Are you ready for GDPR? As a small business owner, you are likely concerned primarily with the customer base that exists within a radius close to your physical store. Prior to the invention of the internet, you would never have had to even consider customers outside of your local community. However, as the internet has become increasingly sophisticated and dispersed to populations all across the world, maintaining an online presence has become increasingly vital for businesses looking to boost their profits and expand beyond their local community. These distant customers can serve as an excellent source of revenue, but they are also subject to the rules and regulations of their own country, rules that you will have to comply with.
Normally, the laws and regulations of other developed nations are not too dissimilar to our own consumer protection laws – in many cases, you only have to worry about the ingredients in food items you sell or where your goods are being sourced from. However, some market blocs occasionally enact sweeping regulations that can completely change the dynamic between you and your customers.
On May 25, 2018, the European Union will begin to implement what is known as the General Data Protection Regulation, or GDPR. This set of laws will likely prove to be one of the most robust and wide-reaching consumer protection regulations enacted anywhere in the world, and it will apply to the entire population of the European Union – over half a billion people. These regulations won’t apply to you directly, but they will apply to every EU customer that interacts with your business in any way.
The GDPR contains numerous laws designed to protect customers and their personal data, the most important of which are as follows.
(i) Customers have the right to have any and all data collected on them deleted at any time
(ii) Any company holding data on an EU citizen is liable if that data is breached
(iii) Customers have the right to have their data changed or transferred between different parties at any time
(iv) Customers may have the right to request and receive all data that has been collected on them
These set of rules replace the 1995 Data Protection Directive and is intended to unify the patchwork of laws that currently exist across the 28 member states of the EU. The GDPR means that you can be held liable for any and all violations of the laws as they pertain to customers who are based in the EU in any way. They do not need to make a purchase from you – if your website collects cookies on your users, or stores any of their information (an address, phone number, or name), then you are held accountable to these regulations.
Compliance with these laws is a major cause of concern for both large and small businesses – only 50% of European firms are fully completely compliant with the GDPR, and that number is lower for American firms. Given the number of data breaches that have occurred over the past year – Equifax being a particularly significant one – the punishments meted out for falling afoul of the GDPR can be severe. A data breach could potentially cost your business as much as two million dollars in fines.
As a small business owner, having to comply with yet another set of regulations can seem like a daunting and tiresome task. However, the cost of refusing business from the entirety of the EU will almost certainly exceed what it costs to comply with the new regulations. Because any interaction with a person from the EU will place you within the range of the GDPR, it’s crucial that you begin to set your business up so that you will not have an issue complying with the rules should an issue emerge.
Large businesses have begun to make the necessary changes across their business infrastructure, but as a small business owner, you won’t have to coordinate these changes across nearly as many departments. That’s why you will want to get started as soon as possible because setting up your business to remain compliant with these rules can prove to be a time-consuming task.
The first step you might want to make is to appoint a person specifically tasked with bringing your business into compliance with these new rules. Ideally, you will hire a legal expert who understands these laws inside and out and will be able to help you make the changes you need. In turn, you’ll also be able to educate your employees about the necessary changes that will have to be made, so that they will better understand what to do and what not to do when handling EU customer data.
Next, you’ll want to make sure that you understand exactly where all of your customer data is being kept and who is responsible for it. The GDPR distinguishes between the people whose data are being managed (data subjects), the people who collect and own their data (data controllers), and the third parties who process and use consumer data (data processors.) How the rules apply to you will depend on which one of these categories you fall into. As a small business owner, you’ll likely be considered a data controller under the GDPR.
Under the GDPR, all customers that are affected by a data breach must be notified within 72 hours of it happening in order for you to avoid being fined. Even if you are not directly targeted, if the data processor that is managing your customers’ data gets hacked and you fail to inform your EU customers in time, you are still held liable. This is designed to ensure that businesses cannot shirk responsibility for their customers’ information by unloading it on a third party vendor.
Your best course of action will be to consolidate all of your customers’ information in one place, where it can be carefully monitored and updated as need be. Because your customers can request, change, or delete their data at any time, it’s crucial that you know exactly who has that data and where they are being kept. If your company is disorganized and keeps different data on different servers, this is going to cause a major headache for you if you can’t prove that you actually provided/updated/deleted all of the information as the customer requested.
You will also want to review any privacy agreements that are in place with customers from the EU. Many businesses have made an opt-out option for data collection the default for EU customers (i.e they are NOT automatically subscribed to e-mail updates.) Take care to ensure that this status doesn’t suddenly change, as companies that re-subscribe somebody who wasn’t subscribed before can be punished for that. Additionally, you’ll want to update your opt-out statements to include the new rights that EU customers have (i.e your customers can opt not to have their data collected for advertising purposes, or to not have their cookies tracked.)
Some companies have opted to create separate databases for EU and non-EU customers, with EU customers being monitored much more rigorously for updates and notifications. Take special care with sending out emails; some companies use a third party vendor that sends emails on your behalf to take some of the liability off of you. Others still have stopped e-mails altogether and returned to paper mail and cold-calling. Old methods are becoming fashionable again under these new laws!
Ultimately, it will take time to become fully compliant with these new regulations. In the meantime, the most important steps you can take are to minimize your liability as much as possible. Some companies can be classified as data processors if they are actively using customer data in their advertising and marketing campaigns, which can carry additional penalties if they violate the terms of the GDPR. As a small business owner, you’ll likely not have to worry about this specific scenario happening, but you will still be held liable for any data you do have or use in any way.
Review your contracts, and make sure that anybody that uses the customer data you collect is also compliant with GDPR regulations. Know where your data is being stored and collected, and make it so that EU customers can opt out of any form of data collection or targeted advertising. The more data you have, the more of a liability you will carry. A good way to tell if your customer data are well-organized is to test how easy and quick it is to pull up the entire dossier that you have on a customer. If there is any issue displaying all of the data you have, there’s a problem.
It might help to appoint one person who is tasked specifically with handling and organizing customer data. Larger companies have made efforts to implement specific, organized procedures for handling and storing company data. Small business owners like yourself may not have that level of the organizational hierarchy to worry about, but you’ll still have to worry about how your vendors will store and organize customer data. Never assume that a data processor will “just” do the right thing – you have to make sure that they are actually handling the data properly!
Of course, you could also decide to simply stop doing business with customers in the EU altogether. If your business receives little to no business from that region of the world, the headache of complying with the GDPR might not be worth it. Or perhaps not – you’ll have to decide that for yourself.