IT Freedom Blog

GDPR & Your Small Business

by Jessica Baker on

Have you received an influx of emails recently from companies “updating their privacy policies” or been prompted to accept cookie tracking policies on websites you’ve been to a million times?

Well, the reason for that is the new GDPR regulations that have been put into effect in the European Union. But, as you have noticed, these regulations are making their way into the lives of US consumers and small business owners.

GDPR and Your Small Business

These regulations have officially been in place for almost a month - since May 25th to be exact. So what exactly is GDPR?

First, GDPR stands for General Data Protection Regulation. These regulations were proposed in 2012 and work to create consistent data privacy laws throughout the EU. But it doesn’t just affect those in the EU, as I mentioned above. It has a far wider reach. The wording in the regulations says that they apply to any and all companies processing the data of data subjects residing in the Union, even if your company isn’t in the Union. In short, if you process the information of anyone who lives in the EU, or provide them with goods or services of any kind, you’re responsible for making sure your business is GDPR compliant.

This includes businesses like:

  • Online retailers
  • Tech and data firms
  • Any business that sends customers email newsletters
  • B2B providers

What should we be doing to stay compliant?

To start, I want to say that this is just a quick outline of some of the top things you need to plan for to be compliant. We are in no way GDPR experts, and if you know for a fact you’re storing information subject to GDPR regulations we definitely recommend talking to an expert. But overall here are some things you should be aware of.

Keep data subjects informed

One of the biggest pieces of GDPR is that data subjects have a right to know absolutely everything about the information you’re keeping on them. They have a right to know:

  • What information you’re storing
  • What you’re doing with the information
  • Where the information is stored
  • And they have the right to object to certain data uses

Data subjects also now have an explicit “right to be forgotten”. This means that you need to have a simple and efficient way to delete the data you have on them in its entirety if they request that you do so.

Email Double Opt-In & Privacy Policy

GDPR makes it necessary for consent to be clear, explicit and extremely specific. Data subjects need to know, up front, what they are signing up for and all the information we talked about above. Hence all of the “updated privacy policy” emails and being asked to consent to cookie tracking on major websites. This also applies to email communications. So make sure that if you’re sending emails to anyone in the EU (or really anyone worldwide) you’ve set up a “double opt-in” process. This means that not only do people have to fill out the form on your website, they also have to click a secondary button, usually in an email, that gives consent to receive email communications from you. Check out this article from MailChimp about double opt-in emails.
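As an added example (not code from the post or from MailChimp), here is the double opt-in flow in Python: a form submission only creates a pending record and a signed, expiring confirmation token; the address becomes mailable, and a consent record is written, only when that token comes back from the second click. The signing key, the in-memory store and the email addresses are constructed for the demo.

```python
"""Double opt-in for a newsletter sign-up (added example, not the post's code).

Step 1: the website form submits an address; we store it as PENDING and
send a confirmation link that carries a signed, time-limited token.
Step 2: the person clicks the link; only then do we mark the address
CONFIRMED and record what they consented to, when, and how.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SECRET = secrets.token_bytes(32)     # constructed for the demo; load from a secret store in production
TOKEN_TTL = 24 * 3600                # confirmation links expire after 24 hours

subscribers: Dict[str, dict] = {}    # in-memory stand-in for a database table


def _sign(email: str, issued: int) -> str:
    """HMAC over address and issue time, so a token cannot be forged or reused for another address."""
    return hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()


def request_subscription(email: str, purpose: str, now: Optional[int] = None) -> str:
    """First step: record a PENDING sign-up and return the token to embed in the confirmation link."""
    now = int(time.time()) if now is None else now
    subscribers[email] = {"status": "pending", "purpose": purpose, "requested_at": now}
    return f"{now}.{_sign(email, now)}"


def confirm_subscription(email: str, token: str, now: Optional[int] = None) -> bool:
    """Second step: verify the token, then mark CONFIRMED and store the consent record."""
    now = int(time.time()) if now is None else now
    rec = subscribers.get(email)
    if rec is None or rec["status"] != "pending":   # unknown, already confirmed (no replay), or erased
        return False
    try:
        issued_str, sig = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:                               # malformed link
        return False
    if now - issued > TOKEN_TTL:                     # stale link: ask them to sign up again
        return False
    if not hmac.compare_digest(sig, _sign(email, issued)):
        return False
    rec["status"] = "confirmed"
    rec["consent"] = {"purpose": rec["purpose"], "confirmed_at": now, "method": "double opt-in"}
    return True


def mailable(email: str) -> bool:
    """Only CONFIRMED addresses may ever receive the newsletter."""
    return subscribers.get(email, {}).get("status") == "confirmed"
```

The stored consent record (purpose, timestamp, method) is what lets you show later what a subscriber agreed to, and deleting the subscriber's entry is all that is needed to honour an erasure request.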

Take a look at your security measures

Not only is it important to let data subjects know how their information is being used, it’s even more important to do everything in your power to keep it safe. This includes things like making sure you have the proper network protections in place, that antivirus is installed, monitored and kept up to date, and that devices are being patched regularly. It also includes training your employees to identify potential risks and to follow best practices to keep data safe. Symantec has some good information on training your employees in information security awareness, and the FTC has good guides for businesses on protecting personal information.

Have a plan for a data breach

If you’re storing EU data subject information, the GDPR regulations state that you must report a breach within 72 hours of becoming aware of it. Even if you’re convinced you’re taking all the necessary precautions regarding your security, you need to have a plan in place. If you’re not sure what a plan should look like, or who to report to, take a look at the FTC’s data breach response guide for businesses.

What happens if we aren’t compliant?

To put it simply, fines. GDPR allows regulators to impose fines on non-compliant companies. These fines vary but can be between 2-4% of the company’s worldwide annual revenue, and can be up to 20 million euros (or around $23 million in the US as of June 20, 2018). As a small business this could be disastrous for your firm.

Now we know this is a lot, and we also know that you might not be completely sure whether you need to be GDPR compliant. But, like we said before, if you don’t know, or even think you should be compliant, talk to an expert!

And if you’re looking for someone to help get your business security where it should be, give us a call or fill out the form on our contact page!
