The General Data Protection Regulations (GDPR) came into force in the EU on May 25th 2018. GDPR has been cited as the biggest change to EU personal data laws since 1995. Prior to GDPR, people in the EU had relatively few rights over their data, and the existing regulations were deemed inadequate to deal with advances in technology. The regulations were designed to give individuals in the EU control over their data by changing how the data can be collected, used, and stored by those who handle the information. Although GDPR is an EU law, any organisation which handles data which has been collected within the EU must comply with its rules and guidelines. Their compliance is required regardless of the location of their headquarters.
GDPR and Companies with Less than 250 Employees
Not every organisation which collects and handles data from within the EU is covered by GDPR. Article 30 of the GDPR states that most small businesses-that is, one with fewer than 250 employees-are not covered by GDPR. This cut-off point applies for organisations within and outside of the EU. However, some important exceptions exist. It is critical that all small business owners thoroughly assess their GDPR status. Ignorance of the protocols is not deemed an acceptable excuse for a violation. The cost of hiring a third party to consult on GDPR compliance is likely to pale in comparison to the fine levied for a violation; this amounts to either a fine of €20 million (around $23 million), or 4% of the company’s annual turnover-whichever is higher. These penalties will be charged against an organisation of any size, within or outside of the EU.
As mentioned above, there are some circumstances in which organisation with less than 250 employees are required to comply with GDPR. According to GDPR, if an organisation’s data processing could affect the rights and freedoms of individuals, if they process personal data on a regular basis, or if they collect data which is covered by Article 9 of the GDPR, they are bound by the same rules and regulations that organisations with more than 250 employees are. Article 9 of GDPR covers sensitive data such as that relating to religious beliefs, sexual orientation, and political beliefs. Under GDPR, it is prohibited to process data covered by Article 9, unless a data subject gives their consent to use the data for a specific purpose. However, even this is not legal in some EU member states, who prohibit any organisation from using this data even if the subject gave their consent. Small businesses will need to thoroughly audit their data processing practices and the types of data they collect and store to ensure that they are not covered by GDPR.
Specific Issues for Small Businesses
Networking is essential to the growth of small businesses and the development of their customer base. Due to the new personal data protection rules introduced by GDPR, small businesses may need to adapt their networking practices. Small business owners will no longer legally be able to simply add emails taken from business cards to their email contact lists unless they have consent to do so from the individual who gave them the card. The same rules apply for adding contacts on LinkedIn or other social networking platforms. It is not enough for small organisations to assume that being given an email address or business card is consent to be added to their networks; explicit consent must be given, otherwise the small business is in violation of GDPR.
Large organisations often have the financial and technical resources to ensure that they are fully compliant with all of the strict stipulation in GDPR. Due to financial constrains, small businesses may struggle to ensure their practices are up to standard. One area of business which may be particularly resource-intensive to update is the safeguarding of data. For example, passwords are not considered a sufficient security measure on laptops or mobile phones which store data. Although these measures may be costly, small businesses which are covered by GDPR are expected to encrypt the devices to ensure that the data is protected. Despite requiring adequate security measures to be enforced, GDPR does not actually mention any specific way of doing so in its text. Therefore, there is some flexibility for small businesses to assess their practices and find a cost-effective way of protecting their data that suits their particular organisation.
It is common practice for small businesses to outsource the processing of their data to third parties. Under GDPR, these third parties are considered to be data processors, and therefore are required to comply with GDPR. The data controller, or small business, is responsible for the conduct of their processors. Therefore, while drawing up their business contracts, small businesses must ensure that any organisation they hire fully understands the strict standards of practice outlined by GDPR. If the third party is found to be in violation of GDPR, it is the small business who will be held responsible.
Small Businesses and Data Protection Officers
Large organisations are legally required by GDPR to appoint a data protection officer (DPO) who will oversee the security of any data that the organisation handles. Although there is no requirement for most small businesses to hire a DPO, they should consider doing so. If the small business is processing sensitive information, as described in Article 9 of the GDPR, they may be required to hire a DPO.
If it is outside of the financial means of a small business to hire a DPO, a reasonable alternative may include using a third party expert or providing suitable training to someone who already works within the business. The DPO needs to have in-depth knowledge of the GDPR and knowledge of how to develop a data management process. The appointment of a DPO will help small organisation in navigating the complexities of GDPR. Although costly in the short term, it may help them avoid the costly penalties associated with breaching GDPR.
All employees in an organisation which handles personal data are required to be aware of GDPR and understand their responsibilities under it. Therefore, in addition to hiring a data protection expert, training courses should be run for employees to ensure they understand GDPR and are aware of the implications to an organisation if they violate the regulations.