HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Small Businesses and GDPR Compliance

What will GDPR change for small businesses?

Small businesses have experienced some confusion since the announcement of the General Data Protection Regulation (GDPR). A large number of small business owners appear to have assumed that the GDPR is not applicable to them.

Unfortunately, they may well be in for quite a shock on the 25th of May 2018 when the new Regulation comes into force.

Although it is a fact that the GDPR’s Article 30 states that small businesses are not bound by it, this will not always be the case. Small business owners should be alert to the introduction of the GDPR, and inform themselves as to what significance it may have for their business, otherwise they could face sanctions they had not anticipated. Sanctions under the GDPR include large fines, which any business would prefer to avoid.

What impact might the GDPR have on a small business?

Under the terms of the GDPR, a small business appears to be defined as one which employs fewer than 250 people. Any business employing more than 250 people must comply with the GDPR, which implies the hiring of a Data Protection Officer (DPO).

Businesses with fewer than 250 employees are obliged to respect the terms of the GDPR if the data processing they perform may affect the rights of individuals, if they regularly process personal data, or if they process data which is categorised under Article 9 of the GDPR. Should any of these conditions apply to a small business, it must make sure that it is in compliance with every aspect of the Regulation.

What is referred to under Article 9 of the GDPR?

It is prohibited to process certain items of personal data under the rules of the GDPR if the individual concerned has not first given express permission that it may be used for a precise purpose. The items concerned include details of a person’s religion, political opinions and sexuality. In a number of member states of the European Union it is prohibited to process data of this type, even in circumstances where the data subject has already given his or her consent. A small business that deals with the processing of this type of data should pay careful attention to Article 9.

Issues which impact small businesses in particular

Some issues are, in all probability, more applicable to small businesses than to larger firms. For example, numerous small business owners are increasingly dependent on networking to gain contacts that are important for trade. With such considerations, it is vital to take into account that small business owners will no longer be permitted to simply copy email addresses taken from business cards to their electronic mailing lists. From May 2018, they will have to obtain specific consent from the person who gave them the card in order to do so. The same principle is applicable to the use of emails for contacts from LinkedIn or other recruitment networking sites. All businesses should be aware that the simple act of giving a business card does not, for the purposes of the GDPR, imply that the giver has consented to their details being added to a contact list.

Due to a lack of resources, numerous small businesses do not carry out the processing of their own data. Businesses should bear in mind that the third parties they use are, as far as compliance with the GDPR is concerned, also classified as data processors. Small businesses must be sure that contracts with those third-party processors cover all of the necessary requirements in order to be GDPR compliant.

Many small businesses use laptops to access and process the data they handle. It should be noted that the use of simple passwords to protect personal data on a laptop is insufficient for GDPR compliance. To guarantee the correct level of security, such data should be encrypted.

The GDPR’s worldwide impact

The issues involved do not only apply to small businesses that are based within the European Union. The GDPR requirements are applicable to personal data belonging to any person who resides in an EU member state. That is to say that small businesses which process personal data belonging to European citizens may be bound by the new Regulation, even if those businesses are based outside of the European Union. Given that much trade, even in the context of small businesses, is conducted online, it is clear that the GDPR will have a worldwide impact.

The things that small business owners must do

Obviously, the GDPR will apply to a large number of small businesses around the globe. What then should small business owners do to guarantee that their business will be compliant with the new Regulation?

Become familiar with the requirements of the GDPR

Small business owners should, as an initial step, inform themselves as to the details of the General Data Protection Regulation. They must understand what compliance entails in order to evaluate whether or not their current processes and procedures are sufficiently rigorous to satisfy GDPR requirements.

Audit all of the data that is currently being stored

Any organisation that wishes to comply with the new Regulation must be aware of what data it holds, where it holds said data, for what reason it is being held, and the identity of the person responsible for the management of the data. Organisations concerned also need to verify that appropriate consent has been obtained and assure themselves that the data is still being processed for a valid purpose. The latter may be particularly relevant to small businesses, given that storing less data makes it much easier to manage and reduces the probability of problems arising. Deleting data once there is no longer any useful purpose in retaining it is not only common sense for companies; it is also a requirement under the GDPR.

Verify each process and procedure

As previously mentioned, businesses should be aware of what data they hold, where they are holding it and how it is being stored, together with identifying the designated person who manages the data. For this reason, small businesses need to put processes and procedures in place to guarantee that they are compliant with these new requirements. Additionally, they must document in detail the processes and procedures used in order to be able to prove their compliance should authorities later ask them to do so.

Verify any and all consent processes

As soon as the GDPR has been introduced, businesses will be under the obligation to prove that they have received the appropriate consent to process personal data, other than where certain legal exceptions apply. Consent must be obtained for every respective reason for data processing and that consent must be unequivocal. The data subject must be made aware of what they are giving their consent to. Their agreement has to be given by way of a positive act, i.e. it is no longer acceptable for any organisation to rely on pre-checked tick boxes as evidence of consent.

Identify risky data and risky processes

Some items of personal data which fall under the scope of Article 9 of the Regulation carry a particularly high risk. Small businesses may also recognise that specific aspects of the data processing that they engage in could be risky. Each business will have to mitigate such risks by drafting comprehensive plans and procedures to follow. If it seems that mitigation of the risk is impossible, a business should request the consent of the relevant Data Processing Authority (DPA) prior to processing the data.

Prepare a response to a data breach

While any prudent small business will do everything it can to guarantee the security of the data it processes, it must also have a contingency plan in place to deal with worst-case scenarios. The GDPR stipulates that any data breach must be reported to the authorities within a maximum of 72 hours. All small businesses need to be capable of ensuring that this happens.

Think about recruiting a data protection specialist

Despite the fact that the GDPR makes no express stipulation that all small businesses must recruit their own data protection officer (DPO), it is still good practice for every business to do so. Moreover, in circumstances where a business is processing particularly sensitive information, as is described under Article 9 of the GDPR, recruitment of a DPO may be a legal obligation. If hiring a DPO is impossible, the business may wish to consider engaging a third-party consultant, or alternatively to provide the requisite GDPR training course for an existing employee of the firm. As previously mentioned, when third-party specialists are involved, it is important that the business satisfies itself that the service provider is also GDPR compliant. The DPO is required to possess comprehensive knowledge of the GDPR, as well as the ability to develop an adequate data management process.

Educate employees

For a business to be compliant with the GDPR, it is essential that its employees are aware of the Regulation’s requirements. This is why it is a good idea for every small business owner to satisfy themselves that all of their employees are fully aware of the implications of the GDPR and what their individual responsibilities are.

It is easy to see why so many small businesses are under the impression that the GDPR will not concern them. They have the impression that the Regulation is intended for much bigger businesses and organisations: instantly recognisable names that have previously experienced problems due to data breaches. Unfortunately, this is not in fact the case. Any business, irrespective of size, which regularly processes personal data belonging to people who live in a European Union member state, or has a role in the processing of sensitive data, needs to be GDPR compliant.

This is logical enough; the intention behind the GDPR is to provide the individual with greater control over the manner in which his or her data is used, and to provide some consistency of procedures in data processing. Small businesses, therefore, need to be treated in the same manner as their larger counterparts if the rules for inclusion under the GDPR are to be applicable.