This question has been coming up a surprising amount:

"I run a small business. Does the GDPR affect me?"

If your small business deals with citizens of the EU, the answer is a resounding YES.

While some aspects of the GDPR may affect you differently, with less strict rules for small businesses vs massive operations, the majority of the requirements set forth by the GDPR affect all businesses the same regardless of size.

In this article we will discuss how the GDPR affects small businesses and what you need to do to be compliant.

The GDPR is a massive overhaul of Europe's privacy laws and leaves much less wiggle room and gray areas for you to operate in while remaining compliant. While small business owners may catch a few breaks versus big businesses that are required to take extra measures, the GDPR is still going to have an impact on the operations of small businesses that collect or process data from residents of the EU.

The line that separates small businesses from large ones in the eyes of the GDPR is 250 employees. Small businesses with fewer than 250 employees get a small break in that they are exempt from the record-keeping requirements of larger companies as described in Article 30. This is done to ease the burden on smaller operations.

GDPR Article 30 Section 5: Records of processing activities

It is, however, important to know that this does not exempt the company from GDPR compliance. There are still many regulations under the GDPR that apply to ALL companies, no matter the size.

Privacy Policies

One of the most basic and necessary changes to any business under the GDPR is new Privacy Policy requirements. Regardless of the size of your business, the GDPR has new sets of guidelines for what must be included in your Privacy Policy and how that Privacy Policy must be presented.

Here are the major changes:

  • Your Privacy Policy must be written in plain language that is easy to understand. Cumbersome legalese is not acceptable.
  • Your Privacy Policy must be easy to access (available from your website home page).
  • The GDPR requires that consent be obtained before the collection or processing of personal data. This often includes agreeing to your Privacy Policy.
  • Your Privacy Policy must disclose additional information that wasn't required to be included before, such as information about how users can request records of their data, request data be deleted, etc.

Whether you are a single person with a website or Google itself, the GDPR requires you to have a compliant Privacy Policy to ensure that you are being transparent about your data collection and processing so that your users know how their personal information is being used.

Online and Offline Considerations

Many small businesses have a limited website or no website at all. These companies often rely on collecting contact information at the point of sale. This contact information is often used to create a mailing list or other type of registry for contacting customers.

As with any collection or processing of personal data, this can be regulated by the GDPR.

As an example, let's imagine a small business with no website presence. This company does, however, have an email list they use to send out a newsletter. When customers are in the store they may be asked to give their email address or join a loyalty program. That email address is then added to a mailing list to receive the newsletter or special offers.

Some people erroneously think that this sort of data collection is somehow exempt from the regulations of the GDPR. This is not true.

Also, the act of contacting that email list would certainly be considered data processing under the GDPR which would make compliance necessary if those email addresses belong to residents of the EU.

Data Protection Officers for Small Businesses

Another difference between big and small businesses is the requirement to appoint a Data Protection Officer, or DPO. This requirement is not dependent on the actual size of the company, but larger businesses are more likely to need one than smaller businesses.

The requirements are as follows:

GDPR Article 37 Section 1: Designation of the data protection officer

As you can see, larger companies are more likely to take part in data collection and processing of a scale that would require a Data Protection Officer to be appointed. It is, however, possible for a relatively small operation to be required to have an appointed DPO.

It should also be noted that appointing a DPO may be recommended to assist with other aspects of GDPR compliance, or simply to future-proof a small but growing company, even if it is currently not required by law.

Big or small, companies are required to acquire affirmative consent before collecting and processing personal data under the GDPR.

Exempting small businesses from acquiring consent would leave the door open for abuse that could be potentially harmful to internet users. Large companies could break up into smaller pieces, or create small entities to handle data collection and processing in order to avoid the rules of the GDPR.

For those reasons, all entities that collect or process personal data must have a compliant Privacy Policy and obtain the proper consent before collecting or processing personal data.

In the case of children and minors, consent must be obtained from a parent or legal guardian. The GDPR classifies children as under the age of 16, though individual member states have the right to lower that age down to 13 based on their local ordinances.

Data Breaches and Small Businesses

No matter the size of your business, any entity that handles the personal data of residents of the EU is responsible for keeping that data safe.

Article 82 of the GDPR states that data subjects have the right to pursue compensation if they experience damages as the result of a company failing to comply with the GDPR. This does not only apply to large companies, but anyone who takes on the responsibility of collecting and processing personal data.

GDPR Article 82 Section 1: Right to compensation and liability

The GDPR also outlines how data breaches must be handled, from detection through alerting users and the appropriate authorities. Upon discovering a potential breach, you have at most 72 hours to notify the proper authorities, but notification of both the authorities and affected users should take place as soon as possible to best protect your data subjects.

Again, it does not matter what size business experiences a security breach. The measures set forth are to protect affected users. In order to protect both yourself and your users, it is important to comply with the security guidelines laid out in the GDPR.

Right to Erasure and Small Businesses

The GDPR grants users fundamental rights regarding their personal data and privacy. Among those rights is the right to erasure. This right boils down to data subjects having the right to demand that their personal data is deleted and that there is no further processing of their data.

Once again, this right is not based on the size of the company, but rather is designed to protect individual users. If you collect and process the personal data of residents of the EU, you must be prepared to delete the data of individuals should they request it.

Lawful Use of Data and Small Businesses

Processing personal data requires that one of the following conditions of Article 6 is met:

GDPR Article 6 Section 1: Lawfulness of processing

The GDPR also stipulates that only the data necessary to complete the agreed upon task should be collected and used. It also states that the data collected should only be kept for as long as necessary to complete the tasks they were collected for, and data should obviously only be processed for the purposes the data subject has consented to or can reasonably expect.

Collecting an abundance of personal data when only a portion of that data is needed is unacceptable. Personal data should also only be processed, shared, or transferred according to the guidelines of the GDPR.

Gone are the days of ambiguous laws and gray areas that allowed for data collection on a large scale to create repositories that could later be used when the opportunity arose.

Under the GDPR, personal data is strictly controlled and companies, big or small, should only collect and process what is necessary to limit potential risks to data subjects.

Right to Access and Small Businesses

The GDPR gives data subjects the right to access their data, correct or update their data, and request copies of their data. You should have procedures in place to handle these requests in the event that one of your users needs to make a change or wants to process a subject access request.

GDPR Article 15 Section 1: Right of access by the data subject

You may already have a system in place that allows users to make changes to information in their account. Small businesses can do this simply by providing contact information where a user can make a request. If you possess additional information about them you should already be able to alter that data within your database.

Subject access requests are an entirely different process, though.

Data subjects can request to see what data you hold about them, inquire why you have their data, what you are using it for, and how long you will retain it. This information must be provided to them within 30 days of their request and include copies of the data in question. If you are unable to complete a request within the given timeframe you may face fines or other penalties as a result, so be sure your small business has solid procedures in place to handle these requests.

Opting-out and Small Businesses

The GDPR has strict requirements about data subjects being able to opt-out or retract consent previously given. Previous privacy laws and privacy laws in other countries have not always made this a requirement, so you should be sure to incorporate these features if you are working toward GDPR compliance.

For example, if you send out a weekly newsletter to data subjects from an email list, best practice is to include an unsubscribe link at the bottom of these emails.

Credit Karma email footer screenshot with unsubscribe and communication preferences links

Training Employees of Small Businesses

Having an adequate Privacy Policy, compliant written procedures, and strong security methodology in place is only useful if the employees handling the data are trained and knowledgeable about how to follow these procedures.

While the GDPR isn't explicit in explaining the requirements of training, it does mention that those with the authority or duty to handle personal data should be properly trained and understand at least the portions of the GDPR that pertain to them and their job, as well as the penalties for failure to comply.

After all, a Privacy Policy is worthless if the employees handling the data aren't following the policies outlined in the document.

Even if you only have a handful of employees, make sure they're all kept up to speed on the GDPR and any changes happening at your business.

Third Parties and Data Processors for Small Businesses

Even if your company is small, the third parties or data processors you use may not be. You should review their policies to ensure they are compliant with the GDPR if they handle the personal data of your users who reside in the EU.

Under the GDPR, data controllers can be responsible for the actions of data processors if through negligence or instruction the personal data they have collected is mishandled.

There is, of course, the possibility that the data processor will act unlawfully without the knowledge of the data controller. However, the data controller should do their due diligence to ensure the data processor they are using is reputable and compliant with the GDPR.

Conclusion

The GDPR has unprecedented scope and reach in terms of privacy law. While there may be a few instances that affect small businesses differently than large companies, the majority of the GDPR applies to all entities that collect or process personal data of residents of the EU, whether that's a massive company or an individual app developer.

While the GDPR may impose a burden on companies as they make changes in order to become compliant, the long-term goals are to strengthen the rights and security of EU citizens and cut down on shady and risky data handling practices. Complying with the GDPR is not only necessary to protect yourself from fines and legal trouble, but will instill more trust in your users and ultimately improve your relationships and company image. This is important for businesses of all sizes.
