On May 25, 2018 the General Data Protection Regulation (GDPR) came into effect. Up until that date, the guidelines and rules about personal information and privacy were lax and unclear. The main goal of the GDPR is to unify data privacy rules throughout the European Union. It enforces strict rules about data protection, and organizations that break them are subject to harsh fines.
Even if your small business or startup is based outside of the European Union, as per Article 3 of the GDPR, you’ll still need to comply with the GDPR if you process any personal information or store any data for citizens of the EU. If you’re not compliant, you may be found liable and face fines of up to 4% of your revenue.
The process of becoming GDPR compliant doesn’t need to be complex or intimidating. If you’re a small business, come up with a compliance plan that ensures your client and customer data is protected under the rules of the GDPR. Consider using IT support services from a company you can trust to make sure you’re doing it right.
Here are some helpful tips for small businesses and startups on reaching compliance:
1. Know what data you’re collecting
Clearly understand what type of information you’re collecting from your clients or customers. Catalog this data so you’re aware of each bit of data you’re storing:
- Personal data, such as names, addresses, email addresses, and photos.
- Financial information, including credit cards and banking information.
- IP addresses.
Even information about health and religious views is considered sensitive data under the GDPR. You should have a good understanding of where this data is coming from and how you’re going to be using it.
2. Get consent
While the GDPR doesn’t hold you back from collecting data about users, it does require that you have a legitimate reason for storing that data and that you have explicit consent from users before you collect it.
Consent must be obtained clearly from your clients and customers, through a positive opt-in that is separate from other terms and conditions. Once you hold their data, users have the following rights over their personal information:
- Right of access to the data you’re storing and knowing exactly what that data is.
- Right of rectification, where users can make corrections to their data. You’ll need to update your databases and systems with this corrected information.
- Users have the right to erasure, which means they can request that you erase any of their data that you’ve collected. Once again, you’ll need to comply and update your databases.
- Users have the right to object to your using their data.
- Right of data portability, which applies to all the data you collect. This means user data must be stored in a format that can be easily understood and shared with others, so it’s clear and specific.
3. Understand your security measures and policies
Even small businesses need to have security measures in place to protect their client and customer data. Update your cybersecurity policies to protect user information. You probably already have security systems in place, but now is the time to review to ensure your policies and procedures are current with the latest technology.
Security is not only a concern for GDPR compliance; cyber attacks cost SMBs millions of dollars each year. In its Data Breach Investigations Report, Verizon indicates that small businesses accounted for 58% of targeted cybercrime and attacks in 2018.
Another GDPR security requirement is being prepared to notify both users and data protection authorities within 72 hours of a data breach.
4. Ensure you can honor user access rights
With the GDPR in place, each individual has the right to access their own personal information and data. GDPR regulations state that you have a one-month period to honor user requests, whether they’re requesting access to their data, a correction, or erasure. You need to make sure that your current technology and business processes can act on these user requests within the month.
5. Review your privacy policies
6. Make sure your business partners are also GDPR compliant
GDPR compliance requires that all the other partners you do business with, and share user information with, are compliant as well. This includes all your contractors, suppliers, and vendors. Reach out to these partners and request documentation of their own GDPR compliance. If they’re not compliant, you can write a new agreement with them requesting that they begin the process of becoming GDPR compliant.
7. Train your employees
All of your employees need to know the GDPR’s key points about personal data. They’ll need to understand what personal data is and what relevance data protection has to their own tasks. Part of this training should also cover how to identify a data security breach and whom to report it to if one occurs.
8. Decide if you need a DPO
A Data Protection Officer (DPO) is there to advise and inform you and your employees about the correct practices for data collection and to monitor your business compliance procedures. Although a DPO isn’t usually necessary for a small business, you will need one if your business activities involve the “processing of sensitive data on a large scale”.
Final words on GDPR compliance for the small business
It can seem like there’s a lot of information to process if you’re a small business or startup that needs to become GDPR compliant. Instead of thinking of the new rules as a hindrance, think of the GDPR as something that adds value to your brand and your business. Following GDPR rules is a good way to build trust with your clients or customers while staying compliant with the latest privacy laws and regulations.