GDPR stands for the General Data Protection Regulation; an EU regulation coming into effect in May 2018. All affected businesses will need to comply by 25th May 2018. Though implementation may seem inconvenient or confusing to small business owners, it presents a significant step forward for consumers in an increasingly data-driven world.
Does GDPR affect me and my small business?
If you offer goods or services to EU residents (EU data subjects) then this will affect you, regardless of the size of your organisation or whether your business is located in the European Union or not.
Chances are that your small business holds personal information belonging to your website visitors and/or customers – you may not realise just how much. This personal data can be in the form of names, telephone numbers, postal addresses, IP addresses, or even cookie strings.
The GDPR definition of Personal Data:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
So basically anything and everything, from a photo or an email address to a biometric fingerprint or facial recognition. Just because you do not have their name (for example, a customer is using a pseudonym as their online username or is not logged in) doesn’t mean that their activity is completely anonymous and unidentifiable.
What do small businesses have to do?
The first step is to make yourself aware of how GDPR affects your particular business. This includes assessing what personal data you collect from individuals (data subjects), as well how it is stored, how it is obtained, and how it is shared.
Based on this assessment, you can then review your current privacy policy pages and notices (whether these notices are delivered verbally, digitally, or in print – in a way that can be documented), and update if necessary. How you seek subject consent should also be revised, if you currently assume consent on an opt-out basis. For your website, this means re-evaluating how you currently obtain user agreement for the collection of personal data. These agreements must be opt-in, so no longer will you be able to assume silent consent by way of pre-ticked boxes or other opt-out methods.
Not saying “no” doesn’t automatically mean “yes”.
What this also means is that it is no longer sufficient to display a cookie banner to website visitors informing them that “By using this site, you accept cookies”. This does not qualify as affirmative consent as there is no clear “opt-out” option. Additionally, website visitors should be able to withdraw their consent at any time just as easily as giving it.
You need to consider the rights of your customers in accordance with GDPR, and check the timeliness and practicality of the procedure should an individual request access to or the deletion of their personal data. Subject access requests can only be charged or refused should the request be excessive or unfounded, and your reasons will need to be explained to the individual concerned. With just one month to provide the subject with this, you should examine the logistics of these requests so that you are prepared.
Furthermore, you will need to ensure that you have a procedure in place for the detection, investigation, and reporting of any future potential data breaches.
What is the penalty for non-compliance?
Non-compliance will be penalised by up to 4% of global turnover for the previous year or €20 million EUR (whichever is higher).
What about Brexit?
The United Kingdom is highly unlikely to leave the EU before GDPR takes effect in May 2018. So what this means for the future is undetermined, but for now your business is still expected to meet this deadline. However, it was stated in the Queen’s Speech 2017 that the government is introducing a Data Protection Bill (replacing the outdated Data Protection Act 1998), which will include the implementation of the GDPR and continuance to meet the GDPR’s objective to protect the personal data of UK subjects, even after we have left the EU. So if you’re thinking this is a waste of time as a UK small business owner, you may want to reconsider your verdict.
Not only does compliance with GDPR benefit your customers, but it also benefits your reputation as a small business. It demonstrates to customers that your business cares about the security of their personal information.
The Information Commissioner’s Office (ICO) provide small organisations with plenty of practical advice and resources for business owners who need additional support in complying with GDPR when it comes to both their customers and employees.
You can read the official General Data Protection Regulation in full here: https://gdpr-info.eu/