health status, as defined in Article 9.
Most US businesses that don’t specifically work with or target EU markets and that have fewer than 250 employees will fall under this exemption, but it’s important not to simply assume that includes your organization.
Do we need a data protection officer (DPO)?
The DPO’s job is to make sure your data protection strategy complies with GDPR. You are required to appoint a DPO if any of the following apply:
- You are a public authority that carries out data processing of personal data protected by GDPR.
- Your main activities include systematic monitoring of data subjects on a large scale.
- You process a “special category” of data. Be aware that companies are allowed to process special categories of data only under specific circumstances, such as:
- The subject has given explicit consent to have their data processed for specific purposes.
- The subject has explicitly given the public access to the relevant data.
- Data processing is necessary to provide medical care or for reasons of public health.
- Processing is necessary for the purposes of legal or public interest, the interest of a data subject, or obligations and rights in case of employment relationship, social security and social protection law.
Because there are so many contingencies regarding the processing of data, especially special data, it can be difficult to know whether you need a DPO. It’s always safer to appoint one, and the GDPR recommends having one.
The DPO does not necessarily have to be a separate position; someone already in your company may assume these responsibilities. However, be aware that if you don’t have an EU office, you’ll need to appoint a representative in the EU.
What are the GDPR’s breach notification requirements?
If data regulated by the GDPR is lost, stolen or changed in an improper way, you have 72 hours from the time you discover the breach to notify the relevant supervisory authority. The GDPR also mandates that you notify all affected individuals pretty much immediately after you discover a breach.
However, if there is no risk to anyone’s rights and freedoms, you don’t have to notify either authorities or the affected individuals about the breach. Nevertheless, you still have to document the breach, its effect and all remediation measures that were taken.
How steep are the fines for GDPR violations?
Should you fail to notify the proper authorities about a breach, or are found to be out of compliance with any other part of the GDPR, you could be subject to fines of 4% of your company’s annual revenue or 20 million euros, whichever is greater. European authorities are penalizing not just big and famous companies, like Facebook and Marriott; smaller companies and even individuals are getting fined, too.
How can we ensure that we are GDPR compliant?
Hiring a consultant is often the best way to be sure of your compliance status, but not every small business can afford this expense. To ensure compliance with GDPR on your own, start with an internal audit and make sure you answer the following questions:
- What data do we collect?
- Is there a good reason for collecting all this data?
- How do we store, protect and document the data?
- When we collect new data, do we get the right permissions from the individual?
- How vulnerable are we to cyberattacks?
- If someone asks us to delete, amend or access their data, what is our process for satisfying the request and how quickly can we complete it?
Many companies won’t be able to answer all of these questions on the first pass. To get help, consider a software solution that will help you identify blind spots and ensure you have sufficient technical measures to ensure information security. It is a smart investment in your organization’s future.