GDPR: No One-Size-Fits-All Solution
If you’re in the small business arena, you’ve probably heard about the General Data Protection Regulation (GDPR), which came into force on May 25, 2018 and replaced the EU’s 1995 Data Protection Directive. Among other things, it requires companies to tell people clearly what personal data they collect, why they collect it, and on what legal basis.
Most small businesses are looking for a blanket solution for GDPR compliance. Unfortunately, it’s difficult to offer one-size-fits-all guidance, because the regulation affects businesses differently depending on what data they process and whom they serve.
Your GDPR Questions Answered
The media has done its job in covering this topic, suggesting that small businesses (even in the United States) review the new rules. However, the definition of a “small business” can differ based on the context in which it’s used.
A mom-and-pop pizza joint that serves one town vastly differs from a nationwide pizza chain. But when big businesses like Google, Apple, Twitter, Samsung, Ford and Bank of America come into play, the nationwide pizza chain no longer looks as “big” as it did next to the local pizza shop.
From the mom-and-pop shop to global corporations, let’s walk through some common questions that businesses of all sizes have about GDPR compliance.
Q: Why have I read about GDPR affecting U.S. small businesses? I thought these rules only applied to European companies?
A: GDPR’s territorial scope is defined by whose data you process, not where your company is based. It applies to businesses established in the EU, and also to businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour there. Note that the test is whether the individuals are in the EU, not whether they are EU citizens. Just because a company is labeled a “small business” does not mean it is exempt. With very few exceptions (such as the lighter record-keeping duties for organisations with fewer than 250 employees), the obligations are not determined by the size of the business at all.
Q: How can I determine if my business needs to comply?
A: GDPR was written for the international business market that exists today. As such, compliance will look different for every business, depending on a variety of factors. To start, ask yourself some basic questions about your business:
- Does your business collect or otherwise process personal data (names, email addresses, payment details, IP addresses, order history)?
- Are you established or active in the European marketplace?
- Do you deliberately offer goods or services to people in the EU, for example by pricing in euros, shipping to EU addresses, or running EU-targeted advertising?
- Do you track the online behaviour of people in the EU, for example with analytics or advertising cookies?
If you answered yes to any of these questions, you need to look into your GDPR obligations.
Q: What about my business’ online presence? If European citizens can find my business online through search engines, does this mean I need to be GDPR compliant?
A: Yes and no. This is where GDPR can get tricky. The simple act of a European consumer finding your website online does not mean you are offering goods or services to people in the EU. For example, even if the pizza shop created a business website and expanded its storefronts across the United States, it is unlikely that GDPR would apply, because its customers are all in the U.S. But let’s say the pizza joint now sells frozen pizzas that can be ordered and shipped anywhere in the world, including the EU. Now the pizza shop should investigate its GDPR obligations, because it is deliberately serving people in the EU.
Q: May 25 has passed, and I still don’t know if GDPR applies to my business. Should I panic?
A: The short answer is no, you do not need to panic. Just as its effect on a business will vary, enforcement is proportionate: regulators weigh the nature, scale and sensitivity of the personal data you process and the harm caused, and a business that handles only a trickle of data about people in the EU is not in the same position as one whose business model depends on it. With that said, these rules can benefit ANY business by improving transparency between your business and its customers or clients. Even if GDPR does not apply to your business, it does not hurt to review your current data privacy practices and improve them where you can.
What should I do?
- Know your business. Use the starter questions above to determine if GDPR could apply to you. GDPR is less about size and more about your business’ reach to people in the EU and the personal data you collect about them. Start by listing what personal data you hold, where it came from, why you keep it and who you share it with; everything else builds on that inventory.
- Research and prepare. As cliché as it sounds, do your homework when it comes to GDPR. While dense, the regulation spells out the requirements that apply to small businesses collecting data about people in the EU: a lawful basis for each kind of processing, a clear privacy notice, a way for individuals to access and delete their data, and a plan for reporting breaches. First understand your business, then research how it may be impacted. Use this resource from Compliance Junction for a more in-depth analysis of GDPR obligations for small businesses.
- Do what you can now. Regulatory guidance is still developing, and enforcement practice is still very new. However, any business can benefit from looking at GDPR requirements to see what it can do within its own operations. If you can make your privacy policy easier to read, why not? If you can separate consent for marketing from other business messaging (a separate, unticked checkbox rather than consent buried in your terms of service), go ahead and do it. Even businesses that are not required to comply with GDPR can benefit from a review of their current data privacy practices.