If you read financial news with any kind of regularity, you have likely come across the acronym GDPR over the past several months. GDPR stands for General Data Protection Regulation. This law was enacted by the European Union and went into full effect in May of 2018. If you are an American small business owner, you may reasonably think that a regulation passed by the European Union has nothing to do with your operations. Depending on the nature of your business, you may or may not be correct. If you own a business in the U.S. without a physical presence in the EU, you more than likely still have a web presence in the EU that collects data over the internet. GDPR applies to local content and targeted marketing campaigns and practices, so if you’re an American-based service or product company that caters to an EU audience, you’re likely affected.
At LawTrades we refined our own security implementation and processes with an outside counsel by reviewing our data supply chains, creating new consent procedures, and learning from the compliance pitfalls of other companies in similar industries.
The GDPR affects any business, based within the EU or internationally, that accesses, analyzes or otherwise processes personal electronic data generated by residents of the European Union. If your business does not, in any way, interact with personal electronic data associated with residents of the EU, then the GDPR will not affect your company. However, if your business does interact with this kind of data in any way, you may need to take urgent steps to comply with the terms of the GDPR. It is important to understand that, unlike many other international regulations, the GDPR applies to all businesses regardless of their size, location or industry type. If your company interacts with the kind of data that the GDPR governs, it is time to check in with a compliance attorney.
Compliance with the GDPR will impact your company in a number of ways. Unless you have already taken steps to ensure that data is handled in the detailed and highly specific ways the regulation requires, you will need to do so now.
The first step in remaining GDPR-compliant is to communicate with your customers and users: collect consent for email mailings, update your privacy policies and terms of service, educate them on how their information is being used, and make clear that any data they submit will be safeguarded. Creating a transparent message about how customer data will be used builds company integrity and emphasizes your company’s commitment to GDPR compliance.
One of the efforts you may need to make in order to achieve compliance is to alter the way you store personal electronic data. Because any EU resident may request deletion or transfer of his or her information, all personal data related to a single individual must be easily accessible in a complete, accurate and portable form. In addition, because individuals must be notified in the event of certain high-risk situations and officials must be alerted in the event of a breach, it will be important to put protocols in place appropriate to these situations. And if your company collects or processes data that is particularly sensitive and/or does so on a large scale, your business may be compelled to appoint a data protection officer. A host of other nuanced requirements may apply to your business, so it is important to seek legal counsel if you need assistance ensuring full and proper compliance.
One of the biggest, and most time-sensitive, GDPR concerns is data breaches. The strict GDPR 72-hour breach notification rule mandates that a company’s data controller (an individual who “determines the purposes and means of the processing of personal data,” GDPR Section 4) report any event where data is stolen, changed, lost, or accidentally disclosed within 72 hours of discovery. For U.S. companies, the National Conference of State Legislatures compiles a state-by-state breakdown of whom to submit a report to. If your business operates in all 50 states, unfortunately, you would need to submit 50 reports. If the breach is deemed high-risk, meaning data subjects are adversely affected, personal data breach notifications must also be sent to those individuals. Unlike the breach notification to officials, there is no fixed deadline for issuing the personal data breach notifications, but they should be sent as soon as possible. Depending on the severity of the breach, fines of up to 2% of global revenue may be issued.
What Does GDPR Mean for Small Businesses?
Small businesses with more than 250 employees are required to be GDPR compliant and to designate a Data Protection Officer (DPO), an expert in data protection law and procedures. Smaller companies with under 250 employees are required to comply with the GDPR if they process personal or sensitive overseas data on a regular basis.
For small businesses that rely heavily on networking (whether in person or through digital channels) to grow, this can mean putting in more work not only for company expansion but for GDPR compliance. It is now illegal for a small business owner to take someone’s contact details from a business card or a LinkedIn connection and add them to a contact list without that person’s direct consent; receiving someone’s contact information does not imply consent.
Large corporations have in-house teams of attorneys to assist with GDPR compliance. Even without such resources, small businesses can still achieve GDPR success: understand the GDPR, know how your company collects data and where potential breaches may occur, create a consent policy for acquiring users’ personal data, and make sure that it offers an active opt-in option. If this is a large undertaking for you as a small business owner, resources are still at your disposal. Consider hiring a contractor to assist in remaining GDPR compliant.
Remain GDPR Compliant
Because GDPR noncompliance can lead to fines and penalties, it is essential to appoint a data controller who is able to demonstrate knowledge of GDPR compliance and the processes behind it. This includes data protection policies and how to adhere to the GDPR code of conduct. The data controller can be a designated employee of the company or a contracted individual. The controller must make sure the GDPR’s principles are adhered to throughout the whole data processing lifecycle, inclusive of “lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data.”
GDPR is changing the way businesses source and safeguard user data. For small businesses processing data, compliance is within reach. Understanding GDPR, building data users’ trust through consent and data usage awareness, and making legal arrangements to safeguard that data are all essential to the process. Remaining GDPR compliant means building a business data users can trust.
How To Find The Right Attorney To Help
If you have questions about compliance generally or about complying with the General Data Protection Regulation, you should consult with an experienced business attorney. Most GDPR-focused lawyers will provide the initial call free of charge to assess your website. When interviewing attorney candidates, look to see if he or she has prior experience working with companies of similar size to yours, as well as experience completing both domestic and international compliance projects.
Compliance Assistance Is Available
It is essential to create business processes that safeguard personal data. Personal data may not be processed without the data users’ affirmative consent. General Data Protection Regulation compliance can be challenging to navigate. LawTrades can help with data protection related matters. Let us connect you to a legal compliance attorney who can help you remain GDPR compliant.