GDPR for small businesses in North America
I know what you're probably thinking: not another article about privacy!
So why then has a new European privacy regulation caused worldwide panic? If you're a small business owner in Canada or the US, why should you care and, more importantly, what can you afford to do? Read this post to understand GDPR and download our free how-to checklists.
What small businesses need to know about GDPR
We know what it's like to be a small business with limited resources. How can players like us be expected to comply with GDPR when even large corporations have admitted that they're struggling to meet the requirements?
Concerned about the risks involved with GDPR, we decided to spend time deep diving into how this European regulation might impact us and other businesses in the US and Canada. What we're sharing here is not legal advice (please speak to your lawyer for that!) but the result of our efforts to understand what we think many of you are wondering:
What is GDPR?
Why should I care if I'm not based in Europe?
How does GDPR impact my business?
What should I do as a small business in the new privacy environment?
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law concerning personal data privacy and security that came into effect on May 25, 2018. Compared to past US or Canadian regulation such as CASL, the GDPR has teeth: failure to comply can result in huge fines of up to 10-20 million euros or 2-4 percent of your company's total revenues, whichever is greater.
But it's not simply the penalties. Implementing GDPR is not easy, as it covers much more than basic personal data. It covers all Personally Identifiable Information (PII), which is:
Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
What is considered Personal Data?
Sounds simple, right? But under the GDPR, the definition of 'personal data' or PII is expanded to include things such as an individual's shopping habits, handwriting, web site cookies or IP addresses. It seems like overkill, but most commercial web sites collect this information now and it can be used with other personal information to identify somebody.
And contrary to popular belief, GDPR protects personal data regardless of the technology used for processing that data. It doesn’t matter how the data is stored - in an IT system, via video surveillance or on paper - it is all considered personal data if it is PII.
But why should I care if I'm not based in Europe?
There are no exemptions with GDPR. Even if your business is based in the US or you work from home by yourself, you still have to adhere to the legislation if you do any business with Europe or handle any European personal data. This doesn't refer to just having European customers. This includes any non-EU company with a website that collects user traffic data with Google Analytics, whether a European web site visitor is placing an order or just looking up information.
You're probably thinking - what are the chances they are going to catch me? If you're a retailer, you know how long it's taken for the industry to move to EMV PINpads for card transactions (and we're still not there even though the liability shift happened in Oct 2015!). Given that GDPR just came into effect in Europe itself, the chance that European regulators will actually enforce against Canadian or American businesses is slim, right?
It's likely most businesses in North America would have agreed with this if it wasn't for Cambridge Analytica. As a result of what happened with Facebook in March 2018, governments around the world are already considering new privacy regulations using GDPR as the new gold standard.
As governments move towards GDPR-like privacy standards and data breaches continue to happen, the cost of taking a reactive approach will only increase over time. Yes, there will almost definitely be a cost to apply higher privacy standards - whether it be lost sales opportunities or higher administration costs - but not thinking about how privacy impacts your business opens you up to even more expensive future lawsuits, potential damage to your brand image or loss of consumer trust. After all, consider how badly Facebook's reputation has suffered as a result of their inability to foresee and prevent Cambridge Analytica's disturbing use of the personal data Facebook's users entrusted to it.
Our general consensus is that it's possible for small businesses in North America to proactively adopt some of the most important GDPR standards and that there's more to gain from trying to comply with key GDPR requirements than ignoring them. Social credibility is an increasingly valuable currency. And visibly adopting more stringent privacy standards is simply good business in today's social environment.
How does GDPR impact my business?
As a business owner, I'm always concerned whenever new regulations come into effect. Invariably, new regulation will lead to more paperwork, more administration and higher costs. Even if a regulation has good intentions, more often than not, regulators underestimate how much more of a burden it is to small businesses.
Yet as a consumer, I recognize the outrage when a service provider I trust betrays that trust by sharing my data with others without my consent, gets hacked as a result of poor security or, even worse, hides a data breach as Equifax did in 2017. Few people would argue that they aren't concerned about the murky way in which personal data is collected and shared today.
Individuals have rights regarding their personal data under GDPR
This was in fact the reason why the GDPR came about. It was enacted to update EU privacy legislation to better regulate current market practices by providing individuals with specific rights regarding their own personal data.
Under the GDPR, businesses must have a good reason or lawful basis to collect personal data and they must clearly communicate this to individuals before doing so. The GDPR is clear on what exactly those reasons are and any collection of personal data done without a lawful basis is considered unlawful.
It's important for businesses to keep in mind the spirit of the GDPR. Many North American businesses were not aware of the implications of the new regulation until it was too close to the deadline while others have been scared to even consider complying - one of the reasons why some local web sites started blocking European web traffic when GDPR came into effect last month.
Privacy compliance is a continuous process that takes time and definitely did not end on May 25, 2018. Just because you did not meet the GDPR deadline does not mean that you should not consider privacy in your business. After all, small businesses in North America now have a brief window to catch up using the GDPR as a benchmark before Canadian or US regulations change themselves.
It's not all doom and gloom
With all the scaremongering, people have overlooked that the rights under the GDPR are not absolute and there are certain guidelines in place that give businesses some exceptions. For example, out of the list of reasons for businesses to collect personal data, the most relevant for many private sector businesses are:
Explicit Consent (e.g. 'opt-in')
Contract (e.g. a purchase made with financing terms)
Legal Obligation (e.g. sales tax reporting obligations)
Legitimate Interests (e.g. need for market analysis, protection of intellectual property)
Assuming your terms and policies are clear and you do have one of these valid, documented reasons to collect personal data, then certain rights may not apply to those individuals. The table below breaks down the rights available to each reason (X meaning not available):
[Table: UK Information Commissioner's Office, Guide to the General Data Protection Regulation (GDPR), Lawful Basis for Processing]
This is particularly important regarding the most explicit requests (e.g. right to erasure). It is still unknown how exactly regulators will handle overlapping requirements - for example, in the odd situation where an individual has the right of erasure BUT a business also has an obligation to keep proof of their handling of the request AND communicate to the individual that it is complete. How does one communicate to somebody who is erased??! Some GDPR resources say that communicating erasure is not required if it is impossible to do so or requires disproportionate effort, but these uncertainties are exactly why we suggest addressing more obvious rights first and waiting for best practices over time with explicit rights, lest you over-engineer a solution that isn't necessary.
Example of when you don't need additional consent
There are many possible business cases and companies will need to get legal advice on which lawful bases qualify for their business but remember that if your purpose changes you may still be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose. This is an example on the European Commission web site:
"A bank has a contract with a client to provide the client with a bank account and a personal loan. At the end of the first year the bank uses the client’s personal data to check whether they are eligible for a better type of loan and a savings scheme. It informs the client. The bank can process the data of the client again as the new purposes are compatible with the initial purposes....If the same bank wanted to share the client’s data with insurance firms, based on the same contract for a bank account and personal loan, that processing wouldn't be permitted without the explicit consent of the client as the purpose isn’t compatible with the original purpose for which the data was processed."
Examples of what GDPR may change in your business
Based on the rights and reasons involved, you can expect the GDPR to affect most of the following or more in your business processes:
How you record and track any personal data for leads, customers, suppliers and employees.
How you keep, store, transfer and delete personal data.
How you request identification to verify an individual.
How you request, manage and record consent and the withdrawal of consent.
How you design your web site and your marketing tools.
How you record transactional data or customer interaction, especially if it contains sensitive personal details.
The wording of your employee contracts.
The wording of your supplier contracts.
The wording of your Terms of Service Agreements with customers.
How you market to existing, new and potential customers if you use personal data to reach customers and personalize marketing materials.
How you manage who has access to personal data (e.g. who can export or import, etc.).
How you manage your suppliers that have access to your data.
Which suppliers you choose to work with based on their privacy practices.
How you manage your IT security and IT staff.
How you manage requests to withdraw consent, erase or port personal data.
How you manage potential data breaches.
Now, if you're a small business in North America, you don't need to lose any sleep yet. Many non-European companies are waiting to see how EU regulators will interpret GDPR. At the same time, it's likely that EU regulators and complainants that do file extra-territorial lawsuits will initially focus on large recognizable brands to set a strong legal precedent so smaller businesses will remain under the radar until this "low-hanging fruit" is picked.
What should I do as a small business in the new privacy environment?
There's no point stressing out over the fact that you have missed the GDPR deadline. The best thing you can do right now is start on the process so that you protect your reputation with customers and are prepared when the US or Canadian government changes local privacy regulations. After all, regulators and customers everywhere would rather see that you have a plan and that you’re working on improving rather than giving up or saying "it doesn’t apply to me."
Rome wasn't built in a day
For many small businesses, even knowing where the data of their customers and other people is stored is already hard. This is especially true nowadays with so much data being used and so many integrated systems. For most of us in North America, we're just starting to consider how best to handle privacy in our day-to-day operations.
To make it easier, we've listed 8 basic steps for you below to help you get started on your GDPR journey (download our checklists). These 8 steps are not enough for compliance with GDPR, but they are a step in the right direction. Only you can decide the data risks you are willing to take with your business but hopefully this will help you clarify what those risks are.
1) Do a Privacy Audit for Personal Data
Download our checklists to make a detailed spreadsheet or summary of where you keep and collect personal data in your business.
2) Check if you currently handle European Personal Data
If you do already handle sensitive European personal data, we would recommend that you get further legal assistance, as the GDPR does already require that you comply. Another good reference is the 12-step GDPR plan on the UK Information Commissioner's Office web site.
3) What reason(s) do you have for collecting Personal Data?
Determine what lawful basis you have to collect personal data. Consent? Contract? Legal Obligation? Legitimate Interests?