On 25th May 2018, the European Union’s General Data Protection Regulation (GDPR) will come into effect. It’s a wide-ranging privacy law, and comes with maximum fines for non-compliance of up to €20 million or 4% of annual turnover.
The new legislation is primarily aimed at keeping big businesses in check, reining in their ability to collect data on millions of people without their consent. It’s also about giving power back to consumers.
But if you’re a small business, don’t just assume you won’t be affected – even if you’re not based in the EU. While it’s true that European countries will be most impacted, the GDPR covers any company that collects personal information about citizens of EU countries.
So, even businesses and freelance consultants in North America could be affected if they collect certain kinds of information.
Say you live in Canada but provide life mentoring services to clients around the world, including customers in Ireland. If you were to record any of those conversations with your Irish clients, or even take notes about them, you may well be affected by the law.
What Does The GDPR Cover?
If you collect personal data on EU citizens, you need to take some extra steps when it comes to the way you manage that information. ‘Personal data’ can mean a lot of things:
- Name, address, date of birth
- Gender, sexual orientation, religion, ethnicity
- Email address
- IP address
Many small businesses might be collecting more of this data than they are aware of. All the information you receive from your customers that you write down or otherwise record – their bank details, information about their jobs or partners, their name and email – all count as personal data.
The regulation takes a softer approach to small businesses, so you’re less likely to be scrutinized. All the same, your business will be affected if:
- You regularly process personal data
- You fail to report a data breach in which personal data was stolen or exploited within 72 hours of the breach
- You fail to tell customers what you will do with their data
- You refuse to hand over the data you hold on a customer when they ask to see it (a ‘subject access request’)
- You refuse to delete the data you hold on a client when asked to (AKA the ‘right to be forgotten’)
How you can get GDPR-ready
Here are some simple steps small businesses can take to become GDPR-ready:
- Review how you store client information – make sure it’s in a secure, password-protected environment such as Dropbox, Google Drive, SharePoint, or even a folder on your computer
- Write up a policy document, shared with clients, explaining what you do with their data. There are many GDPR-ready templates available online to download
- Share a similar document with your employees
- Delete any data you hold on customers that you don’t really need
Being GDPR compliant will involve a little work now, but will improve customer trust in the long run, and will also give you confidence that you’re not in violation of any laws.