Since GDPR took effect last year, attention has focused on large companies, like Google and Facebook, that have failed to comply with the regulation. If corporations with dedicated legal and engineering teams struggle to meet GDPR's standards, what about small businesses?
In this article, attorney and Rocket Lawyer UK head of legal, Adam Ford, will take a deeper dive into the challenges facing small businesses in the age of GDPR — including providing access to information and transferring data — and the legal penalties that can result. He will then examine ways to overcome these challenges and avoid the issues large companies have run into. As regulations like this continue to gain traction, it’s increasingly important that small businesses know how to comply.
By Adam Ford
It's been a year since GDPR went into effect, and the California Consumer Privacy Act is just around the corner. For the past year, attention has focused on large companies holding personal user data, such as Google and Facebook, which have paid hefty fines for failing to comply with the regulation. If it is that difficult for large corporations to reach GDPR's standards, what about small businesses? SMB owners face the same obligations, and legal penalties are the consequence of not meeting them.
Let's first review what GDPR is. The General Data Protection Regulation governs the way businesses handle the personal data they collect from customers, such as names, ages and addresses. It was introduced last year to improve data management within businesses and to give individuals more protection over their personal data. Businesses that are fined for not complying have typically failed to give individuals access to their information, transferred data unlawfully (for example outside the EU without adequate safeguards) and/or otherwise breached the rights of individuals. Penalties for the most serious infringements run to fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, and up to €10 million or 2% of turnover for less serious ones. Below are a few steps small business owners should take to ensure they're compliant with data privacy regulations like GDPR.
Review Existing Processes
The first step an SMB should take when attempting to comply with GDPR is reviewing its existing data privacy practices and identifying what actions need to be implemented. A good data management system, whether paper-based or electronic, is needed so that you can locate all relevant information whenever necessary. Without one, businesses may spend hours looking for information they should be able to find in minutes. This matters even more when individuals exercise their right to ask the business to erase their personal data. When an individual makes such a request, all of their data must be located and securely destroyed, including any copies held on your behalf by third-party processors, and that cannot be done reliably without a good system in place.
Implement a Data Organization System
Data organization systems, or data mapping exercises, help businesses understand and record all of their data processing activities (GDPR calls this the record of processing activities). Data mapping is the process of documenting what personal data a company collects, including how and where it is stored. A company's data map can be as simple as a spreadsheet and should include details such as how sensitive each category of data is, how long the data has been in the system and how long it should be kept, and what measures the company takes to protect it. Keeping these records not only helps organizations answer customers' questions about their own data and stay GDPR-compliant, but also gives them a record to rely on if liability is ever contested.
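The following is an added example, not code from the article or from Rocket Lawyer, showing how the data map described above can be kept as structured data and then put to work for the two tasks the previous sections describe: finding every store that holds a particular person's data (for an access or erasure request) and flagging records kept past their retention period. The store names, fields, retention periods and sample records are all constructed assumptions for a fictional shop; a real map would list your actual systems.

```python
"""Added example (not from the article): a small data map kept as code, plus
the checks a small business needs it for: locating every store holding a
person's data for an access/erasure request, and flagging records that have
outlived their retention period.  All store and field names, retention
periods and records below are constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataMapEntry:
    store: str            # where the data lives (assumed system name)
    fields: tuple         # which personal data fields the store holds
    sensitivity: str      # "low" or "high" (special-category data)
    retention_days: int   # how long the business keeps the data
    protections: tuple    # protective measures applied to the store
    lookup_key: str       # the field that identifies a person in this store


# Constructed data map for a fictional shop (assumption, not a real company).
DATA_MAP = (
    DataMapEntry("crm", ("name", "email", "address"), "low", 365 * 3,
                 ("role-based access", "TLS"), "email"),
    DataMapEntry("newsletter", ("email",), "low", 365 * 2, ("TLS",), "email"),
    DataMapEntry("hr_files", ("name", "national_insurance", "health"), "high",
                 365 * 6, ("encrypted at rest", "HR-only access"), "name"),
)

# Constructed sample records standing in for the real systems, keyed by store.
RECORDS = {
    "crm": [
        {"email": "alice@example.com", "name": "Alice", "created": date(2016, 1, 10)},
        {"email": "bob@example.com", "name": "Bob", "created": date(2019, 3, 1)},
    ],
    "newsletter": [{"email": "alice@example.com", "created": date(2019, 2, 1)}],
    "hr_files": [{"name": "Bob", "created": date(2015, 6, 1)}],
}


def stores_holding(subject: dict) -> list:
    """Return the names of every store holding data for this person.

    `subject` maps identifier fields to the values known about the person,
    e.g. {"email": ..., "name": ...}; each store is searched by its own key.
    """
    found = []
    for entry in DATA_MAP:
        value = subject.get(entry.lookup_key)
        if value is None:
            continue
        if any(rec.get(entry.lookup_key) == value for rec in RECORDS[entry.store]):
            found.append(entry.store)
    return found


def overdue_records(today: date) -> list:
    """Return (store, record) pairs kept longer than the store's retention period."""
    overdue = []
    for entry in DATA_MAP:
        cutoff = today - timedelta(days=entry.retention_days)
        for rec in RECORDS[entry.store]:
            if rec["created"] < cutoff:
                overdue.append((entry.store, rec))
    return overdue


def erase_subject(subject: dict) -> dict:
    """Remove every record matching the person from every store.

    Returns a per-store count of removed records so the erasure can be logged.
    """
    removed = {}
    for entry in DATA_MAP:
        value = subject.get(entry.lookup_key)
        if value is None:
            continue
        before = len(RECORDS[entry.store])
        RECORDS[entry.store] = [
            r for r in RECORDS[entry.store] if r.get(entry.lookup_key) != value
        ]
        removed[entry.store] = before - len(RECORDS[entry.store])
    return removed


if __name__ == "__main__":
    alice = {"email": "alice@example.com", "name": "Alice"}
    print("stores holding Alice:", stores_holding(alice))
    print("overdue on 2020-01-01:", overdue_records(date(2020, 1, 1)))
    print("erased:", erase_subject(alice))
```

Two design points are worth noting. Each store is searched by its own identifier, because the CRM knows a customer by email while the HR system knows a person by name, and an erasure request that only searches one identifier will miss data. The map also deliberately does not cover backups or copies held by third-party processors; those must be listed as stores of their own (with their retention periods) or the erasure is incomplete.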
Communicate with Customers and Employees
Small businesses should publish privacy notices that tell customers how their personal information is processed. A simple way to start is to use a service to conduct a GDPR audit, which identifies areas of compliance and non-compliance. What the audit finds can then be communicated to customers, and that full disclosure helps them trust your business. Small businesses also need a procedure for breach notification, or face the possibility of a fine: GDPR requires a breach to be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it unless it is unlikely to pose a risk to individuals, and the affected individuals must be told without undue delay when the risk to them is high. When it comes to employees, train staff so that everyone knows the procedures to follow, and emphasize that each employee is responsible for reporting a suspected breach promptly so that the 72-hour clock can be met.
As data privacy regulations like GDPR continue to gain traction, with the California Consumer Privacy Act going into effect next year, it's increasingly important that small businesses know how to comply. To avoid the issues large companies have run into, small businesses should review their existing data privacy practices, carry out a data mapping exercise and communicate openly with customers and employees. Take these steps now to keep customer data safe and secure, and you will be in a far better position if your business is ever affected by a breach or a complaint.
Adam Ford is Head of Legal at Rocket Lawyer UK. He became a lawyer after initially studying Engineering and he is passionate about using technology to disrupt traditional legal practice in order to make the law accessible to all. Before joining Rocket Lawyer, Adam worked as an associate at a city law firm and as in-house counsel for a large UK technology company.