• Mohammed Yusuf

GDPR: What Is It? And Why Should Small Businesses Care?

What are GDPR and GDPR compliance? General Data Protection Regulation (GDPR) is a new set of rules designed to give European Union (EU) citizens more control over their personal data. The regulation was put into place, to make Europe ‘fit for the digital age'. At its core, the purpose of the regulation is to simplify the regulatory environment for business so both citizens and businesses in the EU can benefit from the digital economy. Data breaches certainly happen. Data is stolen, lost or released into hands of people with malicious intent. The terms of the GDPR reform, personal data (name, address, photos, health information, race or ethnic data, etc.) gathered must be protected from misuse and exploitation, while also obtained legally. The inability to follow the guidelines of this reform, which includes rights of data owners, will lead to fines and penalties.

Who does it apply to? GDPR applies to companies in the EU, and companies offering goods and or services to businesses within the EU. Essentially every major corporation across the globe must adhere to this new reform. The reform applies to controllers and processors. A controller is a person, public authority, agency or other bodies which, alone or jointly with others, determines the purposes and means of processing personal data. A processor is a person, public authority, agency or other bodies, which does the processing of the personal data on behalf of the controller. Both parties are considered liable in the event of a data breach and are subject to heavy penalties and fines by the EU. The purpose of GDPR is to protect the private data of citizens across the EU, through stricter digital age guidelines.

What U.S SMB’s owners should know? GDPR also applies to U.S based small business with fewer than 250 employees. The compliance can be overwhelming for small-business owners so here is a list of things SMB’s should know:

  • A business or a third party data processor can be found liable for a breach of EU customer data in their possession

  • Should an individual request a business to stop processing their data, that data must be deleted

  • Data protection officers must be assigned to companies and organizations processing sensitive customer data on a large scale

  • National authorities must be notified within 72 hours of a detecting a breach

  • Data portability (moving data between services) is the right of any individual

  • Adding email contacts from business cards or social media without users consent is illegal

What can I do about GDPR?

  • Incorporate data privacy policies in your business plan

  • Look into the policies of 3rd party companies that you use

  • Utilized an MSP to help in making your company compliant

  • Continuously evaluate your Customer Data Protection Plan

  • Ensure the security of your data, and backups

  • Plan for a data breach

GDPR was created to protect EU citizen data from misuse, or stolen in a data breach. We don’t need to look for to see all the hacks, ransomware attacks and misuse of data that is happening across the world. Due to the lax security in the digital age, organizations have gotten away with mishandling of personal data and regulations are being put into place. Being GDPR compliant means your doing your part to protect and prevent yourself and others from being data breach victims.