GDPR: Do Small Businesses Need to Comply?

This year, the General Data Protection Regulation (GDPR) went into effect, and it impacts businesses of all sizes. Since many of my clients are small- to medium-sized merchants, I thought I would touch on a few highlights concerning what these new regulations are.

GDPR is a new law regulating the way businesses collect, process, and use data from citizens in the European Union. The law covers any business with EU customers, no matter where or how big the business is: even one-person shops or “mom-and-pop” merchants need to abide by the regulations.

At least half of my clients have no customers in the EU, and at least a third of those have no real prospects of ever GETTING customers in the EU. Nevertheless, I still recommend that they think seriously about implementing the tenets of this law. “At its core,” states one source, “GDPR is designed to protect personally identifiable information by strengthening and unifying the standards for data storage.” Not only is that a good idea, it is an idea I expect to spread: it would not surprise me to see the US adopt similar regulations within the next five years. For that reason, I tell clients, you might as well start planning now.

3 Areas Affected by GDPR

There are three primary areas where the GDPR will have the most dramatic impact. Because this is a blog post (and because I am NOT an attorney), we’ll just touch on these at a high level.

  1. Lawful Basis

GDPR requires that merchants have a “valid lawful basis” for processing personal data. There are six lawful bases, and mostly they come down to whether the processing is necessary: in other words, if there is a feasible way to accomplish the same goals without processing personal data, you probably won’t legally be allowed to process it.

  2. Clear Privacy Policy

Having a privacy policy has always been a good idea (it comes standard with every Spilled Milkshake web design), but it’s now mandatory. Your site must now include a privacy policy that thoroughly explains all the ways in which you collect and plan to use the personal data of EU citizens. It must be written in clear and simple language (no “lawyer-ese”) and prominently state whom users can contact if they want to review, change or delete any of their data.

  3. Data Processing Contract

If you accept credit or debit cards through a third-party data processor such as PayPal, you must have a detailed contract with that company. Typically referred to as a Data Processing Agreement, or DPA, the contract must spell out–again, in language an average person could be reasonably expected to understand–the purpose of processing the personal data, as well as who will be liable for that data at any given stage.

What Happens if I Don’t Comply?

Again, these new regulations are in effect even for small companies based outside the EU: if you collect, process, or use personal data of any EU citizens, you are liable. Not complying with GDPR can result in fines–some of them quite high. EU regulators are allowed to fine US companies for GDPR violations; in some cases, US authorities may even help.

No Time to Be Complacent

All the new stipulations associated with the GDPR have left some merchants feeling overwhelmed. While that’s understandable, it’s good to keep in mind that the end goal is relevant: the protection of our personal data. We all want our customers to feel confident that their information is safe in our hands.

And remember: help is available. Here at Spilled Milkshake, we have the knowledge and experience to help you navigate the sometimes-choppy seas of GDPR. Contact us today to learn how we can make sure your site adheres to GDPR standards going into the future.