If you own a small business that maintains a database of customer, employee, or business contact information, you may be subject to the General Data Protection Regulation (GDPR). The regulation applies, regardless of the size of your business, to any processing carried out by an organization established in the EU, and to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there.
Processing personal data includes any operation performed on the data, such as collecting, storing, sharing, modifying, or deleting it. Automated processing and paper records held in a structured filing system are both covered, so a business based in the United States that keeps a paper file on its EU customers can still fall under the GDPR. Note that the GDPR uses the term "personal data" rather than the narrower "Personally Identifiable Information" (PII): any information relating to an identified or identifiable individual counts, including indirect identifiers such as an IP address or a customer number.
The penalties for non-compliance can be significant (up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher, for the most serious infringements), so it is prudent to assume that your business is subject to the GDPR unless it is not established in the EU, does not sell or plan to sell to individuals in the EU, and does not track their behaviour. Understanding and complying with the regulation avoids legal and financial repercussions for your small business.
What is GDPR?
The GDPR is a regulation adopted by the European Union to protect the privacy and personal data of individuals in the EU. It took effect on May 25, 2018, and applies to organizations that process the personal data of people in the EU (not only EU citizens), regardless of where the organization is located.
The GDPR replaced the Data Protection Directive of 1995 (Directive 95/46/EC). Because it is a regulation rather than a directive, it applies directly in every member state without needing national implementing laws. It strengthens individual rights and imposes stricter obligations on organizations that collect, process, and store personal data. Under the GDPR, individuals have the right to know what data is collected about them, to have that data corrected or deleted, and to object to the use of their data for specific purposes.
The 8 basic rights of GDPR
The GDPR provides people with eight fundamental rights that they can exercise in relation to the processing of their personal data. These rights are:
- Right to be informed: Data subjects have the right to know what personal data is being processed, why it is being processed, and who is processing it.
- Right of access: Data subjects have the right to access their personal data that is being processed.
- Right to rectification: Data subjects have the right to request the correction of inaccurate or incomplete personal data.
- Right to erasure: Data subjects have the right to request the deletion or removal of their personal data under certain circumstances.
- Right to restrict processing: Data subjects have the right to request that their personal data is not processed under certain circumstances.
- Right to data portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.
- Right to object: Data subjects have the right to object to the processing of their personal data in certain situations.
- Right not to be subject to automated decision-making: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them, except in limited cases (such as explicit consent or a contract), and even then they can request human intervention and contest the decision.
These rights give individuals greater control over their personal data and are a key aspect of GDPR’s approach to data protection. Organizations that process personal data must be aware of these rights and ensure they have the necessary processes and procedures in place to comply with them.
Preparing your organization for GDPR compliance
If you run a business or organization, it’s crucial to be aware of the GDPR and take steps to ensure your compliance. Here are some key actions you can take:
- Audit your data: Take stock of all the personal data your organization holds, where it came from, and who you share it with. Ensure you have policies and procedures in place to comply with the data protection principles.
- Update your privacy notice: Your privacy notice must now state, among other things, your legal basis for processing, how long you retain the data, and the individual's right to lodge a complaint with a supervisory authority (the data protection authority of the EU member state concerned).
- Review procedures supporting individuals’ rights: Individuals have the right to access their data, correct inaccuracies, have their information erased, prevent direct marketing, prevent automated decision-making and profiling, and allow data portability. Ensure your procedures can support these rights.
- Review procedures supporting subject access requests: You must respond to a subject access request within one month (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month), and you cannot normally charge for it; a reasonable fee is allowed only for manifestly unfounded or excessive requests or for additional copies. Consider giving individuals self-service online access to their data, and verify the requester's identity before releasing anything.
- Document your legal basis for processing personal data: Identify the various types of data processing you carry out, and document the legal basis for carrying it out.
- Review consent mechanisms: Ensure that consent mechanisms meet GDPR standards, and review systems for recording consent.
- Protect children's data: If you rely on consent to offer online services directly to children, the GDPR requires parental or guardian consent for children under 16, a threshold that member states may lower to no less than 13 (the UK, for example, uses 13).
- Establish procedures for data breaches: Set up processes to detect, contain, investigate, and document personal data breaches. Notify your supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals' rights and freedoms, and inform the affected individuals without undue delay when the breach is likely to result in a high risk to them. Keep a record of every breach, including those you decide not to report.
- Conduct a data protection impact assessment (DPIA): A DPIA (often called a privacy impact assessment) is mandatory before starting any processing likely to result in a high risk to individuals, such as large-scale processing of health data, systematic monitoring of public areas, or deploying new technology for profiling. Organizations in sectors such as education and healthcare will often meet this threshold.
- Appoint a data protection officer: A DPO is mandatory if your organization is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special categories of data (such as health data) or criminal conviction data. The number of employees is not the test; the 250-employee threshold in the GDPR concerns only a limited exemption from keeping records of processing activities.
Following these steps will not guarantee compliance, but it will put your business in a far stronger position to meet its GDPR obligations and to protect your customers' data.