The General Data Protection Regulation (GDPR), which was implemented effective May 25, 2018, was created primarily to give European Union (EU) citizens more control over their personal data, as well as to simplify things for international businesses by providing a unified regulation that they can easily follow.

But if you think the GDPR is limited to European websites, you’re wrong: it applies to all websites that process and store the data of EU citizens, which is why you’re suddenly receiving all these emails detailing changes to terms and policies.

The GDPR comes with hefty fines for non-compliant businesses. Now that the GDPR has been implemented, here are some things small businesses need to do in order to be GDPR-compliant.

#1: Know the Data you Process

The GDPR primarily covers personal and sensitive data, though it also brings other types of data into its scope (such as big data). Knowing which visitor/customer data you collect, where it comes from, and where it goes can make all the difference, especially if you are questioned about breaching the regulation. Note that ignorance will not work as an excuse.

If you haven’t yet, review the data you collect, especially from EU citizens. Do an audit of your whole data collection process and identify any gaps.

#2: Ask for Consent

Two of the things the GDPR promotes are transparency and giving users more control over their data. Thus, websites that plan to continue processing data will need clearer, more understandable privacy policies and must ask users explicitly for consent to process their information.

The exception to the rule is when there is a lawful basis for a processing activity—such as insurance companies needing data for claims—and this should be mentioned in your privacy policy.

#3: Update your Website Security Measures

The GDPR was created to protect personal data, and a part of that is ensuring that no hacker can get their hands on sensitive information. If you haven’t yet updated your website security, do so as soon as possible.

Some things you can do to improve website security include:

  • Setting up an SSL certificate, which encrypts sensitive information as it is transferred over the internet and makes it far harder for hackers to read.
  • Encrypting all your computers.
  • Updating all passwords for all users.

#4: Practice Accountability in Data Processing Activities

One of the requirements of the GDPR is the appointment of a data protection officer. However, this requirement only applies to large businesses or businesses that process an extensive amount of personal information. Even if you operate a small business that does not process a large amount of personal data, it still pays to do what is necessary from an accountability standpoint.

Train your employees on key GDPR concepts, especially on what constitutes a data breach. The new rules under the GDPR require that you report these breaches within 72 hours of their occurrence.

Final Thoughts on What Small Businesses Should Do to be GDPR-Compliant

The GDPR is quickly becoming the new standard for data privacy. Although the regulation only applies to the data of EU citizens, every website that processes such data is affected. With or without the hefty fines, website owners should comply with the GDPR for the sake of improved data safety.

Need help understanding how to be GDPR-compliant? Get in touch with the data experts at Harrington Technologies.

On May 25, 2018, the European Union’s (EU’s) General Data Protection Regulation (GDPR) came into full force. It is the most important change in data privacy regulation in 20 years, replacing the Data Protection Directive 95/46/EC.

While it seeks to give the citizens of the 28 EU countries more control over their personal data, the GDPR at the same time simplifies data regulation for both local and international businesses by providing a single unified regulation across the EU.

Despite the fast-approaching implementation date, there is still much confusion surrounding the GDPR, especially in terms of what it means and what businesses should do about it. In fact, it was found that 84% of SMEs are still unaware of these policies, which might have something to do with the fact that the entire regulation is 200 pages long. With this in mind, Gartner predicts that by the end of 2018, more than 50% of companies will not be in full compliance with its requirements.

As a business owner, here are the basics you need to know about the GDPR.

What is the GDPR?

In a nutshell, the GDPR looks out for the data privacy of individuals by requiring businesses and organizations to provide and develop clear policies to protect personal data. It also pushes them to adopt appropriate technical and organizational measures.

GDPR was built around two key principles:

  1. Simplifying and harmonizing directives for international businesses by unifying the regulations within the EU
  2. Giving EU citizens and residents more control over their personal data.

In fact, under the GDPR, explicit consent is required before companies can process data, and citizens can request access to their data or information on how it is used. The GDPR also grants citizens the ‘right to be forgotten’. This means that if they do not want you to process their personal data, or if you have no legal grounds for keeping the data (for example, if a person is no longer a client of your company), you must respect their decision.

Companies that are not compliant with the GDPR can be fined up to 20 million euros (about US $24 million), or 4% of global revenues—whichever is greater.

Will this Affect US Businesses?

One criticism of the GDPR is that it does not define its territorial scope adequately. But in a nutshell, the GDPR applies to businesses that process any data of EU citizens. Put simply, yes, the GDPR affects US-based businesses.

Before you get too worried, Article 3 of the GDPR states that the rule only applies if you collect personal data from an EU citizen within EU borders. If the EU citizen is outside the EU, the GDPR does not apply.

Any breach of these rules must be reported to the regulator within 72 hours (within 24 hours, if possible).

Final Thoughts: GDPR Basics for Businesses

With so much recent news about data breaches, the GDPR is a step in the right direction for data privacy and will change the way Europeans approach it. Once it is implemented and proves successful, there is little doubt that more countries will follow suit.

Learn more about the GDPR on the EU’s website about this new policy.