What GDPR Means for Businesses That Aren’t Facebook

The European Union's data protection regulation provides small and midsized businesses with a chance to rethink their data strategies.

At this point, a lot has been written about the implications of the European Union’s General Data Protection Regulation for large companies such as Facebook and Google, and the measures that they have taken to become compliant. But less has been said about the impact that GDPR will have on small and midsized businesses, and what they will have to do in order to remain in compliance.

With regard to the latter, time is running out: GDPR officially takes effect on May 25, so any business that wishes to ensure that it is in compliance with the new legislation had best get up to speed quickly.

One of the hallmarks of GDPR is the fact that it applies to any business that handles or stores the personal information of any EU resident, no matter where the business itself is located, although exceptions do apply to any businesses with fewer than 250 employees.

Any company, then, might easily find itself in breach of GDPR without even knowing, and become subject to exceedingly steep fines of up to €20 million ($24 million) or 4 percent of annual global revenue, whichever is higher. Needless to say, no small business has the resources to survive this kind of financial outlay.

So, if you’re looking to avoid those kinds of gargantuan fines, you need to take steps to comply with the EU regulations. If you use or store customer data in any way, you must be GDPR compliant.


How Your Small Business Can Comply with GDPR

Step one involves making sure that users are aware of whether you store their data, and for what purpose. Achieving this is as simple as updating your privacy policy and terms and conditions, using language that is clear and easy to understand. It is also important to give your users the ability to opt in or out of any data collection, and to ask for their explicit consent to process any sensitive personal information.

Another one of the signature tenets of GDPR is the declaration of a person’s “right to be forgotten.” According to the EU, “the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data,” provided it does not go against the public interest to have that information removed from circulation.

Given that this is such a large part of GDPR, businesses must have processes in place that allow users to request the deletion of their data, as well as the means to remove such information swiftly. That being said, many small businesses rely on third parties to provide customer management services, and the responsibility goes to those third parties to put in place procedures that allow for the easy deletion of customer data.

GDPR Can Be an Opportunity to Reconsider Data Strategies

If your business has more than 250 people, GDPR requires you to hire a data protection officer (DPO), whose duty is to oversee the collection of people’s personal data, and ensure that information is collected and secured in a responsible manner. But the role of a DPO is not merely that of an enforcer; they should also be working closely with other arms of the business in order to identify opportunities and create value.

Most of all, adherence to GDPR should not be seen as a limitation. Instead, it’s an opportunity for all businesses, no matter their size, to prove their transparency and commitment to data privacy.

It is also an excellent opportunity for companies to take a good hard look at their data policies, and to determine whether or not they actually need all of the data they’re collecting. This information will come in handy should the EU ever decide to ask you why you need the information you’re storing. And it also forces you to look at your business practices, and truly understand how you’re using that information, and how it informs your business.

GDPR should not be viewed as a punishment — unless, of course, you choose to circumvent it. Yes, it might take some time and a thorough review of your company’s data practices and those of its partners in order to become compliant, but in the long run, it is more important to have users trust that their data remains in safe hands than to complain about a little extra elbow grease.

Consumer trust is a valuable commodity, and one that is difficult to gain back once lost.

May 02 2018