Why Home Business Owners Need to Understand GDPR

Image by Pete Linforth from Pixabay

You own an online shop that’s growing, even though it’s still operated from home. It has started receiving orders from all over the world, including from European countries, such as Denmark, Sweden, and Belgium.

You also publish a weekly e-mail newsletter featuring happy customers and other inspiring stories, and it now has more than 35,000 subscribers. Both the online store and the newsletter are growing at 3 to 5% a month.

You expect that within the next few months you will be able to rent a warehouse for excess inventory and perhaps even hire a full-time employee. In other words, the business is growing, and you are optimistic that more customers will arrive from every part of the globe.

That is the good news. The question is: are you prepared to comply with the General Data Protection Regulation (GDPR)?

Many U.S.-based business owners assume that GDPR only applies to large international companies that sell overseas, not to small enterprises. They are wrong. GDPR applies to organizations of any size and any legal form, including sole proprietorships, that offer goods or services to individuals in the EU or monitor their behaviour, regardless of where the business itself is located. (Since Brexit, the UK applies an almost identical set of rules as the UK GDPR, so customers in the UK are covered too.) The regulation went into effect on May 25, 2018.

The following are five GDPR obligations that every business owner must meet.

  1. Customers have the right to see the personal data you hold about them and, in many circumstances, to have it erased.
  2. A personal data breach must be reported to the supervisory authority within 72 hours of your becoming aware of it (unless it is unlikely to result in a risk to the people affected), and the affected customers must be told without undue delay when the breach is likely to put them at high risk.
  3. Information about how you process data and about people's privacy rights must be written in clear, plain language that a layperson can understand.
  4. A data protection officer must be appointed if the business's core activities involve large-scale or systematic processing of personal data.
  5. Data protection must be built into products, services, and processes by design and by default, not bolted on afterwards.

In addition, there are at least 10 critical facts about GDPR that set it apart from earlier data protection law.

1. GDPR applies to any organization that processes the personal data of individuals who are in the EU, whatever their citizenship and wherever the organization itself is established.

2. GDPR defines "personal data" as any information relating to an identified or identifiable natural person. That covers obvious identifiers such as a name, an ID number, location data or an online identifier (an IP address or a cookie ID, for example), as well as factors specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity. Especially sensitive categories, such as health data, genetic and biometric data, and political opinions, receive extra protection.

3. Every use of personal data needs a lawful basis. Consent is one of six bases (the others include performance of a contract, a legal obligation, and the organization's legitimate interests), so it is not always required. Where you do rely on consent, it must be freely given, specific, informed and unambiguous, and withdrawing it must be as easy as giving it. A pre-ticked box or a newsletter sign-up bundled into a purchase does not count.

4. Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive categories of data, must appoint a data protection officer (DPO). Public authorities must appoint one regardless.

5. Data controllers must carry out a data protection impact assessment (DPIA, often still called a privacy impact assessment) before starting any processing that is likely to result in a high risk to individuals, for example systematic profiling or large-scale processing of sensitive data, and must use it to reduce the risks to the data subjects.

6. In the event of a personal data breach, the organization must notify the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.

7. An organization must honor a data subject's request to be forgotten (the right to erasure) without undue delay, including asking any processors it has shared the data with to erase their copies. The right is not absolute: data can be kept where the law requires it, for example to retain invoices for tax purposes, or where it is needed to defend legal claims.

8. Under the earlier 1995 Data Protection Directive, liability for processing rested almost entirely with the data controller. GDPR places direct obligations on data processors as well, so every organization that touches personal data on your behalf (your e-mail marketing platform, your hosting provider, your payment processor) is also liable, and you must have a written data processing agreement in place with each of them.

9. GDPR requires data protection by design and by default. This means that data protection is built into any business activity that involves personal data from the outset: collecting only the data you actually need, limiting who can access it, keeping it no longer than necessary, choosing privacy-friendly default settings, and being able to erase a person's data completely when asked.

10. Each EU member state still has its own data protection authority, but GDPR introduced a "one-stop shop": an organization established in several member states deals primarily with a single lead authority in the country of its main establishment, which simplifies both complaints and supervision. A business with no establishment in the EU does not benefit from this mechanism and may be approached by the authority of any member state where its customers are.

Now, what are the consequences of not adhering to GDPR rules? There are two tiers of administrative fines.

  1. Up to 10 million euros or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of obligations such as keeping records, securing data, notifying breaches, or appointing a DPO.
  2. Up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher, for breaches of the basic principles of processing, the conditions for consent, data subjects' rights, or the rules on international data transfers.

Whatever the size of your business, it is wise to follow the GDPR rules, just to be on the safe side. If you are based outside the EU and have no office there, you may also be required to designate a representative in the EU in writing; check with an EU representative service provider whether this applies to your business. If you are looking for a how-to reference book, here is one: GDPR Fix It Fast: Apply GDPR to Your Company in Ten Simple Steps (Brentham House Publishing, 2017).
