“My business is a U.S. company — I don’t have to figure out this GDPR stuff, right?” Right, if you are a U.S. company that only offers goods and services to, and only interacts with, U.S. businesses and consumers. In that case you could, for example, implement an intake form that records where a customer is located and restrict your website so that it does not collect personal data from people located in the EU. But be wary of customers who move to the EU after connecting with your business: you don’t want to keep sending them your newsletter or marketing emails if you never obtained GDPR-compliant consent.
Better yet, comply with the GDPR anyway.
The purpose of the GDPR (read: the General Data Protection Regulation) is to promote the privacy and data protection of individuals within the EU. You can read more about it here.
If you want to do business in the EU — or with individuals in the EU — you’ll have to comply with the GDPR. Noncompliance means significant fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher, under Article 83), and some EU member states have added criminal penalties of their own on top of the regulation, depending on the severity of the breach.
When Does the GDPR Apply to a Small Business?
When it comes to the GDPR, size doesn’t matter so much. If your business offers goods or services to people located in the EU, or monitors their behaviour there (for example with tracking analytics), the GDPR applies (Article 3(2)). Merely being reachable from an EU IP address is not enough on its own, but a checkout that accepts euros or ships to EU addresses is. It does not matter whether you are a one-woman-show or have locations spread across the globe.
However, your company’s requirements under the GDPR will be affected by your size and activities.
In the U.S., a small business is typically defined as an organization having fewer than 500 employees. Under the GDPR, organizations with 250 or more employees must keep a written record of their data processing activities (Article 30). However, any business — no matter the size — must comply with the GDPR’s written record requirements if that business engages in any of the following activities:
– The business’s data processing activities are likely to result in a risk to individuals’ rights and freedoms;
– The business processes data that reveals an individual’s race or ethnicity; political, religious or philosophical beliefs; trade union membership; genetic or biometric data; or data about the person’s health or sexuality;
– The business processes personal data relating to criminal offenses and convictions; or
– The business’s processing of personal data is more than occasional.
Unfortunately, that last point (the regulation’s wording is “not occasional”) is left open to interpretation and serves as a catch-all for regulators. If broadly construed, it would include any business that regularly processes data through its website or CRM system, which is nearly every business. Because the position is so unclear, it’s a good idea to keep records even if you think your business might be exempt.
Whether your business is required to appoint a Data Protection Officer (DPO) is not based on the size of the business, but rather on its core processing activities, meaning the processing that is essential to achieving the company’s goals. Under Article 37, a DPO is mandatory when those core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of the special categories of data or criminal-offense data listed above (public authorities must always appoint one). A DPO is an individual who is an expert on data protection law and procedures, advises on and monitors compliance, and is the contact point for the supervisory authority and for Data Subjects. Notifying the supervisory authority of a data breach (within 72 hours of becoming aware of it, under Article 33) remains the company’s own obligation, though in practice the DPO is usually the person who coordinates it.
How Does a Small Business Comply with the GDPR?
Complying with the GDPR is about learning the language and checking off items on a checklist. It’s easy to get started.
1. Learn the Rights of Individuals in the EU (aka Data Subjects).
For starters, the law gives individuals certain rights:
The Right to be Forgotten
Data Subjects (again: individuals physically within the EU) have the right to request that a business delete their information. “Hey, lose my number, Google!” This applies to any business, whether it’s in the EU or not. And it not only includes information the Data Subject provided, but any other information collected or generated about them, e.g., analytics, notes, scores, etc. The right is not absolute (Article 17(3) lets you keep data you are legally required to retain, such as tax records, or that you need to defend a legal claim), but where it applies you must act without undue delay and within one month, and you must pass the deletion request on to any third parties you shared the data with.
The Right to Access
The Gimme Gimme Rule, aka Right to Access, means that Data Subjects are entitled to request that a company share with them what information has been stored about them, along with why it is processed, who it has been shared with, how long it will be kept, and where it came from if they did not provide it themselves. The company must respond within one month (extendable by two further months for complex requests) and without charge, unless the request is manifestly unfounded or excessive.
Privacy by Design
Privacy by Design is a term-of-art meaning, “to build from the bottom up.” Strictly speaking it is an obligation on the business (Article 25) rather than a right of the individual, but it belongs on this list. Rather than adding privacy to existing systems, the systems should be designed or redesigned with privacy and data protection in mind, and the default settings should be the most privacy-protective ones. This also means collecting the minimum data required for conducting business operations.
Data Portability
Information a Data Subject has provided to a business, where the business processes it by automated means on the basis of consent or a contract, is subject to transfer to the Data Subject or to another business if the Data Subject so requests. (Data the business derived itself, such as analytics or internal notes, is covered by the Right to Access but not by portability.) The idea behind this element is to allow for the free movement of consumers from company to company. The information that is ported must be shared in a common, machine-readable format, such as CSV, JSON or XML.
Strengthened Consent
Get ready to implement more check-the-boxes into your systems, because strengthened consent requires that permission be obtained per purpose for which a customer’s data is used. If your company asks for an email address and consent in order to send purchasing information, it must again ask for consent before using that email for marketing purposes. Further, consent can’t be messy, unintelligible, hidden, or tricky: no pre-ticked boxes, no consent buried in the terms of service, and withdrawing consent must be as easy as giving it. All consent requests are required to be written in a way that the company’s intended consumers can understand, and you must be able to demonstrate afterwards what each person agreed to and when.
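Here is what the four rights above look like when reduced to a data model. This is an added example, not code from the article or from Rockridge Venture Law: a small in-memory ledger in which consent is recorded per purpose, the latest record for a purpose wins (so a withdrawal revokes an earlier grant), an access export returns everything held including derived data, a portability export returns only what the person provided, and erasure removes both. The class and function names (ConsentLedger, Purpose, demo) and the sample subject are constructed for illustration.

```python
"""Purpose-bound consent ledger with access, portability and erasure handling.

Added example: illustrates the rights described above; names and sample data
are invented for this demonstration.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Purpose(str, Enum):
    """Each distinct use of the data is its own purpose; consent is per purpose."""
    TRANSACTIONAL = "transactional_email"   # order confirmations, receipts
    MARKETING = "marketing_email"           # newsletter, promotions


@dataclass
class ConsentRecord:
    purpose: str
    granted: bool        # False records a withdrawal; it must be as easy as granting
    recorded_at: str     # ISO-8601 UTC timestamp, so consent can be demonstrated later
    notice_text: str     # the plain-language request the person actually saw


@dataclass
class Subject:
    email: str
    name: str
    provided: dict = field(default_factory=dict)   # data the person gave us
    derived: dict = field(default_factory=dict)    # analytics, notes, scores we produced
    consents: list = field(default_factory=list)   # append-only history of ConsentRecord


class ConsentLedger:
    """In-memory store; a real deployment would persist this with an audit trail."""

    def __init__(self) -> None:
        self._subjects: dict[str, Subject] = {}

    def register(self, email: str, name: str, **provided) -> None:
        # Data minimisation: only name and email are mandatory; anything else is optional.
        self._subjects[email] = Subject(email=email, name=name, provided=dict(provided))

    def note_derived(self, email: str, key: str, value) -> None:
        self._subjects[email].derived[key] = value

    def record_consent(self, email: str, purpose: Purpose, granted: bool, notice_text: str) -> None:
        self._subjects[email].consents.append(ConsentRecord(
            purpose=purpose.value, granted=granted,
            recorded_at=datetime.now(timezone.utc).isoformat(), notice_text=notice_text))

    def may_use(self, email: str, purpose: Purpose) -> bool:
        """Latest record for this purpose wins; no record at all means no consent."""
        subj = self._subjects.get(email)
        if subj is None:
            return False
        for rec in reversed(subj.consents):
            if rec.purpose == purpose.value:
                return rec.granted
        return False

    def access_export(self, email: str) -> str:
        """Right of access: everything held about the person, derived data included."""
        return json.dumps(asdict(self._subjects[email]), indent=2, sort_keys=True)

    def portability_export(self, email: str) -> str:
        """Data portability: only what the person provided, in a machine-readable form."""
        subj = self._subjects[email]
        return json.dumps({"email": subj.email, "name": subj.name, **subj.provided}, sort_keys=True)

    def erase(self, email: str) -> bool:
        """Right to erasure: drop provided data, derived data and the consent history."""
        return self._subjects.pop(email, None) is not None


def demo() -> dict:
    """Walk one constructed subject through consent, access, portability and erasure."""
    ledger = ConsentLedger()
    ledger.register("alice@example.com", "Alice", company="Example GmbH")  # constructed sample
    ledger.record_consent("alice@example.com", Purpose.TRANSACTIONAL, True,
                          "We will email your order confirmations and receipts.")
    ledger.note_derived("alice@example.com", "pages_viewed", 12)
    marketing_before = ledger.may_use("alice@example.com", Purpose.MARKETING)  # separate purpose
    ledger.record_consent("alice@example.com", Purpose.MARKETING, True,
                          "Tick here to receive our monthly newsletter.")
    ledger.record_consent("alice@example.com", Purpose.MARKETING, False,
                          "Unsubscribe link clicked.")
    return {
        "marketing_before_consent": marketing_before,
        "marketing_after_withdrawal": ledger.may_use("alice@example.com", Purpose.MARKETING),
        "transactional": ledger.may_use("alice@example.com", Purpose.TRANSACTIONAL),
        "access_has_derived": "pages_viewed" in ledger.access_export("alice@example.com"),
        "portable_has_derived": "pages_viewed" in ledger.portability_export("alice@example.com"),
        "erased": ledger.erase("alice@example.com"),
        "usable_after_erase": ledger.may_use("alice@example.com", Purpose.TRANSACTIONAL),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical caveats the model leaves out: erasure has to reach backups and any third-party processors you shared the data with, not just the live table, and many businesses keep a minimal suppression list after erasure so an old export does not quietly re-add the address to a mailing list.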
2. Review and Revise your Privacy Policies, Consent and Collection Procedures, and Record-Keeping Systems.
In keeping with the rights that Data Subjects have, your company’s practices may need to change. Any policies in place should describe your data processing activities in clear, plain language that the relevant Data Subjects can understand. When stating what data you’re collecting, be sure to note why you’re collecting it and ensure that you have a lawful basis for doing so (consent is one of six lawful bases under Article 6; performance of a contract and legitimate interests are the other two most small businesses rely on). Businesses under the GDPR have an obligation to collect the least amount of personal data necessary for their purpose.
This means that:
– The contact forms on your websites should not collect data non-essential for contacting people (stick with names and email addresses).
– A business card or LinkedIn connection is not consent to add that person to your mailing list — you need explicit consent from them agreeing to receive your emails.
– Don’t ask for someone’s age, gender or body type unless you state why you’re specifically asking for that information and explain how you’ll be using it.
3. Secure that Data.
If you’re collecting data, you should be protecting it. Be sure that the relevant leadership in your company — whoever is responsible for company security — knows the proper language and tools in effecting company privacy policies and security solutions.
“Many business leaders are confused about basic data security concepts, like encryption. When we asked whether they used end-to-end encrypted email, about two-thirds said yes. But when we asked these people to identify the service, only about 9% named one. ‘VPN,’ ‘Mailchimp,’ and ‘Dropbox’ were among the responses. Seven Irish respondents said their end-to-end cloud storage provider was ‘Reddit.’”[1]
For a list of best practices for company security, check out this article. In short:
– Train your employees on how to detect and avoid data breach incidents.
– Secure your network, invest in security software and a VPN, and enable encryption software for communications and storage.
Keep in mind that your security protocols will be as unique as your business itself — don’t go copying another company’s privacy policies and data security incident plan. Privacy counsel at Rockridge Venture Law is here to work with your organization to define your operations and make a GDPR-compliant plan that works with your business.
About RVL®
Rockridge Venture Law® is a certified B Corp law firm embracing the mantra of technology lawyers for good. Rockridge® services include corporate, intellectual property, litigation, M&A, privacy, technology, and venture capital law. Rockridge has been recognized as a B Corp Best for the World and Real Leaders Top 150 Impact Company, and has been featured by Conscious Company Magazine, Forbes, and other top media focused on industry leaders in impact and innovation.
The Rockridge team has worked with Grammy winners, Nobel Prize winners, and world champion athletes to create and monetize distinctive intellectual property assets. Rockridge clients include founders, investors, and multinationals scaling disruptive technologies and iconic brands. Rockridge is headquartered in Tennessee, with satellite offices in Durham, New Haven, and New York.
We’re Building Today’s Company for Tomorrow’s Economy® by leading clients through the dizzying array of information controls, by helping them to develop and monetize proprietary assets, and by enabling their impactful products, programs, and principles.
See case studies on how we’ve helped transformative companies at Rockridge Case Studies.