What does GDPR mean for small businesses?


GDPR stands for the General Data Protection Regulation, an EU regulation which came into effect in May 2018.

The GDPR definition of Personal Data:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

So basically, anything and everything, from a photo or an email address to a biometric fingerprint or facial recognition. Just because you do not have a person’s name doesn’t mean that their activity is completely anonymous and unidentifiable.

Does GDPR affect me and my small business?

If you offer goods or services to EU residents (EU data subjects) then this will affect you, regardless of the size of your organisation or whether your business is located in the European Union or not.

Chances are that your small business holds personal information belonging to your website visitors and/or customers – you may not realise just how much. This personal data can be in the form of names, telephone numbers, postal addresses, IP addresses, or even cookie strings.

What do small businesses have to do?

The first step is to make yourself aware of how GDPR affects your particular business. This includes assessing what personal data you collect from individuals (data subjects), as well as how it is stored, how it is obtained, and how it is shared.

Based on this assessment, you can then review your current privacy policy pages and notices (whether these notices are delivered verbally, digitally, or in print – in a way that can be documented), and update them if necessary. How you seek subject consent should also be revised if you currently assume consent on an opt-out basis. For your website, this means re-evaluating how you currently obtain user agreement for the collection of personal data. These agreements must be opt-in, so you will no longer be able to assume silent consent by way of pre-ticked boxes or other opt-out methods.

Not saying “no” doesn’t automatically mean “yes”.

What this also means is that it is no longer sufficient to display a cookie banner to website visitors informing them that “By using this site, you accept cookies”. This does not qualify as affirmative consent as there is no clear “opt-out” option. Additionally, website visitors should be able to withdraw their consent at any time, just as easily as they gave it.

You need to consider the rights of your customers in accordance with GDPR and check the timeliness and practicality of your procedure should an individual request access to, or the deletion of, their personal data. Subject access requests can only be charged for or refused if the request is excessive or unfounded, and your reasons will need to be explained to the individual concerned. With just one month to fulfil such a request, you should examine the logistics of these requests so that you are prepared.

Furthermore, you will need to ensure that you have a procedure in place for the detection, investigation, and reporting of any future potential data breaches.

What is the penalty for non-compliance?

Non-compliance will be penalised by a fine of up to 4% of global turnover for the previous year or €20 million (whichever is higher).

The Information Commissioner’s Office (ICO) provides plenty of practical advice and resources for small organisations and business owners who need additional support in complying with GDPR when it comes to both their customers and employees.

You can read the official General Data Protection Regulation in full here: https://gdpr-info.eu/