How Will GDPR Affect Small Businesses?

Generally, it affects small business in the sense that now they would have to review their privacy policy. Any data collected by the business has to have consent as outlined by the GDPR. Consent is more stringent where people now need to give express consent. So basically, click a button saying yes, I do consent as opposed to implied consent by using the website. Small business must do a data audit which is not an easy task. However, there are companies that can be hired to do such things. Additionally, customer or clients need to be very clear on what they are consenting to. So, the consent message cannot be vague like what most websites have had before. Business also needs to be more vigilant and know what data they are collecting and notify users of any updates and so on. There is the third part aspect as well in which case business has to understand what it is doing when say they're using pay pal for purchases. effectively it does increase the administrative burden but protects the consumer

GDPR makes sure that every EU user of any online services - whether their Twitter accounts, eBay, Paypal, shipping information or more comprehensive cloud computing package – is able to control their data. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in years. This policy directive was adopted in May to make Europe fit for the digital age.

The GDPR brings a lot of extra work for organizations that are considered to process Personal Data. For small businesses who feel overwhelmed with all the attention and threatening articles, here is a very easy GDPR-compliance checklist you can go through.

 1) Understand What is Personal Data

GDPR is all about the personal data and you should understand what is considered as “personal data” under new regulations and what kind of those that you deal with. Chances are that you do collect personal data, even if you are collecting the names and telephone numbers of your customers, you do collect personal data. Also, know how do you collect that data, how do you use them and how do you storethem. 

“Personal Data” (PD) means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person Regulation. 

2) Check if the people in your database have given consent (from EU)

GDPR states that all personal data collected requires proof of consent. “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Direct consent is given for example if you have consent from your customers to collect their personal data for business operations purposes, you cannot send them marketing materials with the same consent. 

3) Perform a Data Protection Impact Assessment (DPIA) 

By performing a DPIA under the GDPR helps an organization to identify, assess and mitigate or minimize privacy risks with data processing activities. They are particularly relevant when a new data processing process, system or technology is being introduced. The DPIA Register is a spreadsheet (for example Excel template) that keeps track of all the data breaches that have happened and how they were dealt with.  

4) Create or update the external Privacy Policy and Data Protection Policy

Make sure your website is updated, for example with a Privacy Policy and a Data Protection Policy that is according to the new GDPR directive. Use the definitions from the GDPR, mention the new changes you will make related to and send a notification to the people in your database with a request to continue doing communication.

5) Prepare for Access Requests

Under the GDPR, all citizens will have the right to have insight and access to their personal data. Also to rectify inaccurate data or object to their data being processed or even completely erase any of their personal data you hold. You must be able to process such requests within a prescribed period of time. 

6) Create a “Request to Access Personal Data” Button or Page on your Website

Under GDPR, all EU residents will have “Access-request” right over the companies and organizations that collect their personal data. Using that right, they will be able to access their personal data that was collected about them. Having a clear Request solution as well as privacy and data protection policy page on your website will make it easier for you to handle those requests.

7) Explain the changes in the law to your Employees

Make sure your employees are aware of the changes in the law. Send them a brief memo with topics that are relevant to know. Explain possible responsibilities for employees that came with the introduction of the new GDPR directive regarding compliance. They should be able to notify responsible persons in your organizations in case of data breaches or other violations.

8) Check if Your Suppliers are GDPR-ready

Contact your suppliers in time to make sure that the suppliers take action to prevent data breaches and other violations. They need to review their policies and contracts to ensure that you will not have any sanctions caused by third-parties and your suppliers. 

9) Do I need to appoint a GDPR DPO (Data Protection Officer)?

The GDPR is choosing consumer trust ahead of the business’s interests. From a legal perspective, that fosters the objective that the GDPR creates an accountability and transparency demand (specifically to the consent of the Data Subjects), it appears that to be compliant you need to appoint a DPO. However, when carefully reading the GDPR directive, you can conclude it’s not specified when a DPO should be appointed. A soon to be Supervisory Authority will provide us with this answer. This will depend on the data intensity of your company.  Article of GDPR document states that companies and organizations need to appoint a Designated Data Protection Officer (DPO) when these conditions are met,(a) The data processing is carried out by a public authority or body. Or(b) The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.” You might consider appointing a DPO, just to be sure, but no need to hire one. 

Source: GDPR impact on small business and a Presentation: How will GDPR affect small businesses?