Monday, November 20, 2017

5 Reasons Why Small Businesses Should Get Ready (ASAP) for the GDPR

The GDPR (General Data Protection Regulation) will apply from May 2018 and it will bring relevant changes to the data protection legal environment - not only in the European Union (EU), but in the whole world. But what does it have to do with small businesses? Is the GDPR relevant to anyone besides big data collectors such as Facebook, Google, etc.?

The answer is yes, it is very relevant to small businesses as well, and small business owners should familiarize themselves with it as soon as possible (ASAP), as we are only 5 months away from the applicability date. In the next paragraphs I will describe the 5 main reasons for that.

[The posts on this blog have educational purposes, they do not substitute a consultation with a lawyer. To read the GDPR, click here. All articles mentioned in the text are from the GDPR.]

1- Material Scope:

To begin with, the GDPR is applied to (article 2):

"the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system"

There is no distinction between small, medium and large businesses, as long as data collection/processing happens. The same article 2 establishes exceptional cases where the GDPR will not be applicable, but in most commercial cases of data processing, it will be applicable.

2- Geographical Scope:

The GDPR will apply not only to businesses located in the EU, but also to businesses in any other part of the world, provided that they collect or process data from people in the EU.

Some business owners might think that because they are small and are not based within the EU's borders, the GDPR is not applicable to them. This is not true. The specifications of the territorial scope are in article 3 of the GDPR, and all small business owners should be aware of them, as they are very broad.

3- New rules:

The GDPR, when compared to the previous data protection regime in the EU (Directive 95/46/EC), adds new rules and requirements for data collection and processing, which small business owners should review together with their lawyer. Thus, even if the business owner has dealt with the Directive before, the GDPR is different and needs extra attention.

For example: informed consent. We are now used to ticking boxes all over the internet, accepting any and all kinds of data collection requested. Consent has gained a new dimension in the GDPR, as we can see, for example, in article 7, which sets the conditions for consent.

Article 7.1 stipulates that: "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data." For some small businesses, this type of "demonstration" might be easy to implement; for others, not. There are many other examples of new requirements imposed by the GDPR, therefore the sooner the small business owner gets ready for it - the better.

4- Fines:

Fines are high. Article 83, for example, establishes that "non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher."

There are a few types of fines foreseen by the GDPR, and small businesses certainly do not want to incur such costs. Therefore it is better to be prepared and aware well in advance.

5- Reputation:

The GDPR is a comprehensive regime about data protection and brings the focus on this subject to a whole new level. Companies are being collectively pushed to offer higher levels of data protection and this upgraded level will soon become the default - the minimum required by individuals using those products and services. 

Small businesses that want to avoid reputational losses - in addition to the financial losses that will result from non-compliance - should get ready for the GDPR ASAP.

*

That's all for today. Do you have comments about this post? Feel free to post them below.

Best,

Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy