GDPR applies to small businesses as well as to big corporations. Companies that have more than 250 employees are subject to the law. Even companies that have fewer than 250 employees and process personal information need to comply.
A business needs to have a data protection officer (DPO), an information management consultant and specific procedures for cases of leakage. Although it might be more challenging for a smaller business to hire an information technology consultant than for a huge corporation, it is just as crucial.
Any information collected before the GDPR is also protected by it.
Despite GDPR being in force for more than a year, research shows that millions of small businesses are not compliant with the regulation.
There are three main problems that small businesses face when struggling to comply. The first is describing the data collection and processing in clear language. The second is understanding whether they have a lawful basis for such data collection and storage. The third is the implementation of advanced methods of data protection, such as encryption. Overall, the research shows that business owners do not always have the level of expertise necessary for taking all the measures to comply with GDPR, as some of them are confused by the terminology. In such a case, it is essential to hire professionals to help with it.
The main reason why organizations and companies choose to adjust their work to the new regulations is the fear of penalties. Those who fail to comply with the law can face a substantial fine. A business can now be fined up to €20 million or 4% of annual turnover, whichever is bigger. These numbers are especially drastic for a smaller business.
However, the fear of fines is not the only reason why a business should adopt new protocols.
GDPR Provides Opportunities for Small Businesses
Although some people might view this law as restrictive and more of a burden, it also gives opportunities.
First of all, it makes a free and safe data flow possible in the EU. It helps a business to be more flexible in its activities and process data in any EU country. In the future, it will also be easy to process data in other countries, which offers new business possibilities.
Secondly, compliance with regulations can be cost-effective. For example, it allows deleting all unnecessary and old data, which is often quite costly to store. By reviewing and deleting all useless information, a company can save a lot of money on cloud storage and backups.
Thirdly, it supports the rising market of cybersecurity companies and providers.
Also, a clear policy and compliance with the law build more trust among customers. It is a great selling point in terms of marketing, as people want their personal information to be protected.
Look at the RSA Data Privacy and Security Report to see how high the concern is amongst customers.
- 62% of respondents said they would blame the company for the breach before hackers. They expect clarity and protection from a service provider.
- 55% of customers claimed to avoid providing information to businesses that have sold or misused their data without consent.
- 54% of people are less likely to buy products from a business that misuses personal information.
- 82% of British respondents are likely to boycott a business that repeatedly disregards data safety.
The fear of enormous fines comes from a misunderstanding of the protocol. GDPR treats different companies differently depending on their size and endorses only “reasonable measures”. In the case of a fine, the size and activity of a business will determine the severity of the measures.
GDPR Compliance Checklist for a Small Business
To be sure that everything is according to the law, a company should take several steps:
- Learn exactly what data you are collecting and processing, as well as the storing mechanism. Use IT consultancy services if needed to figure out all types of personal information you are working with. This may include IP addresses, demographics, payment details, emails, etc. Account for all past and present data, including customers, employees, and suppliers. Learn about the essentials of data protection in terms of technology and the legal basis.
- If you rely on customers’ consent to data processing, create a transparent and explicit policy to get this consent. Before writing it, look at the guidelines and examples. For example, Google was fined $57 million for not having a clear message to users on how it collects data.
- Customers should re-consent to the processing of all previously gathered information. If they do not re-consent, you must delete it. For instance, send out re-consenting emails or show a pop-up message on the website like “data processing updates” and create an “accept” feature.
- Update security measures and protocols. Hire an IT consultant to provide encryption and the most advanced means of security. Create protocols to control access, input, availability, and disclosure of the information.
- Get ready for access requests. Customers can request full information on their data, a copy of it, and its complete erasure. The company has up to one month to satisfy such a request. Hire a responsible person and write a straightforward policy on steps to take in such a situation.
- Create a strict breach policy and designate the responsible professionals. In case of a breach, a company has to notify institutions and customers within 72 hours.
- Make sure that all your suppliers are GDPR compliant. If the breach happens on their side, your business can also face penalties.
- Create fair processing notices, that is, guidance for customers on what you are doing with their data. Make it easily accessible.
- Consider employing a full-time DPO. If you are constantly working with sensitive information, it is a must. Although not every business has to do it according to the regulation, it can be extremely useful if you constantly process personal data. There are now 500,000 DPOs employed, which is 6 times more than was expected 3 years ago.
GDPR might seem complicated and challenging at first, but it is beneficial for companies and customers. It protects both the users and the company, provided the company is compliant with the law.
The implementation of all necessary measures brings transparency and trust to relations with customers.