Protecting client and customer data should be at the top of every small business owner’s list of concerns. And the General Data Protection Regulation, or GDPR, has been called “the toughest privacy and security law in the world” by the European Union.
For matters of data collection, privacy protection, and data security, the GDPR can serve as a helpful roadmap to keep small businesses on the right side of data handling best practices.
In this article we’ll take a look at what the GDPR is, how it was designed and intended to protect the rights of individuals, why it matters to U.S.-based small businesses, tips to help your small business protect sensitive data and ensure compliance, and more.
What is GDPR?
In effect since 2018, the GDPR is a set of data privacy laws designed to protect the rights of data subjects across all EU nations and member states. The GDPR establishes strict standards and rules about the personal information that businesses collect, process, and utilize. And due to the global nature of the modern economy, every business that wants to offer products or services to EU citizens has a legal obligation to ensure compliance with these guidelines. In fact, more than 70% of countries worldwide now have some sort of legislation in place to secure the protection of data and online privacy.
The General Data Protection Regulation is actually a framework of data protection principles, supported by dozens of articles, standards, safeguards, and requirements that are regularly updated to keep up with the way data is handled and protected.
This data, and specifically personal data which can clearly identify a person and their personal details, is typically what you hear about in the news when a company is “hacked” or suffers a data breach. Data can include names and addresses, of course, but also usernames, IP addresses, biometric data, and much more. A data subject is any individual who can be identified in some way via this information.
Essentially, the GDPR can be broken down into seven key principles:
- Lawfulness, fairness, and transparency: Do you have permission to use the data, and are you using it fairly?
- Purpose limitation: You’re obligated to respect the boundaries of the data permission you’ve been granted.
- Data minimization: The way you use sensitive data must be limited to the purposes disclosed upon collection.
- Accuracy: You’re obligated to ensure the accuracy of private data that you hold.
- Storage limitation: Permission to use data is not a lifetime agreement.
- Integrity and confidentiality: You, as data owner, are responsible for protecting that data from both internal leaks and external threats.
- Accountability: The GDPR requires that businesses not only protect sensitive data, but also provide proof of how they’re protecting that data.
The goals of GDPR, then, are to minimize the amount of data that companies collect and store to only what is necessary, ensure that the data is secure and protected, explain to data subjects in plain language what is being collected and why, and hold organizations accountable for the management and security of the data they collect.
How does GDPR protect individuals?
There are a number of benefits for individuals, or data subjects, to be gained through the GDPR. First and foremost, data subjects have been much better informed and much more aware about what information is being collected and how it is being used by the organizations they interact with online. This knowledge can help customers gain a better understanding of when, where, why, and how long their data is being used by businesses.
Additionally, businesses can only collect data if they have a “legitimate interest,” meaning they have a justified use for the data they collect. In other words, businesses can’t just hoard your data as a resource; they need a clear reason for storing it, such as credit card information for payments or email addresses for mailing lists.
The GDPR also gives data subjects more control over their data. Individuals are able to object to the collection or use of their data, they can request that incorrect information be corrected (rectification), and they have the “right to erasure,” meaning that they can request their data be erased or purged for a variety of reasons. Individuals can also restrict processing of their data in some situations, meaning that companies can hold your data but not sell it or share it with others, for example.
Among the benefits for individuals or customers, data portability and marketing consent are also important considerations. Data portability means that the individual owns their data and can request it from one company in order to provide it to another. And marketing consent means that data subjects have more control over how many marketing messages they receive, or even whether or not their data is used for personalized or targeted marketing at all.
Why does the GDPR matter in the US?
As mentioned in the introduction, even though the GDPR is based in Europe, it’s still very important for US-based businesses because of the global economy. Simply put, if you want to offer your products or services to current or prospective customers in other countries, you need to be in compliance with the GDPR.
The potential for harsh fines and penalties is another important reason why GDPR is critically important for small business owners in the United States. Data Protection Authorities, or DPAs, are independent public authorities tasked with monitoring, supervising, and assessing the application of data protection laws. DPAs handle data breach reports, enforce protection laws, and interpret aspects of the law.
EU data protection authorities have made headlines for large fines levied against companies like Google and Marriott International, but all businesses are required to comply, no matter how small your organization or company.
In the U.S., there are also varying protection laws and requirements in place on a state-by-state basis. But because the GDPR is so comprehensive, complying with the EU regulations generally ensures that you will meet or exceed the requirements in any U.S. state as well as the supervisory authority in any EU member state.
In other words, if your business stays on the right side of the GDPR, you won’t have to worry about any other data protection regulations.
Why is data privacy protection important for small businesses?
While every business owner and executive should be concerned about the possibility of paying significant fines, there are many other reasons why data privacy protection is important for small businesses and can actually present a business benefit.
First, reviewing your business practices and processes can help to identify opportunities for easier business process automation and best practices around data. From streamlined data processing and data collection to auditing the types of data that are being collected and stored, many businesses have seen their compliance efforts pay off in surprising ways.
Oftentimes, businesses may be collecting data without a clear understanding of why it’s needed or how it’s being used. In these cases, one of the biggest benefits of GDPR compliance is the opportunity to gain a better understanding of data: specifically, what’s needed and what isn’t.
For example, do you really need to hold onto the obsolete email address and expired credit card number of a customer who hasn’t interacted with your business in 12 years? This kind of audit can ultimately lead to big improvements in data management, and help segment audiences and better understand the truly engaged customers and how to reach them.
Many businesses in the U.S. are also adding Data Protection Officer roles to their organizations. A Data Protection Officer is a security leadership role required in the EU in order to ensure compliance with GDPR regulations.
In order to position themselves for increased business in the EU and future growth, organizations throughout the U.S. have found that creating this role or an equivalent yields many benefits to their overall security and data management efforts.
Finally, GDPR compliance gives customers more control. And this results in them trusting your organization more. Your brand is viewed more favorably, and data subjects feel more confident not only in doing business with your company but in sharing their information with you.
Risks of a data breach for small businesses
As mentioned previously, running afoul of GDPR regulations can result in heavy fines. But there are many other risks for small businesses that go beyond financial penalties.
While the old expression may say that “there’s no such thing as bad press,” businesses that experience a data breach with the ensuing legal fallout and backlash in the court of public opinion would probably disagree. The ramifications of a data breach may include damage to your brand, significant spending on PR and legal counsel, and a tarnished reputation if it appears that your business is not acting with the public interest in mind.
A data breach can also impact your company’s partnerships. In the case of joint data controllers, where two or more organizations decide why and how to process personal data, all parties can be considered liable in the event of a lawsuit stemming from the data breach.
This is not necessarily the case in relationships where there is one organization that is the data controller and then a separate data processor. In these cases, data processors are only held liable for violating their specific data processing agreement and not other violations that may arise outside of their area of responsibility.
Tips for small businesses to protect private data
When it comes to steps that small businesses can take to protect the private data that they collect and use, there are a number of options and best practices to start with today.
- First, performing an audit of current data is key. Often, data is stored in multiple places or multiple files, on different servers or in different applications, and so on. Managing this data can seem like an overwhelming task, but performing an audit first will make the other steps of the process much more manageable.
- Next, creating minimization practices and standards that reduce the amount of data you collect and keep is key to future-proofing your business’s data usage. By collecting only the information that is necessary (for fulfilling customer orders or direct marketing efforts, for example) and getting rid of anything else, you’ll be even closer to full compliance with the GDPR.
- Even with reduced data collection and retention, ensuring the safety of that data is key as well. Methods for this may include physical options (preventing theft and mishandling of devices), as well as policies regarding digital safety and security (more frequent password changes for employees, increased network security, reviewing firewalls and other software, etc.).
- Properly deleting or disposing of unneeded data is another key aspect of compliance. This can include instituting a company-wide policy about file retention, or even utilizing a secure deletion program that destroys any sensitive data after a certain period of time.
On top of these practices and processes, you will want to have a plan in place for how to deal with any breaches or security incidents. This plan should include communicating with customers, rectifying the situation, protecting other data that was not compromised, and additional steps to fortify your security for the future.
Ensuring GDPR compliance for your small business
There is a tremendous amount to consider when protecting both your business and your customers from potential data breaches. And while this article offers an introduction to some of the fundamentals of the GDPR and the requirements for business and service providers, there is still a great deal more to learn.
Whether you have a dedicated security team or your business is just starting out, there are countless IT experts and data security professionals that are part of the UpCity network. And each of these experienced organizations is ready to partner with you and provide a more in-depth, personalized analysis of how the GDPR affects your business and how you and your customers can benefit from the increased data privacy protection that will result from those efforts.