The General Data Protection Regulation (GDPR) enforces a new set of rules on how individuals’ data can be collected, stored, and used. It affects any business - big or small - holding personal data on EU citizens.
The definition of personal data becomes broader, and will include anything that can be directly or indirectly linked to an individual, such as:
This new law is meant to boost individuals’ confidence and give them more control over their data.
According to a report by the European Commission, only 15 percent of EU citizens feel they have control over the information they provide online. About 55 percent are concerned about how their financial activity and spending habits are tracked via smartphones and credit cards.
The law gives individuals the right to withdraw their consent and to request that their data be erased from a company's database. Other aspects, such as profiling, security and data breaches, and data processing arrangements, will change too once the GDPR comes into effect.
Contrary to what you may have heard, these rules apply to everyone. It doesn't matter how big or small your company is. As long as you're dealing with EU citizens, you must comply with the law.
There are three main steps every business must implement, and each can be further broken down into smaller steps:
This applies when consent is used as the legal ground for processing. In other cases, the business will need to inform the individual of the new data processing rules and give them a chance to object (where the law grants them a right to object).
As a small company, you may not need to hire a Data Protection Officer. However, you still have to ensure your business is GDPR compliant.
The confusion over small businesses and the GDPR comes from a misreading of Article 30. It states that, except for organizations with fewer than 250 employees, all companies must keep records of their processing activities, regardless of risk level, and make them available to the supervisory authority on request.
Everything else that falls under the GDPR applies to small companies to the same extent as it does to large organizations.