Do California small business owners need to concern themselves with the EU General Data Protection Regulation (GDPR)?
After all, the European Union is a continent plus an ocean away.
At the very least, small business owners should be aware of what the GDPR is.
At most, California small businesses that process and hold certain types of personal data about European Union residents, a.k.a. data subjects, should consider taking action.
What Are The GDPR Requirements?
The GDPR regulates the processing of a data subject’s personal data including its collection, storage and transfer or use. The GDPR gives data subjects more rights and control over their data by regulating how businesses should handle and store any personal data they collect.
The GDPR went into effect on May 25, 2018.
The GDPR grants eight fundamental rights to data subjects. They are:
- Right to be informed
- Right of access
- Right of rectification
- Right to erasure (a.k.a. the right to be forgotten)
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
Does The GDPR Apply to California Businesses?
The GDPR applies to any company anywhere in the world that employs 250 or more people and that handles and stores the personal data of at least one EU resident.
Does The GDPR Apply to California Small Businesses?
The short answer is, “it could.”
Article 30 of the GDPR states that businesses employing fewer than 250 people will not be bound by the new regulation, “unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data, or personal data relating to criminal convictions and offences.”
Special categories are, “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
If Your Company Does Not Do Business With EU Residents
If your company does not do business with any EU residents, one course of action is to purge all EU resident records from all systems.
As referenced above, the threshold number of data subjects for GDPR compliance is a single EU resident. If there is just one EU subject record in any of your systems, the number might as well be 10,000. What counts as a “system”? Here is a partial list.
- Email marketing & marketing automation
- Accounting and ERP
- Content management systems
For internal databases, a business is considered both the data processor and the data controller. For cloud databases, the business is the data controller and the cloud provider is the data processor. Purging records is the responsibility of the data controller.
Data Collection Avoidance
If your company does not do business with any EU data subjects, a practice worth considering is to avoid collecting personal information from EU residents after May 25, 2018.
If your business collects email addresses from website visitors in exchange for a free digital asset such as a whitepaper, after May 25, 2018 it would be best not to email the asset to the form submitter. Instead, redirect the submitter to a page that has a link to the asset.
If your marketing system collects and stores a visitor’s geographic location (many do), an approach is to delete the records of any form submitters identified as originating from an EU member country. This approach should also include “Contact Us” form submitters.
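As an added example (not code from the original post), the script below shows one way a data controller could apply the approach just described to an export of form submissions: records whose stored country of origin is an EU member state are set aside for deletion, "Contact Us" submissions included, and records whose country is missing or unusable are held for manual review rather than silently kept. It assumes each record carries a two-letter ISO 3166-1 country code in a `country` field, as many marketing systems store; the sample records and field names are constructed for the example, and the member-state list is the 28 members as of May 25, 2018.

```python
"""Flag form-submission records that originate from EU member countries.

Added example, not from the original post. Assumes each record has a
two-letter ISO 3166-1 alpha-2 code in a "country" field (an assumption
about the marketing system's export format).
"""
from dataclasses import dataclass, field

# The 28 EU member states as of 25 May 2018 (ISO 3166-1 alpha-2 codes).
EU_MEMBERS_2018 = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE",
    "GR", "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT",
    "RO", "SK", "SI", "ES", "SE", "GB",
})

# Constructed sample data standing in for a marketing-system export.
SAMPLE_SUBMISSIONS = [
    {"email": "a@example.com", "form": "whitepaper", "country": "US"},
    {"email": "b@example.com", "form": "contact-us", "country": "de"},
    {"email": "c@example.com", "form": "whitepaper", "country": "FR"},
    {"email": "d@example.com", "form": "contact-us", "country": ""},
    {"email": "e@example.com", "form": "newsletter", "country": "CA"},
]


@dataclass
class PurgePlan:
    purge: list = field(default_factory=list)   # EU-origin records to delete
    keep: list = field(default_factory=list)    # non-EU records
    review: list = field(default_factory=list)  # origin unknown; decide manually


def normalise_country(value):
    """Upper-case and trim a stored country code; return None if unusable."""
    if not isinstance(value, str):
        return None
    code = value.strip().upper()
    return code if len(code) == 2 and code.isalpha() else None


def plan_purge(records, eu_members=EU_MEMBERS_2018):
    """Partition records into purge / keep / review by country of origin.

    Every form type, including "Contact Us", is treated the same way.
    """
    plan = PurgePlan()
    for rec in records:
        code = normalise_country(rec.get("country"))
        if code is None:
            plan.review.append(rec)   # cannot prove non-EU origin; do not keep silently
        elif code in eu_members:
            plan.purge.append(rec)
        else:
            plan.keep.append(rec)
    return plan


def purge_summary(records, eu_members=EU_MEMBERS_2018):
    """Counts suitable for the written record an auditor might ask for."""
    plan = plan_purge(records, eu_members)
    return {"purge": len(plan.purge), "keep": len(plan.keep), "review": len(plan.review)}


if __name__ == "__main__":
    plan = plan_purge(SAMPLE_SUBMISSIONS)
    for rec in plan.purge:
        print("DELETE", rec["email"], rec["country"])
    for rec in plan.review:
        print("REVIEW", rec["email"], repr(rec["country"]))
    print(purge_summary(SAMPLE_SUBMISSIONS))
```

The script only plans the purge; the actual deletion belongs in the system that holds the records, and keeping the plan output (counts plus the list of purged identifiers) is the kind of documentation worth retaining alongside the "zero EU data subject" policy.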
Companies that use WordPress can selectively display website forms and calls to action to only visitors from the countries the business serves. This can be done with a free plugin called GeoTargeting Lite.
A stronger preventative approach is to un-gate all your content and not collect the email address of anyone who is not ready to do business with your company.
Beyond website forms, educating employees about how to not introduce EU data subjects into business systems is another aspect to consider.
It can only benefit a business to document the facets of a “zero EU data subject policy” so that there is something to present to an EU auditor in the unlikely event of an audit.
If Your Company Does Business With EU Residents
If your company does business with EU residents and your small business could be bound by the special category provisions, there is an extensive process your company should consider going through or risk facing substantial fines. The process begins with an audit of all stored personal data.
1. Know what EU subject data is being held within your organization. Know where and how it’s being held. Know who is responsible for managing the data.
2. Have processes and procedures in place to enable compliance with GDPR requirements.
3. Fully document these processes and procedures so you can prove compliance if audited.
4. Publish the processes and procedures on your website.
5. Be prepared to report a data breach within 72 hours.
One company we found sells a GDPR policy template set for about $105.
What To Do Next?
It’s not yet clear how strictly the EU will enforce GDPR compliance with small businesses. However, the risks are high enough that small business owners and managers should take the time to study the GDPR provisions.
Ian Gotts, a California small business founder who writes extensively on the topic of GDPR, stated in a recent article, “[GDPR] should be the catalyst to rethink your customer engagement strategy and build loyalty that is a huge differentiator and competitive advantage.”
This blog post only scratches the surface of a broad and complex topic. Be sure to click on the inline links above to learn more. It’s also worth taking a look at the European Union’s frequently asked questions about the incoming GDPR.