A Small-Business Guide to GDPR

May 30, 2018

Businesses have been scrambling to prepare for the impending enforcement of the General Data Protection Regulation, or GDPR. The term seems to be everywhere, yet its meaning remains unclear, which perhaps is why GDPR is being searched more than Beyoncé lately. As an almost 90-page document with 99 Articles, the regulation contains a lot of information and thus creates a bit of confusion.

Should you care?
This regulation is going to affect major companies and how they handle data. It could potentially affect your own business, which would require you to take significant steps to address the requirements of the law. It could also open up new jobs specifically addressing the changes. Even if it doesn’t affect your business, it is relevant in that it affects your rights as a consumer. Any EU company or large American company will likely have to comply with GDPR, meaning your privacy rights will be greatly increased in your dealings with them. So, in short, yes, you should care!

Will it affect you?
GDPR is a regulation for the EU, and will mainly apply to the businesses located there. However, any business that caters to and collects data of individuals within the EU will also need to comply with the regulation. Large American companies like Google, Facebook, and Amazon have been making changes in order to satisfy GDPR requirements. They also have to ensure that their users are in compliance with GDPR when using business services such as Google AdWords or Facebook for Business. Thus, experiences on those sites may differ slightly as they implement changes. Make sure you are complying with the sites’ privacy policies, and that you are clear on your own policies.

Should you take action?
As we stated above, you may have to make some changes anyway, if you’re a business with EU customers or if you are using services from businesses that do. If you’re expecting to grow your company outside of the US in the future, adopting the policy now could help you avoid a rough transition later down the line. Furthermore, this trend toward data protection and regulation could precede future legislation in America. Being GDPR compliant would, again, make a transition to increased regulation much easier. Therefore, while it may not be pressing that you take on GDPR now, it could be a worthwhile investment.

Summary of Requirements
Ultimately, the regulation is meant to increase the privacy of individuals by limiting and regulating the way companies collect data. The goal is to increase protection of 8 different individual rights:

  • Right to information — ability to know what is being processed beforehand
  • Right to access — ability to access the data collected afterward
  • Right to rectification — ability to change incorrect data
  • Right to restrict processing — ability to restrict or block data being used without deleting information
  • Right to object — ability to refuse data processing
  • Right to be forgotten — ability to delete data
  • Right to data portability — ability to transfer personal data
  • Right to object to automated processing — ability to object and request manual review for decisions based on automated programs or algorithms

Companies abiding by GDPR need to have methods in place to comply with these rights; the UK’s Information Commissioner’s Office has a guide with checklists of ways companies can ensure protection of these rights. Overall, businesses need to be more transparent about their data processing and more conservative in data collection (collect only what’s needed, delete information once it is no longer needed, etc.). There will also be methods put in place to ensure companies are held accountable: Data Collection Impact Assessments, creating Personal Data Breach Registers, and implementing the collection of explicit consent. To ensure the transition takes hold and is understood, GDPR also requires training and awareness programs for employees, and the creation of a Data Protection Officer position in larger companies with significant data collection practices.

This is only a brief overview of GDPR, but covers the major points and effects of the regulation. For more information on GDPR, the full text can be found here. For more marketing and business tips, contact KSA&D for eager and professional service.