Trace Id is missing

GDPR compliance and small business

You’ve probably heard of the General Data Protection Regulation, or GDPR. But does your business meet the compliance requirements?

 

If you think it doesn’t, you’re in good company.

 

GDPR became law on 25 May 2018. But, over nine months later, only 29 percent of EU-based businesses are fully compliant. And this despite the majority being aware of the law and its implications (and yes, those implications include the risk of fines).

 

More importantly, while you might think GDPR doesn’t apply to you if you’re US-based, this isn’t necessarily the case. If people located in the EU can access your website, GDPR applies.

 

With this in mind, here’s a look at GDPR’s most important principles and what they mean for your small business. We’ll also walk you through the steps you need to take to get on the road to GDPR compliance.

What is GDPR and what does it mean for small businesses?

GDPR standardizes data protection laws across the EU and attempts to bring them in line with current technology. More importantly, it aims to:

 

  • Protect individuals’ privacy
 
  • Give them more control over their personal data
 
  • Prevent businesses from gathering personal data without permission or another lawful reason
 

 

If you’re a small business — well, any size business, for that matter — GDPR means you’ve got a whole new set of legal duties to comply with.

 

For starters, the law gives individuals the right to ask businesses to:

 

  • Confirm what personal data they hold about them
 
  • Explain where that data is being stored and for what purposes
 
  • Provide them with an electronic copy of the data, free of charge
 
  • Stop sharing the data, make sure third parties stop using it and delete the data. This is called the right to be forgotten

 

More importantly, GDPR creates ‘privacy by design’. This means that:

 

  • Businesses have to collect the least amount of personal data necessary for their purpose. Have a contact form on your website? If a person’s name and email address are enough to contact them, your form shouldn’t collect information about their age, body type or gender.
 
  • Unless you have other lawful grounds to process data, you need the person’s express and specific consent. You can’t add a person to your mailing list just because they gave you their business card. They have to specifically agree to be on the mailing list.

Which business does GDPR apply to?

GDPR applies whenever a business collects or tracks the personal data of an individual who is physically located in the EU.

The law defines personal data as “any information relating to an identified or identifiable natural person.” In other words, data is personal data — and, so, protected by GDPR — if it can be used to reveal an individual’s identity. This includes:

  • Personal information such as name, age, date of birth, country of birth and country of residence
  • Photos or videos
  • Documents and forms
  • An IP address or specific website settings

More to the point, the law covers both online and offline collection and tracking. So, GDPR applies equally whether you use CCTV to monitor your office or Google Analytics to gather data on who visits your website.

The European Data Protection Board has stressed that the person’s nationality and status are irrelevant. If the person was physically present in the EU when their personal data was collected or tracked, GDPR applies. It doesn’t matter if the person is an EU citizen, an EU resident or simply a tourist.

More importantly, a business doesn’t have to be physically present in the EU for GDPR to apply. If people can access your website from the EU, that’s enough. You’ll have to comply with GDPR’s requirements.

Falling foul of GDPR can result in hefty penalties. Your business could get fined the greater of 4% of your annual turnover or €20 million (about $23 million) if you’re in breach.

Schedule a Microsoft 365 live demo

See Microsoft 365 in action by requesting a demo from one of our experts who can answer all your questions.
Fill out the form

Are small businesses and sole traders exempt from GDPR?

No, they aren’t. GDPR applies whenever a business collects personal data from a person located in the EU. This holds true whether you’re a one-person operation or have offices on six continents.

That said, you don’t have to keep a written record of your data processing activities if you have fewer than 250 employees, unless:

  • Your data processing activities could affect individuals’ rights and freedoms
  • You process data covered by GDPR article 9. This is data that reveals an individual’s:
    • Race or ethnicity
    • Political, religious or philosophical beliefs
    • Trade union membership
    • Genetic or biometric data, or data about the person’s health or sexuality
  • You process personal data covered by article 10, that is data relating to criminal offences and convictions
  • You process personal data on a regular basis

Many small businesses and sole traders won’t fall under the first three exemptions.

But what about the fourth one? The Belgian Privacy Commission has suggested not all data processing is “regular”, even though you might do it daily. According to this interpretation, you needn’t keep records of personal data you use for placing orders or communicating with clients, for instance. But a position paper by the Article 29 Working Party — the European Data Protection Board’s predecessor — seems to suggest you should interpret “regular” literally. And the European Data Protection Board has agreed. Because the position is so unclear, it’s a good idea to keep records, even if you think you’re exempt. Better safe than sorry.

Does GDPR apply to US companies? How does it affect them?

Yes. GDPR applies to US companies if they:

  • Do business in the EU
  • Don’t do business in the EU, but collect or track personal data belonging to people who are physically located in the EU (this includes people who are travelling in the EU but don’t normally live there). You may be doing this without even realizing it. For example, if your website’s cookies could be used to identify an individual, they count as personal data under GDPR

If you want to keep doing business in the EU, you have to comply with GDPR. Or, you risk getting slapped with a heavy fine. If you don’t do business in the EU, you have two options:

  • Comply with GDPR anyway
  • Restrict access to your website, so it can’t collect personal data from people located in the EU

When GDPR first came into force, many US websites cut off EU users so as not to fall foul of GDPR. For instance, over 1,000 US news sites were inaccessible in the EU as of August 2018. Some publishers have decided to pull out of the EU permanently. Lee Enterprises spokesman Charles Arms commented: “Internet traffic on our local news sites originating from the EU and EEA is de minimis, and we believe blocking that traffic is in the best interest of our local media clients.” That said, many US websites have now managed to get back online in the EU without any issues. And your small business website can be available in the EU without getting into trouble, too. Which brings us to the next point.

How do I comply with GDPR as a small business?

Putting your small business on the road to GDPR compliance isn’t as difficult as you might think. Here’s a GDPR compliance checklist to start you off.

1. What personal data do you collect?

You should know what personal information you collect and whether any of it is sensitive, that is whether it falls under the categories in GDPR articles 9 and 10. You should also ask yourself:

  • Where is the information coming from?
  • Why are you collecting it?
  • What are you doing with it?

You’ll need to be able to answer these questions if asked.

2. Do you have consent?

Unless you have lawful grounds to use personal data, individuals must give their consent. This must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

You have to keep a written record of consent. You also have to make withdrawing consent quick and easy. GDPR-compliant Customer Relationship Management software can help here. In particular, it can:

  • Keep a written record of people’s names and the personal data you hold on them
  • Record their consent, specifying what they’ve consented that you use their data for (for instance, to receive your monthly newsletter)
  • Give people an easy way to withdraw their consent should they change their mind (for instance through one-click “unsubscribe” scripts)

3. Is the data safe?

Your business is responsible for the personal data you collect. And you risk getting fined if it falls in the wrong hands. So:

  • Use encryption software when storing or transmitting personal data online
  • Secure your network. Careless employees are the leading cause of data breaches, so a solid IT policy is a must. You should also invest in security software, including a firewall

4. What if there’s a serious breach?

You have to report serious breaches to the regulator within 72 hours, or risk being fined. Make sure you have reporting procedures in place. And, more importantly, train your employees to:

  • Be aware
  • Understand what a serious breach is
  • Recognize red flags

What has been GDPR’s impact on small businesses up to now?

There are no two ways about it. GDPR compliance is time-consuming and expensive. In the run-up to 25 May 2018, UK small businesses spent about 600 hours each preparing for GDPR. And that’s not counting the financial cost. Globally, small and medium-sized businesses have spent $1.3 million on GDPR compliance. Equally, non-compliance can have an eye-watering effect on your bottom line. In the first-ever GDPR case, a German social network got fined €20,000 (approximately $22,600) for failure to keep users’ personal data safe after a hacker stole 330,000 email addresses and passwords. But while you may be tempted to view it as a burden, GDPR compliance has also had a positive impact on small businesses. And here’s why. Consumers have never taken their privacy more seriously. And, they expect businesses they share their information with to feel the same way. In a recent study, 69% of US consumers even said they’d like to see a law similar to GDPR enacted in the US. More to the point, a study by the CMO Council found that members who were prepared for GDPR have seen better engagement, more loyalty and increased trust from consumers. Clearly, GDPR is more than a bunch of rules you have to follow so as not to get fined. No one likes having their private information taken without their consent. Or kept somewhere criminals could get their hands on it. So, by taking steps to achieve GDPR compliance, you can position your small business as one that truly cares about its customers’ private data. And this could give you the edge over your competition.

Marin is part of the marketing team at Microsoft. He's excited to see how entrepreneurs can better start, manage and grow their businesses.

Get started with Microsoft 365

It’s the Office you know, plus the tools to help you work better together, so you can get more done—anytime, anywhere.
Buy Now

Related content

Manage my business

Key performance indicators (KPIs): What they are and how to use them

Read more
Manage my business

The benefits of business analytics

Read more
Manage my business

Q&A: How Molly Moon’s uses data analytics to give back

Read more

Business Insights and Ideas does not constitute professional tax or financial advice. You should contact your own tax or financial professional to discuss your situation.

Follow Microsoft 365