What does GDPR mean for small companies?
European General Data Protection Regulation (GDPR) is the new data protection regulation within the EU.
It is supposed to protect the individual’s right to privacy and the right to be forgotten/deleted from a registry or database.
All EU / EEA-based companies that handle personal data are required to comply with the GDPR.
Put simply, you no longer have a default right to process personal data. If you still need to do so, you must follow the GDPR: there must be a reason and a plan for managing information that can be linked to a particular individual. You need to collect this data securely (encryption), store it in a safe place (backups/encryption) and limit access to it.
GDPR applies to personal data you have in databases, on paper, in email and other files on your computer, USB memories, external hard drives and similar storage media.
The law applies to everyone whose data is registered. It does not matter whether it concerns a customer, a patient, an employee, a supplier or even yourself.
What is personal data?
Any data that can be linked to a specific person. It may be a name, bank details, social media comments, photos, emails, health data or even an IP address.
Even images (photos) and sound recordings of individuals processed on a computer, or equivalent, may be personal data even if no names are mentioned.
You must now get approval from each employee before you can post a photo of them on the website!
What does the small business owner need to do?
Justification. Your company must be able to justify why it holds personal data and for what purpose.
If you cannot justify keeping the data, you must destroy it.
However, keep in mind that the Bookkeeping Act takes precedence. Accounting documents, invoices, and financial statements must be saved for at least 5 years in the UK, up to ten years in many other countries. Within the EU the archiving period for accounting information is between 5-10 years. The right to be forgotten does not apply to the data or documents you must file by law.
Exception. A previous customer or employee cannot request to have his or her data destroyed or deleted from, for example, an invoice that the company is required by law to save.
Data disclosure. You, as an entrepreneur, must now be able to retrieve and hand over all registered information about a person on request.
Keep in mind that CVs, personal letters, etc. that your company has received must either be destroyed/deleted once the job posting is closed, or kept up to date, e.g. by informing the affected person each year that you still hold the information and asking whether it needs to be updated or removed.
Data Termination Policy (DTP). If you want to avoid unnecessary administration and risks in the future, you need to introduce a routine to get rid of the collected data.
Hacking. If you get hacked, and someone accesses personal data in your files, this must now be reported to the relevant Authority in your country within 72h. As an example in the UK, you need to contact X.
E-MAIL. The most significant problem for a small business owner will most likely be the management of personal data in e-mail. How do you delete information about someone in a mail conversation with several participants?
Do not use e-mail as a storage location. Instead, make PDFs of or print the documents you need for accounting purposes, so that all mail can be securely deleted when required without losing data that you must file by law.
Do not send lists of personal info by e-mail; send links to the document instead.
Encryption. If you have not switched to TLS / HTTPS for your website or blog, it’s about time! GDPR means that you must be able to prove that your company is, has been and will be managing personal information securely and encrypted.
A simple question via a contact form with personal data through old HTTP can lead to a violation of GDPR!
What you need to do when GDPR goes live
In short, you need to inform people a little more about what personal data you save, how you handle and process collected information and how long you intend to keep it.
There won’t be a significant change for most small business owners in the EU, since most countries have had privacy laws for a long time. However, it will mean drastic measures for Google and Facebook, who are more or less buried in dubious personal data at the individual level.
Requirements for Data Collection
You should focus on these issues (Privacy by Design) when collecting data about individuals in programs or on a website:
- Restrict to data that only indirectly identifies an individual
- Restrict to less sensitive data
- Do not collect more information than you need
- Replace names with pseudonyms
- Do not routinely include social security numbers as fields in databases
- Limit the amount of sensitive data
- Protect personal data from unauthorized persons
- Use encryption
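The following is an added example, not code from the original post, showing how the Privacy by Design list above and the Data Termination Policy mentioned earlier can be applied to a website contact form: an allow-list drops fields you do not need, a social security number field is refused outright, the direct identifier is replaced by a keyed pseudonym held in a separate lookup table, and every row carries a deletion date that a routine job acts on, except for records under a statutory retention duty such as invoices. The field names, the 90-day retention period and the key are constructed assumptions.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed key for the example only. A real pseudonymisation key belongs in a
# secrets store, stored apart from the records, and is rotated on a schedule.
PSEUDONYM_KEY = b"constructed-example-key"

# Data minimisation: the only fields the stated purpose (answering a contact
# request) needs. Anything else in the submission is dropped, never stored.
ALLOWED_FIELDS = {"name", "email", "message"}
# Fields that must never become database columns (see the list above).
FORBIDDEN_FIELDS = {"social_security_number", "date_of_birth"}
# Data Termination Policy: routine deletion this many days after receipt (assumed).
RETENTION_DAYS = 90


def pseudonym(value: str) -> str:
    """Keyed HMAC pseudonym: stable per person, but not linkable without the key."""
    canonical = value.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, canonical, hashlib.sha256).hexdigest()[:16]


def ingest(submission: dict, received_iso: str) -> tuple[dict, dict]:
    """Split a submission into a working record with no direct identifier and a
    lookup entry (kept in a separate, access-restricted store) that has one."""
    forbidden = FORBIDDEN_FIELDS & submission.keys()
    if forbidden:
        raise ValueError(f"refusing to collect: {sorted(forbidden)}")
    kept = {k: v for k, v in submission.items() if k in ALLOWED_FIELDS}
    pid = pseudonym(kept["email"])
    received = date.fromisoformat(received_iso)
    delete_after = (received + timedelta(days=RETENTION_DAYS)).isoformat()
    record = {"pid": pid, "message": kept["message"], "delete_after": delete_after}
    lookup = {"pid": pid, "name": kept["name"], "email": kept["email"],
              "delete_after": delete_after}
    return record, lookup


def due_for_deletion(rows: list, today_iso: str, legal_hold=frozenset()) -> list:
    """Pids whose retention has expired, skipping rows under a statutory duty to
    keep (e.g. linked to an invoice the Bookkeeping Act says you must file)."""
    today = date.fromisoformat(today_iso)
    return [r["pid"] for r in rows
            if date.fromisoformat(r["delete_after"]) <= today
            and r["pid"] not in legal_hold]
```

Run the deletion check from a scheduled job so the routine, not a person, decides when data goes; keep the lookup table on a more restricted store than the working records, since only the pair together identifies anyone.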
Data processing agreements
This may come as an unwelcome surprise for some of you. Starting May 25, 2018, you must have contracts with all your subcontractors regarding personal data processing. However, many already have this more or less in place, since most countries in the EU have a Personal Data Act at the national level. All the major players and services will come up with these agreements for you. However, many of you will have external partners overseas (outside the EU) for mail, server management, statistical services, digital archives, chat systems on websites, etc. Therefore, a new agreement may be required with one or more of your subcontractors regarding GDPR.
Does GDPR apply to companies outside the EU?
YES, non-EU companies selling services to EU citizens, or processing information about EU citizens, must comply with GDPR.
As usual, the EU believes that they can establish laws that the rest of the world is expected to follow even though the EU has no jurisdiction in other parts of the world. Hence, the rest of the world’s companies do not really need to follow GDPR, but the EU is trying to trick the world into believing this.
What happens if I ignore GDPR?
Organizations can receive fines of up to 4% of total global sales per year, or a maximum of 20 million Euro. The maximum penalties apply to the most severe violations, such as insufficient customer consent to process data or violating the principle of Privacy by Design.
You can receive a fine of 2% if you do not have your records in order (Article 28). This also applies when you fail to notify the regulatory authority and the registered person of a breach, or fail to conduct an impact assessment. This also includes cloud services.
There are strict fines and penalties for errors, neglect, and problems concerning GDPR which could easily arise even in a small company or even for a sole trader.
How harshly this new legislation will be applied and enforced regarding small businesses is too early to say, but it will naturally frighten many entrepreneurs who may need to spend a lot of time, money and energy trying to comply with yet another package of bureaucratic and difficult-to-understand rules and laws with grey zones which are so wide they must be measured in Astronomical Units.
REMEMBER: Facebook is Skynet!
..and GDPR killed it 🙂