What small business owners should know about GDPR and why

As a U.S.-based small business owner, getting ready to comply with the General Data Protection Regulation (GDPR) regulation may not be at the top of your to-do list. Small business owners may think that the GDPR only applies to large, global companies that conduct business overseas, not for companies with fewer than 250 employees.

GDPR is one of the largest and most far-reaching global data privacy laws-and all businesses need to be GDPR-compliant with processes and documents in place. This new data protection law goes into force May 25, 2018 and will apply to all companies handling the consumer data of citizens within the European Union (EU), no matter the size, industry or country of origin of the business.

This compliance can seem especially overwhelming for small-business owners with less than robust resources. What should small-business owners know about the GDPR, and why does it matter?

What is the GDPR?

The EU member states proposed the GDPR in 2012 to create consistent data privacy laws. The GDPR provisions specify that:

• Anyone involved in processing EU consumer data, including third-party entities involved in data processing, can be found liable for a breach.
• When an individual no longer wants a company to process their data, the data must be deleted.
• For companies collecting customer data or processing sensitive data on a large scale, they must appoint a data protection officer.
• Companies and organizations must notify national authorities of serious data breaches within 72 hours of detecting a breach.
• For children under a certain age using social media, parental consent is required.
• Individuals have a right to data portability to enable them to transfer their data easily between services.

The implications of these far-reaching compliance requirements for smaller businesses point to the need for a GDPR-readiness strategy. To get you started, here is a checklist for small businesses to work through the process to GDPR compliance.

Are you ready for GPDR?

Understand the types of personal data your business is handling before making any decisions. What are you collecting-names, email addresses, banking details-and is that information considered sensitive, such as a person’s health history? Learn about your data sources, where and how long it is stored, and how it is used.

Develop a consent policy to process personal data and acquire consent from customers. Under the GDPR, consent needs to be explicit, clear and specific, which can make some activities such as marketing more challenging. If your company website does not already have one, develop and display your privacy policy which should explain the legal basis for processing personal data.

Review and update your security measures and policies and make them GDPR-compliant. If your business does not have a data protection policy, develop one that uses GDPR-compliant practices. Using encryption is recommended and can help your business avoid hefty fines in the event of a data breach.

Prepare for data access requests and fair processing notices. The GDPR stipulates customers have the right to access their data, correct inaccurate data, object to their data being processed, or even completely erase their data that you hold. Such requests must be processed and completed within the required time frame. You also must use fair processing notices to describe to customers what you are doing with their data. Describe how and why your company will hold their data, who has access to it, and how long your company will keep the data.

Make your consent process clear, specific and transparent. Your customers should be able to choose to be on your mailing list, as well as control over how you use their data. According to the GDPR, consent must be in the form of a request separate from other terms and conditions. It must also require a positive opt-in in which users must check “yes.” Opting for a mailing list does not give the small-business owner the ability to use a customer’s data for something else unless this is outlined. Individuals should also know how to withdraw from your database at any time.

Finally, data consent should constantly be reviewed. Schedule regular checks with your subscribers to ensure individuals wish to remain on your mailing list and document any changes to their consent.

Bottom line: Consult with a legal expert to understand the data privacy regulations and how they might impact your business. Assess processes already have in place and find out how to bolster your security practices. Get an expert if necessary.

Data protection officers, training employees and the supply chain

Your small business may not need a full-time data protection officer (DPO) if your business is not processing large volumes of personal data. It is, however, a good business practice to appoint someone responsible for data protection within the company or rely on a virtual DPO or outsourced option such as a contractor. All businesses should identify a primary point of contact responsible for data protection.

Under the GDPR, companies need to detect a serious breach quickly and report it to the appropriate authorities within 72 hours. Employee training can teach everyone in the business what constitutes a personal data breach and how to spot it. Employees should also understand the need to report any mistakes or breach to the person responsible for data protection quickly to comply with the 72-hour reporting window.

Do not forget to review your contracts with third-party vendors who also must adhere to the new regulations. Understand how your vendors will store, process, and access your business’s data. Ask what procedures your vendor has in place to meet regulations and how that company will address violations. Even if a third-party supplier mishandles data, your company could still be penalized.

Why does GDPR compliance matter?

From fines to compensation claims, there are serious reasons to become GDPR-compliant. GDPR noncompliance can trigger steep fines, as much as up to 20 million euros ($24.2 million at time of writing) or 4 percent of a company’s annual revenue, whichever is higher, even if noncompliance is accidental.

For small companies with pressing priorities, GDPR may not be the top objective. But no one likes having their data lost, stolen, damaged, misused or shared without proper consent. Doing everything you can to protect your customers and grow their trust could be a unique selling point, one that can be used to add value to your business.

Proving to potential and existing customers that your organization is compliant with new data protections will not only prevent costly mistakes, it also demonstrates your commitment to earning your customers’ trust and be the company that respects personal data, rather than letting it sit on a long-forgotten database.

This article is published as part of the IDG Contributor Network. Want to Join?