“My business is a U.S. company — I don’t have to figure out this GDPR stuff, right?” Right. No worries if you’re a U.S. company, and you only interact with U.S. businesses and consumers. Simply implement an intake form to detect where your customers are located and restrict access to your website, so that it can’t collect personal data from people located in the EU. But be wary of customers that might move to the EU after connecting with your business — you don’t want to accidently send them your newsletter or marketing emails if you didn’t acquire GDPR-approved consent.
Better yet, comply with the GDPR anyway.
The purpose of the GDPR (read: the General Data Protection Regulation) is to promote the privacy and data protection of individuals within the EU. You can read more about it here <link to GDPR for Marketers article>.
If you want to do business in the EU — or with individuals in the EU — you’ll have to comply with the GDPR. Noncompliance means significant fines or even jail-time for company executives, depending on the severity of the breach.
When Does the GDPR Apply to a Small Business?
When it comes to the GDPR, size doesn’t matter so much. If people located in the EU can access your website, the GDPR applies. It does not matter whether you are a one-woman-show or have locations spread across the globe.
However, your company’s requirements under the GDPR will be affected by your size and activities.
In the U.S., a small business is typically defined as an organization having fewer than 500 employees. Under the GDPR, small businesses with 250 or more employees must keep a written record of its data processing activities. However, any business — no matter the size — must comply with the GDPR’s written record requirements if that business engages in any of the following activities:
- The business’s data processing activities could affect individuals’ rights and freedoms;
- The business processes data that reveals an individual’s race or ethnicity; political, religious or philosophical beliefs; trade union membership; genetic or biometric data; or data about the person’s health or sexuality;
- The business processes personal data relating to criminal offenses and convictions; or
- The business processes personal data on a regular basis.
Unfortunately, that last point is left open to interpretation and serves as a catch-all for regulators. If broadly construed, it would include those businesses that regularly process data for its websites or CRM systems. Because the position is so unclear, it’s a good idea to keep records, even if you think your business might be exempt.
Whether your business is required to appoint a Data Protection Officer (DPO) is not based on the size of the business, but rather, the core processing activities that are defined as essential to achieving the company’s goals. A DPO is an individual who is an expert on data protection law and procedures. This is also the individual responsible for reporting in the event of a data breach.
How Does a Small Business Comply with the GDPR?
Complying with the GDPR is about learning the language and checking off items on a checklist. It’s easy to get started.
1. Learn the Rights of Individuals in the EU (aka Data Subjects).
For starters, the law gives individuals certain rights:
The Right to be Forgotten
Data Subjects (again: individuals physically within the EU) have the right to request that a business delete their information. “Hey, lose my number, Google!” This applies to any business, whether it’s in the EU or not. And, it not only includes information the Data Subject provided, but any other information collected, i.e., analytics, notes, etc.
The Right to Access
The Gimme Gimme Rule, aka Right to Access, means that Data Subjects are entitled to request that a company share with them what information has been stored about them. And that this transaction occurs without charge.
Privacy by Design
Privacy by Design is a term-of-art meaning, “to build from the bottom up.” Rather than adding privacy to existing models, the models should be re/created with privacy and data protection in mind. This also means collecting the minimum data required for conducting business operations.
Whatever information a business decides to collect about a Data Subject is subject to transfer to another business if the Data Subject so requests. The idea behind this element is to allow for the free movement of consumers from company-to-company. The information that is ported must be shared in a common, machine-readable format.
Get ready to implement more check-the-boxes into your systems, because strengthened consent requires that permission be obtained on a per-use case of a customer’s data. If your company asks for an email address and consent in order to send purchasing information, it must again ask for consent before using that email for marketing purposes. Further, consent can’t be messy, unintelligible, hidden, or tricky. All consent requests are required to be written in a way that the company’s intended consumers can understand it.
2. Review and Revise your Privacy Policies, Consent and Collection Procedures, and Record-Keeping Systems.
In keeping with the rights that Data Subjects have, your company’s practices may need to change. Any policies in place should describe your data processing activities in clear, plain language that the relevant Data Subjects can understand. When stating what data you’re collecting, be sure to note why your collecting it and ensure that you have a lawful basis or consent to do so. Businesses under the GDPR have an obligation to collect the least amount of personal data necessary for its purpose.
This means that:
- The contact forms on your websites should not collect data non-essential for contacting people (stick with names and email addresses).
- A business card or LinkedIn connection is not consent to add that person to your mailing list — you need explicit consent from them agreeing to receive your emails.
- Don’t ask for someone’s age, gender or body type unless you state why you’re specifically asking for that information and also explaining how you’ll be using that information.
3. Secure that Data.
If you’re collecting data, you should be protecting it. Be sure that the relevant leadership in your company — whoever is responsible for company security — knows the proper language and tools in effecting company privacy policies and security solutions.
“Many business leaders are confused about basic data security concepts, like encryption. When we asked whether they used end-to-end encrypted email, about two-thirds said yes. But when we asked these people to identify the service, only about 9% named one. ‘VPN,’ ‘Mailchimp,’ and ‘Dropbox’ were among the responses. Seven Irish respondents said their end-to-end cloud storage provider was ‘Reddit.’”
For a list of best practices for company security, check out this article. In short:
- Train your employees on how to detect and avoid data breach incidents.
- Secure your network, invest in security software and a VPN, and enable encryption software for communications and storage.
Keep in mind that your security protocols will be as unique as your business itself — don’t go copying another company’s privacy policies and data security incident plan. Privacy counsel at Rockridge Venture Law is here to work with your organization to define your operations and make a GDPR-compliant plan that works with your business.
 GDPR.EU “Millions of Small Businesses Aren’t GDPR Compliant, Our Survey Finds” by Ben Wolford, Last accessed Dec. 15, 2020, https://gdpr.eu/2019-small-business-survey/.
About Lauren Hughes
Lauren Hughes is the privacy and branding lead at Rockridge Venture Law®. Equally adept at creative campaigns as well as technology transactions, Lauren leads clients through copyright, privacy, regulatory, and trademark considerations in optimizing successful e-commerce portfolios. She is a leading voice among women practicing in technology and tech law. Her primary practice areas include copyright and trademark law, data privacy, sports and entertainment law, and technology transactions. Lauren also leads the Knoxville Technology Council’s Women in Tech Committee, and is a Director of the Tennessee Women’s Theater Project. Read more about Lauren, connect with her, and Calendly her.
RVL® Articles by Lauren
Rockridge Venture Law®, or RVL®, was launched in 2017 to become the preeminent intellectual property and technology firm across the Appalachian Innovation Corridor. We have offices in Chattanooga, Durham, and Nashville, and represent clients and interests globally. Our services include all aspects of intellectual property, litigation, M&A, privacy, technology transactions, and ventures.
In 2018 and 2019, we were recognized as B Corp Best for the World for our commitment to triple bottom line business practices. RVL® is also certified by 1% for the Planet for its nonprofit partnerships advancing stewardship and sustainability. RVL’s nonprofit partners in 2020 include Green|Spaces, Living Lands and Waters, Mustard Seed Ranch, and the NC State Lulu Games Social and Environmental Impact Competition.
Our pioneering environmental and social impact programs attract top-notch legal talent and assure our clients of missional Rockridge Venture Law alignment with their corporate values. Rockridge uniquely addresses two modern profit drivers: innovation (uptake and development), and corporate social responsibility. We’re Building Today’s Company for Tomorrow’s Economy® by leading clients through the dizzying array of information controls, by helping them to develop and monetize proprietary assets, and by enabling their impactful products, programs, and principles.
Learn about global impact and innovation leaders at Rockridge I-Suite®.
See case studies on how we’ve helped transformative companies at Rockridge Portfolio.