Why Small Businesses Must Comply with the GDPR
If you're a small business owner or run an ecommerce store, you must comply with the EU's General Data Protection Regulation (GDPR).
The GDPR gives EU citizens control over:
- Who can access their personal information
- What happens to their personal data
- How their personal details are stored and shared
The GDPR imposes strict compliance requirements on business owners - even small companies with less than 250 employees.
The whole point of the regulation is to give private individuals more control over their own privacy. It's based on consent - you now need clear, informed consent to handle, store, share, or process someone's personal data.
So, what do you need to know about the GDPR, and how does it affect you as a small business owner? Let's find out.
- 1. What is the General Data Protection Regulation?
- 2. Who Must Comply with the GDPR?
- 3. What is Personal Data?
- 4. Does the GDPR Apply to Data Collected Offline?
- 4.1. Social Media
- 5. A Guide to Small Business Compliance with the GDPR
- 5.1. Complying with Individual Rights
- 5.2. Right to Information
- 5.3. Right to Access
- 5.4. Right to Rectification
- 5.5. Right to Deletion
- 5.6. Right to Restriction
- 5.7. Right to Portability
- 5.8. Right to Object
- 5.9. Right to Avoid Automated Decision-Making
- 6. Protecting Data
- 6.1. Social Media Accounts
- 6.2. Inside the Store
- 6.3. Online
- 6.4. Data Breach Notifications
- 7. Penalties for Non-Compliance with the GDPR
- 8. Conclusion
What is the General Data Protection Regulation?
The General Data Protection Regulation is, essentially, one of the most comprehensive data privacy laws in the world. This is actually great for two reasons:
- There's lots of official guidance now on how to comply with it
- If you comply with the GDPR, it's likely you're also complying with other international privacy laws
7 principles underpin the GDPR. They're set out in Article 5.
We don't need to go over these in huge detail, but it's good to know what these principles are because they help you make sense of your compliance obligations.
- Lawful Basis: You can only process personal data if there's a legitimate, necessary reason for doing so e.g. you're processing payment details to complete a contract of sale at the register or online.
- Collection Purposes: Data must be collected for a clear purpose and this should be communicated to the customer e.g. you need their home address to deliver goods.
- Limitation: You shouldn't capture more data than you need to complete a transaction or request e.g. you don't need someone's home address to send an email newsletter.
- Accuracy: There's a duty to maintain accurate, up-to-date information where possible e.g. you shouldn't have someone's old phone number from 10 years ago.
- Storage: You should only store personal data for as long as you need to identify someone, and this data should be safeguarded at all times.
- Confidentiality: There's an obligation to keep all personal data secure, however it's filed, collected, stored, or processed.
- Accountability: You're accountable for what happens to the personal data under your control.
You might still be wondering why even small or micro-sized businesses need to comply with all these obligations. However, companies with under 250 employees are exempt from certain obligations.
You can read more about this exemption principle in Recital 13 of the GDPR.
Who Must Comply with the GDPR?
It doesn't matter where in the world you're based. You're expected to comply with the GDPR if:
- People in the EU visit your website
- You sell goods or services to EU citizens i.e. you ship within the EU
- You use analytics to monitor behavior from EU citizens who visit your site/ecommerce store
It's worth noting that the GDPR also covers tourists in the EU, too. Here are two brief examples to make this all clearer.
- You're based in New York. A Canadian tourist in Rome visits your website. The GDPR is triggered.
- You're based in Melbourne. You ship to Spain and a Spanish citizen orders goods from you. Again, the GDPR is triggered.
Takeaway: if you run a small business and/or an ecommerce store, there's a very good chance the GDPR applies to you and you should understand your compliance obligations.
What is Personal Data?
The GDPR helpfully provides a clear, concise definition of personal data in Article 4. Basically, personal information is any data that can identify a person, their household, or their family.
So, if you collect any data that may be used to identify someone, such as their name, home address, email address, or telephone number, this is protected data under the GDPR.
Whether you send around an email newsletter, or you capture a customer's details for a prize draw, you must take steps to safeguard this information and keep it confidential.
Before we move on, there's one final thing to bear in mind. "Such as" means that the list of identifiers in Article 4 isn't a complete list. In other words, if you think it's personal data, it probably is. It's better to be overcautious than careless!
Does the GDPR Apply to Data Collected Offline?
If you run an ecommerce website but you also manage a physical store, you're probably wondering if the GDPR applies to the data you collect in store. We've touched on this earlier, but the answer is yes, it does.
The General Data Protection Regulation is technology neutral. This means that it doesn't matter what form of online or offline data processing or handling takes place. The GDPR covers it all.
The closest that the GDPR comes to actually explaining this is in Recital 15, "Technology Neutrality."
If you undertake activities like:
- Capturing personal data at the register
- Processing returns in store
- Handling customer signatures
- Running contests in store
- Processing orders in the store that you plan on mailing out (i.e. customer addresses are on the labels)
You must comply with the GDPR although none of this activity takes place online.
Since the GDPR is tech neutral, you must follow its requirements when you're interacting with customers or prospects online, too. This includes:
- Supervising who can post on your accounts and read private messages
- Properly safeguarding private data collected through social media channels
- Deleting sensitive information from social media, where appropriated
Does all of this sound complicated? Don't worry. It's actually a lot easier to comply with the GDPR than it appears at first glance.
Let's break down what obligations the regulation places upon you and how, as a small business owner, you can comply both on and offline.
A Guide to Small Business Compliance with the GDPR
Helpfully, there's clear criteria you can follow to comply with the GDPR across your entire business.
Here's how it all works. We'll highlight why small business compliance is important as we go.
Complying with Individual Rights
GDPR compliance is the only way to fully protect the data privacy rights of individuals. These 8 user rights are set out in Chapter 3 of the GDPR:
Let's briefly touch on each right.
Right to Information
Customers have a right to know what information you plan on collecting, why you need it, and what you plan on doing with it.
Here's how Gymshark addresses these rights in its Privacy Notice. It sets out what data is collected and the legal basis for collecting it:
You can also answer these questions in store or set out similar provisions on an invoice. What's important is that customers know about their rights and see you're willing to comply.
Right to Access
It's imperative that if customers ask you to show them what information you store on them you comply. If you don't comply, you're infringing someone's right to be in control over what happens to their personal data, and how it's shared or handled.
Right to Rectification
If a customer asks you to amend personal details, whether it's details you collected at the register or online, you must comply. Gymshark has a small store in London and a large ecommerce store. It specifies this right clearly in its Privacy Notice:
As with every GDPR right, this is tech neutral. It doesn't matter how small the change is, or whether it's made in writing, face-to-face, or over the phone.
Right to Deletion
Customers have a general right to be forgotten under the GDPR. If they exercise this, then you must delete any data you have on them unless there's a legal reason to hold it.
Right to Restriction
An EU citizen can restrict how you use their personal data if they claim that it's inaccurate or you collected it without their permission.
This right is in line with the principles of accuracy and lawful basis for processing, so it's vital you comply.
Right to Portability
Basically this gives EU citizens the right to transfer their personal data from one company to another without challenge. It's worth knowing it exists in case you're expected to comply at some time.
Right to Object
You must tell customers that they're entitled to object to how you handle their personal information. They can ask you to stop processing their data and you're expected to comply in most circumstances.
Here's how U.S.-based personal trainer Alyssa Olenick addresses the right of EU citizens to "unsubscribe" or object to data handling at any time:
Make it clear that the right exists and how to exercise it.
Right to Avoid Automated Decision-Making
You can't "profile" anyone or make decisions about them based on their age, gender, location, or other similar data, as stated in Article 22.
However you collect personal data, it's your responsibility to properly secure it. Issues you may encounter as a small business include:
- Multiple staff accessing social media accounts
- Staff leaving receipts, invoices, and other personal data lying around the register
- Properly securing and encrypting payment information when customers pay online
- Filing hard copies and paperwork away securely
- Holding on to data for longer than necessary
The GDPR doesn't place the same data protection obligations on small businesses as it does on larger companies, but it's still essential that you comply. Here are some tips on staying GDPR compliant.
Social Media Accounts
- Only let certain personnel log on to your accounts and read private messages
- Change passwords regularly
- Just because someone follows you on social media doesn't mean they want marketing messages - get clear consent before sending mailers or mass messages
Inside the Store
- Store sensitive documents in locked filing cabinets
- Periodically review your paperwork and shred what you don't need
- Conceal information you gather over the phone e.g. telephone orders
- If you're running a promotion or capturing data such as email addresses and telephone numbers, ensure the customer knows why you need this data, how you'll use it, and when you'll dispose if it
- Get clear consent to capturing data for marketing purposes
- Use encryption to process payments
- Get consent to marketing and analytical tracking
Here's an example of how you can collect consent for marketing communications:
Whether you meet customers over the telephone or online, the same principle always applies: Data protection compliance is critical.
Data Breach Notifications
- You sent an invoice containing someone's payment details, name, and address to an external recipient
- Hackers accessed your social media account which contains personal customer data
- Someone breaks into your store and accesses sensitive files or items with personal information on them
As per Article 30 of the GDPR, there's no need to record data breaches that you're not reporting to the supervisory authority because this is unduly onerous on small businesses.
Penalties for Non-Compliance with the GDPR
Aside from the reputation damage caused by ignoring your GDPR requirements, the financial penalties for non-compliance are high.
According to Article 83 of the GDPR, you can be fined up to 4% of your annual turnover or 20,000,000 Euros, whichever is the higher amount.
The penalties imposed vary considerably depending upon many factors including how severe the breach is, how long you took to report the breach, and what steps you took to limit the damage.
The good news is that it's pretty easy to avoid GDPR fines. Take your GDPR compliance requirements seriously and make sure you always get consent to handling personal data, and you won't need to worry about financial - or reputational - penalties.
Every small business should comply with the EU's General Data Protection Regulation, or GDPR. The GDPR lets individuals control who has their personal data, how it's shared, and why it's collected in the first place.
Complying with the GDPR shows companies that you're a serious, professional business that cares about its customers.
As a small business owner, what's important is that you have procedures in place to secure data wherever it's stored, whether it's online or offline.
To comply, you should:
- Change your passwords regularly
- Use encryption for online payments
- Limit access to social media
- Store data for no longer than necessary
- Report breaches as soon as possible and take steps to ensure they don't happen again (or at all)