The General Data Protection Regulation (GDPR), which took effect on May 25, 2018, was created primarily to give European Union (EU) citizens more control over their personal data, as well as to simplify things for international businesses by providing a unified regulation that they can easily follow.

But if you think that the GDPR is limited to European websites, you’re wrong: it applies to all websites that process and store data of EU citizens, which is why you’re suddenly receiving all these emails detailing changes in terms and policies.

The GDPR comes with hefty fines for non-compliant businesses. Now that the GDPR has been implemented, here are some things small businesses need to do in order to be GDPR-compliant.

#1: Know the Data you Process

The GDPR primarily covers personal and sensitive data, though it also includes other types of data in its scope (such as big data). Knowing which visitor/customer data you collect, where it comes from, and where it’s going can make all the difference, especially if you’re questioned for breaching the regulation. Note that ignorance is not going to cut it as an excuse.

If you haven’t yet, review the data you collect, especially from EU citizens. Do an audit of your whole data collection process and identify any gaps.

#2: Ask for Consent

Two of the things that the GDPR promotes are transparency and empowering users to have more control over their data. Thus, websites that plan on continuing to process data will need to have clearer, more understandable privacy policies and have to ask users explicitly for their consent to process information.

The exception to the rule is when there is a lawful basis for a processing activity—such as insurance companies needing data for claims—and this should be mentioned in your privacy policy.

#3: Update your Website Security Measures

The GDPR was created to protect personal data, and a part of that is ensuring that no hacker can get their hands on sensitive information. If you haven’t yet updated your website security, do so as soon as possible.

Some things you can do to improve website security include:

  • Setting up an SSL certificate, which encrypts sensitive information as it’s transferred over the internet and makes it harder for hackers to decrypt.
  • Encrypting all your computers.
  • Updating all passwords for all users.

#4: Practice Accountability in Data Processing Activities

One of the requirements of the GDPR is the appointment of a data protection officer. However, this is limited to large businesses or businesses that process an extensive amount of personal information. Regardless, if you operate a small business that doesn’t necessarily process a large amount of personal data, it still pays to do what’s necessary from an accountability standpoint.

Train your employees on key GDPR concepts, especially as to what constitutes a data breach. The new rules associated with GDPR require that you report these breaches within 72 hours of them happening.

Final Thoughts on What Small Businesses Should Do to be GDPR-Compliant

The GDPR is quickly becoming the new standard for data privacy. Although the regulation is only applicable with regard to the data of EU citizens, all websites that process the data of EU citizens are still affected. With or without the hefty fines, website owners should comply with the GDPR for improved data safety.

Need help understanding how to be GDPR-compliant? Get in touch with the data experts at Harrington Technologies.