GDPR Guide for Small Business Owners
The GDPR takes effect May 25, 2018, and for owners of small businesses it can feel like a kick in the teeth. The GDPR (General Data Protection Regulation) is a new law that governs the handling of personal data of residents of the European Union (EU). Even if your business is located in North America, well outside the EU, you need to take this law seriously because it applies to any EU resident who interacts with your site. You can’t guarantee that someone on your site isn’t a resident of the EU; they might even be using a US-based proxy server. They may have posted a comment on your site, which is associated with their IP address and Email address. They may have subscribed to your Email newsletters. Even if they are physically in Canada or the US when sending you a message, they may be here on business or holiday. Fines for non-compliance will be substantial and can be levied on businesses both in and outside the EU.
The GDPR is intended to give EU residents more visibility and control over their personal data: how websites, not just E-commerce websites, collect data; who they share it with; and what tracking technologies monitor them across the Internet.
GDPR Compliance basics
If you collect Email addresses for subscriptions, you must ensure that nobody is subscribed automatically without their explicit consent. In Canada, this has already been governed by the CASL legislation over the past couple of years. For example, you cannot pre-populate a subscription checkbox on a contact or order form. Subscribers must be informed about what they are subscribing to and given easy ways to withdraw consent.
You may no longer store a record of customer behavior. For example, if you were using an online system to track how often someone visited your restaurant, even if the reason was to reward them with a prize for frequent visits, the dates and/or times of those visits can no longer be stored in any digital form. You may still show that they visited x number of times, but there can be no specific details tied to any particular range of dates, because those details could be used to identify someone by correlating their visit dates with other information, even when the sources of that information are different systems.
Perhaps the most challenging aspect of the GDPR is the requirement that if someone asks you to scrub all traces of their interaction with your site, you must comply. The reasoning is that if someone had their identity stolen they must be able to have that false information removed wherever it may exist, anywhere in the world. This means all traces. Any information that can be combined with other information to identify someone must be removed. Even the last four digits of a credit card number can be used to connect a record to a specific identity, and therefore must be removed if the person asks to have their information scrubbed.
Unfortunately this issue is quite a complex one to manage. For example, if you are asked to remove personal information, the request is not as simple as deleting their info from your website database. If they placed an order or contacted you by Email, you must also scrub those related messages from any computers that hold those records and that may be exposed to outside access. It is quite likely that multiple staff have interacted with the same person, which means those Email records must be removed from every place where they could potentially be accessed. If you were to keep that info on file following a removal request and later faced a data breach, you could be liable if that breach led to their personal information being released to the world.
How Customer Rights affect you as a business owner
The GDPR gives EU residents powerful new rights such as the Right of Access, Right to Rectification, and Right to Erasure. That means EU residents will be able to:
- Demand a copy of all the data you have about them.
- Demand any errors that may exist in the data be corrected.
- Request the removal of all personal data you have.
The GDPR also gives EU residents the right to find out if their personal data has been compromised. Your business will need to notify customers if their personal data is stolen in a breach, and do so in a timely manner.
The GDPR does not cover all information. The new rights for EU residents specifically apply to Personal Data. Personal Data is anything that can identify a person, either on its own or combined with other data. Personal data may be information such as:
- Physical address
- Email address
- Phone number
- Last four digits of a credit card number
- Shipping tracking numbers (these are unique to an order, and thus to a person)
- IP address
Basically, if you can use a piece of data to identify an EU resident, or combine it with other data to identify them, then that is considered personal data.
Dealing with security breaches
The GDPR requires that you announce every data breach to everyone who is affected, so you need to have your plan ready to roll in the unfortunate event that it happens. Don’t assume it won’t; even the world’s most secure websites are hacked. With some 200,000 hacks of small business sites every day of the year around the world, you need to think of it as “when,” not “if” your site will be hacked, regardless of how strong your security measures might be. Google blacklists around 10,000 websites every day for malware, removing them from search results. Malware can steal customer data and expose your customers and you to fraud and identity theft.
In addition to designating a Data Protection Officer, the GDPR requirements also include:
- Protecting personal data by employing techniques such as access restrictions, encryption, pseudonymization, backups, data minimization, and regular testing of all these techniques.
- Notifying the appropriate supervisory authority within 72 hours of becoming aware of a breach of users’ personal data, including the number of users whose data was exposed, the nature of the breach, and what actions are being taken to mitigate its effects.
- Communicating this information to the impacted users, especially if the data breach exposed any of their unencrypted personal data.
- Considering the needs of any law enforcement investigations before publicly announcing the breach.
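As an added illustration of two points above (the visit counter that keeps no dates from the "GDPR Compliance basics" section, and the pseudonymization, data minimization and erasure items in this list), not code from the original article: a minimal loyalty tracker in Python that stores only a per-customer visit count, keyed by an HMAC of the Email address so the stored data alone does not reveal who the customer is, and that answers access and erasure requests. The class name, its methods and the constructed key are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class LoyaltyTracker:
    """Visit tracker that keeps a count per customer but never the visit dates.

    Records are keyed by an HMAC of the Email address (pseudonymization), so a
    copied database on its own does not identify the customers; the key must be
    stored separately from the data. Hypothetical class, not a real product.
    """

    def __init__(self, key: Optional[bytes] = None):
        # A fresh random key per deployment; in practice load it from a secrets store.
        self._key = key or secrets.token_bytes(32)
        self._visits: Dict[str, int] = {}  # pseudonym -> visit count, nothing else

    def _pseudonym(self, email: str) -> str:
        # Normalize so "Alice@Example.com " and "alice@example.com" map to one record.
        normalized = email.strip().lower().encode()
        return hmac.new(self._key, normalized, hashlib.sha256).hexdigest()

    def record_visit(self, email: str) -> int:
        # Data minimization: increment a counter, never store a timestamp.
        p = self._pseudonym(email)
        self._visits[p] = self._visits.get(p, 0) + 1
        return self._visits[p]

    def visit_count(self, email: str) -> int:
        return self._visits.get(self._pseudonym(email), 0)

    def access_request(self, email: str) -> dict:
        # Right of Access: everything held about this customer, which is only the count.
        return {"visits": self.visit_count(email)}

    def erasure_request(self, email: str) -> bool:
        # Right to Erasure: drop the record; True only if something was actually deleted.
        return self._visits.pop(self._pseudonym(email), None) is not None

    def contains_plain_email(self, email: str) -> bool:
        # Sanity check for audits: the raw address must not appear in the stored keys.
        return any(email.strip().lower() in k for k in self._visits)
```

Scrubbing this store is only one step of an erasure request; the same address still has to be removed from mailing lists, order records and staff mailboxes, as the section above explains.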
What steps should you be taking?
First and foremost, you should put someone in charge of managing your data privacy. If you’re a one-person company, then obviously that will be you, but you can have a website expert help you manage these things on your behalf.
Review your Email subscription system to ensure that it is GDPR compliant. Make sure you have a mechanism on your site that makes it easy to unsubscribe and that subscriber info can be completely scrubbed so that it is no longer available in any form even if you were to get hacked.
If you run an E-commerce or WordPress site, you must ensure that your plugins and E-commerce system are GDPR compliant. This means they should have the ability to scrub data fairly easily when such a step is requested.
Create a crisis plan that outlines the steps you will take if you ever face a data breach. Know what you are going to say to your customers, and how and when you will make the announcement.