Welcome to Season 1, Episode 011, of Web and BeyondCast, “GDPR for Small Business.”

(If you’re reading this in a podcast directory/app, please visit http://webandbeyondcast.com/011 for clickable links and the full show notes and transcript of this cast.)

According to Verizon’s 2018 Data Breach Investigations Report, “58% of malware attack victims are categorized as small businesses.” And, in the 2017 Cybercrime Report by Cybersecurity Ventures, they note that “cybercrime damages will cost the world $6 trillion annually by 2021.”


It’s with this general risk in mind that the European Union started the process of updating its already-existing Data Protection Directive from 1995 and enacted the General Data Protection Regulation. Or, as some of you might have heard it called by its acronym, GDPR. I’ll call it GDPR for the rest of this episode.

I’ve gotten many questions about this topic, so in today’s episode, I’m going to do a deep-dive into:

  • What is GDPR? Who Does GDPR Apply to?
  • What Are the Key Provisions of GDPR for Small Business?
  • What Actions Should You Take To Be and Stay GDPR-Compliant?

Disclaimer: None of this should be taken as legal advice. I’m trying to give an explanation of a highly complex, evolving extraterritorial law, and additional laws, and if you have specific questions about your situation and the laws that impact your business, you should seek licensed legal counsel in your jurisdiction.


In this Cast | GDPR for Small Business

Ray Sidney-Smith, Host

Show Notes | GDPR for Small Business

Resources we mention, including links to them, are provided here. Please listen to the episode for context.

Key Terminology:

Subject – a living, natural person (so corporate/business entities, governments or anything other than a living human being don’t count under GDPR)

Personal Data – any data that can identify a subject directly or indirectly. Some common forms of Personal Data are a living person’s name, address, phone number, date of birth, and tax identification number, but it encompasses any data that fits this category. Anonymous data is not covered.

Personal Sensitive Data, or Sensitive Personal Data – a class of Personal Data that should be subjected to a higher level of protection; it includes “data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.”

Data Controller – a person or entity “which…determines the purposes and means of the processing of personal data”

Data Processor – a person or entity which processes personal data on behalf of a Data Controller

Key Provisions:

Data security versus Data Privacy – chain link fence versus a 10’ solid brick wall.

GDPR applies to customers and employees of your business.

  1. Right to Consent …for the data you collect about your customers and employees. This includes access to that data.
  2. Right of Access …to the data about you.
  3. Right to Portability …exportable and in a useable format.
  4. Right to “Rectification” …fix inaccurate data or request data not be used any longer.
  5. Right to Erasure …aka right to be forgotten …erasure of subject’s data upon request.

All of the above requests from data subjects must be responded to within 30 days, and you cannot charge for them; they must be free of charge.

  6. Right to be Informed …in the event of a data breach that “is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” (Source)

For more on the rights of data subjects, see:

What Actions Should You Take To Comply and Stay Compliant with GDPR for Small Business?

  1. Assign a Data Protection Officer (DPO) (someone dedicated to knowing GDPR and focused on GDPR compliance on a day-to-day basis).
  2. Start listing all systems that house data about your customers and employees, and include what data vendors also hold of your customers and employees. You must be able to share that with identified subjects and legal authorities upon request.
  3. You’re most likely a data controller (DC) if you’re the business, so you need to make a list of all your data processors (DP). Get an agreement with each one to make sure the technical capabilities and business processes are in place, or, if there is no agreement, at least know how their business processes work in the event someone requests data erasure or access, or an incident occurs. This information is usually in the Privacy Policy or Terms of Use/Service on a data processor’s website.
  4. Understand how you transfer data between you and third parties (processors, vendors, etc.) (If that data is crossing international borders, make sure to look at Privacy Shield Framework). Formalize this information in a Privacy Policy, Disclaimer and/or Terms of Use/Service on your Web properties where subjects can see it.
  5. Make a list of all the types of data (literally, a list of all the field names that are personal data (PD)) in your systems.
  6. Can automatically collected data be erased? Edited if inaccurate? Ported/exported (data portability) in a useable format to a subject?
  7. Are you getting permission for marketing programs? Can you provide authorities documentation of user opt-ins? (No pre-checked opt-ins. Past subscribers who didn’t opt-in must be qualified. Subscribers should be able to unsubscribe easily, too.)
  8. Audit your data security controls in place. What do you need to be more secure? Then, create a data protection, awareness and education program for employees, vendors, and customers.
    • Encrypt your website data (SSL/TLS encryption) and that of any data processors. According to Intersoft Consulting’s guide on GDPR:
      “Encryption of personal data has additional benefits for controllers and/or order processors. For example, the loss of a state of the art encrypted mobile storage medium which holds personal data is not necessarily considered a data breach, which must be reported to the data protection authorities. In addition, if there is a data breach, the authorities must positively consider the use of encryption in their decision on whether and what amount a fine is imposed as per Art. 83(2)(c) of the GDPR.”
    • Also note, “92.4% of malware is delivered via email,” according to Verizon’s 2018 DBIR. Make sure you are doing all you can to mitigate malware, phishing and other attacks targeted at your email.
  9. Create a data breach and crisis response plan. (Know what you are going to do in the 72 hours from the time of the breach, including reporting to authorities within those 72 hours.) Make a clear list of:
        (1) what to do in the event of a data breach, and
        (2) who to contact and how you will contact them.
  10. Create a data retention policy for all data…on all devices and paper records in the business. Are you collecting, and sharing with third parties, only what you need? And for how long? Update your documentation for employees, and audit on a regular basis that you are actually deleting the personal data and sensitive personal data you don’t need.

Best Tool of the Week | GDPR for Small Business

WP GDPR Compliance plugin (free)

Other WordPress GDPR compliance plugins

Raw Text Transcript | GDPR for Small Business

This is a raw, unedited, machine-produced text transcript, so there may be errors, but you can search it by keywords or key phrases for specific points in the episode to jump to, or to reference back to at a later date.
