The General Data Protection Regulation (GDPR) enforces a new set of rules on how individuals’ data can be collected, stored, and used. It affects any business - big or small - holding personal data on EU citizens.
The definition of personal data becomes broader, and will include anything that can be directly or indirectly linked to an individual, such as:
- Customer name
- Car license plate number
- Health and genetic data
- Sexual orientation
- IP address
- Bank account information
- Religious belief
This new law is meant to boost individuals’ confidence and give them more control over their data.
According to a report by the European Commission, only 15 percent of EU citizens feel they have control over the information they provide online. About 55 percent are concerned about how their financial activity and spending habits are tracked via smartphones and credit cards.
The law gives individuals the right to withdraw their consent and request to have their data erased from a company's database. Other aspects, such as profiling, security and data breaches, and data processing arrangements, will change too once the GDPR comes into effect.
Contrary to what you may have heard, these rules apply to everyone. It doesn't matter how big or small your company is. As long as you're dealing with EU citizens, you must comply with the law.
There are three main steps every business must implement, and each can be further broken down into smaller steps:
- Companies with more than 250 employees must designate a DPO (Data Protection Officer).
- Organizations will need to get consent each time they request customer data or use existing data for a different purpose. This applies when consent is used as the legal ground. In other cases, they will need to inform the individual of the new data processing rules and give them a chance to object (in the cases where they can object).
- Security and data breaches must be reported within 72 hours.
As a small company, you may not need to hire a Data Protection Officer. However, you still have to ensure your business is GDPR compliant.
The confusion over small businesses and the GDPR comes from a misreading of Article 30. It states that, except for organizations with fewer than 250 employees, all companies must keep records of their processing activities, regardless of risk level, and make them available to the supervisory authority on request.
Everything else that falls under the GDPR applies to small companies to the same extent as it does to large organizations.