The General Data Protection Regulation, or GDPR, is a law that was passed by the European Union that took effect in May of 2018. The law lays out requirements for those businesses that obtain and deal with personal information of citizens of the European Union. This may not seem relevant to companies that operate in California, but given the realities of today’s online world, it can and does affect businesses around the globe, small and large.
If your small business manages personal data, and any of it relates to EU citizens, review the GDPR small business compliance guide below to learn more about what exactly GDPR compliance entails.
What Is the GDPR?
The General Data Protection Regulation, better known as the GDPR, requires any business that obtains or processes personal data of even one EU citizen to handle this data in certain ways. Examples of requirements for small business compliance with regards to the GDPR include:
- Obtaining permission from an individual to collect and process his or her personal data
- Responding to requests from EU citizens who want to see their data file
- Deleting the personal data of EU citizens who properly make such a request
- Properly reporting any data breaches to the appropriate authorities
Deal with Your Internal Systems
The GDPR requires all businesses that fall under its jurisdiction to process and protect the personal data of EU citizens in accordance with its standards. There are specific requirements in place with regards to how a business can properly collect personal data and general requirements regarding its protection. Small business compliance with the GDPR should include analyzing your systems to make sure that:
- You obtain permission properly from EU citizens before you collect their data
- You process that data within the limits established by the GDPR
- You respond to allowed requests by EU citizens made under the GDPR
- You protect personal data in a reasonable manner
- You are prepared to notify the appropriate parties of any data breach
Every business that must comply with the GDPR must take these steps, which means you can either manually handle this every time something arises, or you can set these steps up ahead of time as much as possible. The latter will likely save you time and stress.
Deal with Your Internal Personnel Structure
There are some small business exemptions in place with regards to the GDPR, and one that could apply to some companies involves the naming of a DPO, or Data Processing Officer. That is not always required, but even if your business is exempt in that regard, you should still have your personnel in place to ensure everyone understands their responsibilities as they relate to GDPR compliance. Whether it’s one person or several, someone should be responsible for the following:
- Making sure you properly obtain permission to collect and use personal data
- Making sure that personal data is processed properly
- Making sure that personal data is as secure as possible
- Making sure requests made under the GDPR receive proper responses
- Making sure reports of data breaches are filed within 72 hours to the authorities
There are other responsibilities that could apply depending on your specific situation, but rather than deciding who is going to handle what every time a situation arises, it may be a good idea to designate someone to handle these duties ahead of time.
Deal with External Communication Preparations
As mentioned above, GDPR small business compliance requires external communications from time to time. In addition to preparing your systems to send out these communications as mentioned above, you’ll also need to craft these communications so that they include the correct information in accordance with the law. General examples of the types of information that need to be included in external communications include:
- Individual EU Citizens – You’ll need to, among other things, provide notice that you’re collecting personal data, why you’re collecting it and how long you’re going to store that data.
- Proper Authorities – In the event of a data breach, you’ll need to alert the proper authorities that a breach has occurred then describe the nature of that breach, the type of information that was vulnerable, the potential consequences of the breach and the steps you’re taking to minimize the damage from that breach.
Once again, you can either try to put these communications together as the need arises or prepare the foundations for them ahead of time so that you are tracking what’s going out and to whom.
Deal with a GDPR Small Business Compliance Lawyer
Small business compliance with the GDPR involves taking several managerial and preparatory steps, but it’s also an ongoing task that should never be overlooked if your business deals in personal data of EU citizens. Things can change, unexpected scenarios can play out and you need to make sure that you’re doing everything you can to comply with the GDPR at all times. The best way to do that is to work with a GDPR lawyer who understands the law, how it applies to small businesses and what to do to make sure that you both achieve and maintain compliance. If you’re ready to take this step, contact Kam Law Firm today to schedule a complimentary initial consultation.