Podcast: Play in new window | Download (Duration: 22:32 — 21.5MB)
Subscribe: Apple Podcasts | | More
Welcome to Season 1, Episode 011, of Web and BeyondCast, “GDPR for Small Business.”
(If you’re reading this in a podcast directory/app, please visit http://webandbeyondcast.com/011 for clickable links and the full show notes and transcript of this cast.)
According to Verizon’s 2018 Data Breach Investigations Report, “58% of malware attack victims are categorized as small businesses.” And, in the 2017 Cybercrime Report by Cybersecurity Ventures, they note that “cybercrime damages will cost the world $6 trillion annually by 2021.”
It’s with this general risk in mind that the European Union started the process of updating its already-existing Data Protection Directive from 1995, and enacted the General Data Protection Regulation. Or, as some of you might have heard it as its acronym, GDPR. I’ll call it GDPR for the rest of this episode.
I’ve gotten many questions about this topic, so in today’s episode, I’m going to do a deep-dive into:
- What is GDPR? Who Does GDPR Apply to?
- What Are the Key Provisions of GDPR for Small Business?
- What Actions Should You Take To Be and Stay GDPR-Compliant?
Disclaimer: None of this should be taken as legal advice. I’m trying to give an explanation of a highly complex, evolving extraterritorial law, and additional laws, and if you have specific questions about your situation and the laws that impact your business, you should seek licensed legal counsel in your jurisdiction.
If you’d like to discuss this episode, please click here to leave a comment down below (this jumps you to the bottom of the post), or feel free to contact me here about any other questions or comments.
In this Cast | GDPR for Small Business
Ray Sidney-Smith, Host
Show Notes | GDPR for Small Business
Resources we mention, including links to them will be provided here. Please listen to the episode for context.
Key Terminology:
Subject – a living, natural person (so corporate/business entities, governments or anything other than a living human being don’t count under GDPR)
Personal Data – any data that can identify a subject directly or indirectly, so some common forms of Personal Data are a living person’s name, address, phone number, date of birth, and tax identification number. But, it encompasses any data that fits this category. Anonymous data does not apply.
Personal Sensitive Data, or Sensitive Personal Data – a class of Personal Data, that should be subjected to a higher level of protection, includes “data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
Data Controller – a person or entity “which…determines the purposes and means of the processing of personal data”
Data Processor – a person or entity which processes personal data on behalf of a Data Controller
Key Provisions:
Data security versus Data Privacy – chain link fence versus a 10’ solid brick wall.
GDPR applies to customers and employees of your business.
- Right to Consent …for the data you collect about your customers and employees. This includes access to that data.
- Right of Access …to the data about you.
- Right to Portability …exportable and in a useable format.
- Right to “Rectification” …fix inaccurate data or request data not be used any longer.
- Right to Erasure …aka right to be forgotten …erasure of subject’s data upon request.
All of these aforementioned requests from data subjects are to be responded within 30 days and you cannot charge them for it–it must be free-of-charge.
- Right to be Informed …in the event of a data breach, that “is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” (Source)
For more on the rights of data subjects, see:
What Actions Should You Take To Comply and Stay Compliant with GDPR for Small Business?
- Assign a Data Protection Officer (DPO) (someone dedicated to knowing GDPR and focused on GDPR compliance on a day-to-day basis).
- Start listing all systems that house data about your customers and employees, and include what data vendors also hold of your customers and employees. You must be able to share that with identified subjects and legal authorities upon request.
- You’re a data controller (DC) (most likely if you’re the business) and you need to make a list of all data processors (DP); get an agreement with each one to make sure you have technical capabilities and business processes, or if no agreement, at least know how the business processes work in the event someone requests data erasure or access, or an incident occurs. This information is usually in the Privacy Policy or Terms of Use/Service on a data processor’s website.
- Understand how you transfer data between you and third parties (processors, vendors, etc.) (If that data is crossing international borders, make sure to look at Privacy Shield Framework). Formalize this information in a Privacy Policy, Disclaimer and/or Terms of Use/Service on your Web properties where subjects can see it.
- Make a list of all the types of data (literally, a list of all the field names that are personal data (PD)) in your systems.
- Can automated data collected be erased? Edited if inaccurate? Ported/exported (data portability) in a useable format to a subject?
- Are you getting permission for marketing programs? Can you provide authorities documentation of user opt-ins? (No pre-checked opt-ins. Past subscribers who didn’t opt-in must be qualified. Subscribers should be able to unsubscribe easily, too.)
- Audit your data security controls in place. What do you need to be more secure? Then, create a data protection, awareness and education program for employees, vendors, and customers.
- Encrypt your website data (SSL/TLS encryption) and that of any data processors. According to Intersoft Consulting’s guide on GDPR,
Encryption of personal data has additional benefits for controllers and/or order processors. For example, the loss of a state of the art encrypted mobile storage medium which holds personal data is not necessarily considered a data breach, which must be reported to the data protection authorities. In addition, if there is a data breach, the authorities must positively consider the use of encryption in their decision on whether and what amount a fine is imposed as per Art. 83(2)(c) of the GDPR.
- Also note, “92.4% of malware is delivered via email,” according to Verizon’s 2018 DBIR. Make sure you are doing all you can to mitigate malware, phishing and other attacks targeted at your email.
- Create a data breach and crisis response plan. (Know what you are going to do in the 72 hours from the time of the breach, including reporting to authorities within those 72 hours.) Make a clear list of…
(1) what to do in the event of a data breach, and
(2) who to contact and how you will contact them?
- Create a data retention policy for all data…on all devices and paper records in the business. Are you collecting, and sharing with third parties, only what you need? And, for how long? Update your documentation for employees and audit that you are actually deleting personal data and sensitive personal data you don’t need on a regular basis.
Best Tool of the Week | GDPR for Small Business
WP GDPR Compliance plugin (free)
Other WordPress GDPR compliance plugins
Raw Text Transcript | GDPR for Small Business
Raw, unedited and machine-produced text transcript so there may be errors, but you can search for specific points in the episode to jump to, or to reference back to at a later date and time, by keywords or key phrases.
Read More
Voiceover Artists 0:00
Welcome to web and beyond cast where small business comes to learn about marketing and managing on the web and beyond with your host Ray Sidney-Smith.
Ray Sidney-Smith 0:10
Hello there small business owners, entrepreneurs and community Welcome to season one episode 11 of web and beyond cast. According to Verizon’s 2018 data breach investigations report, 58% of malware attack victims are categorized as small businesses. And then the 2017 cyber crime report by cyber security ventures. They note that cyber crime damages will cost the world $6 trillion annually by 2021. So it’s with this general risk in mind that the European Union started the process of updating its already existing Data Protection Directive from 1995 and enacted the general data protection regulation. Or as some of you might have heard it as its acronym, GDPR. I’ll call it GDPR for the rest of this episode, so that you have some perspective, the timeline for this actually started back in 2016, subsequent to the 1995 Data Protection Directive. So in May of 2016, the regulation entered into force, it’s not until May 25, 2018, that has provisions became directly applicable in all member states, Member States being all of the jurisdictions within the European Union. That is, they gave us all two years after the regulation went into force and effect. Finally, as of July 20, 2018,
GDPR became valid in the European Economic Area or the EEA countries which include Iceland, Liechtenstein and Norway. So here we are now today in October, and I get many questions about GDPR. So in today’s episode, I’m going to do a deep dive into what is GDPR? Who does GDPR apply to? Also what are GDPR key provisions for small businesses? And finally, what actions should use take to be and stay GDPR compliant? First, none of this should be taken as legal advice. I’m trying to give an explanation of a highly complex evolving extraterritorial law and additional laws. And if you have specific questions about your situation, and the laws that impact your business, you should seek licensed legal counsel in your jurisdiction. Next, I’d like to start with why should you care? because in essence, this law that is supposed to be for EU citizens? Why should it matter to you? Well, there are actually several reasons that I’d like to go over with you. In essence, data privacy and security are very scary topics to a lot of people. And we want to think about this from the consumer perspective. So you as a consumer, you want data privacy and security. People want it to people around you want it to. And thankfully, when you do show strong data, privacy and security for your customers that builds trust, and with trust, you get a competitive advantage. And so many businesses are ignoring GDPR today, the United States that putting your GDPR compliance upfront can really work to your advantage from even a marketing perspective. Next, it’s just the right thing to do. As I said before, do you want your data private and secure? Of course, you do you want Microsoft and Google and Apple and all the other companies that you come into contact with throughout your day, whether that be financially or otherwise, to keep your data private and secure as you plan it to be? Why shouldn’t you keep others data private and secure than as well. Finally, it makes your own systems more private and secure so that you actually have less risk with your own technology and business data. quoting from a USA Today article. cyber threat is huge for small businesses written by the inimitable Steve Strauss according to ups, capital cyber attacks costs small business between $84,100 and $148,000, 60% of small businesses go out of business within six months of an attack. 90% of small businesses don’t use any data protection at all for company and customer information. Almost two thirds of all cyber attacks are now directed at small business. I sincerely urge you to not just listen to this episode, but to tell all your colleagues and small business friends that they need to pay attention. There’s no doubt in my mind that this will sting many businesses in the coming future. So with that, I’m hoping this episode will help get you started on the road to GDPR compliance. So let’s get into what GDPR actually is, and its key provisions that matter to your business and understanding GDPR it’s really important for us to understand some terminology. So I’m going to go over the five major terms that I’ll be using throughout the episode that will be useful to you and understanding how to become GDPR compliant. First and foremost is the word subject or data subject. A subject is a living natural person. So corporate business entities, governments or any other thing doesn’t count under GDPR. Next up personal data. personal data is any data that can identify a subject directly or indirectly. So some common forms of personal data are living persons name, address, phone number, date of birth, and say Tax Identification Number, but it encompasses any data that fits into this category. Anonymous data does not apply next, personal sensitive data or sensitive personal data, I’ve seen it listed both ways sensitive personal data is a class of personal data that should be subjected to a higher level of protection, which includes, and I’m quoting here from the regulation data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, or data concerning a person’s sex life or sexual orientation and quote, a data controller, a data controller is a person or entity which determines the purposes or means of the processing of personal data. In essence, a data controller is likely you the business or the business owner. And finally, is the data processor. And a data processor is a person or entity which processes personal data on behalf of the data controller. So typically, this is going to be a vendor or a software provider on the internet that provides data processing on your behalf. But it doesn’t have to necessarily be on the internet for it to apply in terms of GDPR. So for example, your accountant might use accounting software, they are considered a data processor, and you were considered the data controller, I think it’s important here to stop and talk a little bit about data secure, and data privacy here, so that you have some understanding about what these terms are, I use an analogy of a chain link fence, a curtain and a 10 foot solid brick wall. Okay, here we go. So data security is the idea of taking a plot of land and putting a chain link fence around that piece of property. So with a chain link fence, you have security, the property is safe from people say, getting in, because there’s the fence around it. If we go over to now, data privacy, we could think about erecting a set of curtains around the piece of property, right, just big, tall curtains, and we could set up curtains that run the entire perimeter of the property. But it doesn’t provide any data security, anyone can walk through the curtains and walk directly onto the property. So it’s giving you data privacy, but not security. And then finally, we have the 10 foot solid brick wall, a 10 foot solid brick wall is going to not only give you security, no one’s going to be able to penetrate the solid brick wall. But now we also get privacy because people can’t actually see in reasonably into the property. This helps you understand the difference between data security and data privacy. And we want both we want the 10 foot solid brick wall GDPR gives these rights to EU citizens as well as UK citizens. So anyone who is a UK or EU citizen that is utilizing your website and or your services, in essence, is covered by GDPR. So it doesn’t matter where they are. It just matters that they are EU or UK citizens. So who does GDPR apply to GDPR applies to your customers and employees. And really anyone who visits your website and collects data who happens to be an EU or UK citizen, it doesn’t apply to them only when they’re in the EU or in the UK. So at any given time, your website or your data systems could be collecting data about EU and UK citizens. And therefore you need to universally apply GDPR and stay compliant so that you don’t get bitten. Unbeknownst to you. I’d also add that going back to my PowerPoints about people want it, I think it’s really important for you to do this for all of your business customers and employees. It shouldn’t matter that they’re EU or UK citizens. And I’ll talk about that at the end GDPR gives certain rights to the subject. And what the GDPR says is that these rights are inherent, they are given to you as a birthright. So data privacy and data security are human rights. And so those human rights are merely being identified within GDPR, similar to the way that in our United States Constitution, our rights are inalienable, but they are outlined there in the Constitution and the Bill of Rights, I’m going to identify six of the major rights that really affect you as a business owner, there are additional rights data subjects, and I put links to those in the show notes. So let’s go through these one by one. First up is the right to consent, that is for the data you collect about your customers and employees. And you should include access to that data, which is right number to the right of access to the data about your subjects. So a subject has a right to access to their data, they not only have it right have access to their data, but number three is a right to portability. That is, they should be able to ask you that is request from you their data to be exported, and they should be able to receive it in a usable format. That is, it can’t just be gobbledygook, you need to be able to give it to them in a format that they can use elsewhere number for a right to rectification. If a data subject comes to you, and recognizes that there is inactive data about them on your systems, they have a right to ask you to fix that inaccurate data or request data not be used any longer. And that brings us to number five, the right to a ratio. It’s also called the right to be forgotten, and a subject can ask for the ratio of their data upon request. All of these aforementioned requests from data subjects are to be responded within 30 days, and you cannot charge them for it, it must be free of charge. And finally, six the right to be informed in the event of a data breach. That is your data systems in some way, shape, or form have compromised their data, that quote is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. And quote, those are the six kind of fundamental rights that have been outlined within GDPR and you should become fairly familiar with them going forward. Now that I’ve covered the key provisions and who GDPR applies to, I do want to cover 10 things that you as a business owner can do today to get started in becoming GDPR compliant and staying GDPR compliant. Because GDPR compliance isn’t just checking off a couple of boxes, and then you’re done. And you can just walk away from it, you really do need to be vigilant. This is requiring all of us business owners to start implementing GDPR in the ways in which we can throughout our business. Again, like I said, this is going to make all of us stronger. Together, I’ve written out this checklist on the podcast show notes, so you can feel free to go over there and copy and paste this for later. So you don’t need to scribble down all these notes as I’m giving them to you. Number one, assign a data protection officer or dp, oh, this is either someone in your business or someone that you hire outside. as a consultant who’s dedicated to knowing GDPR and especially focused on GDPR compliance. on a day to day basis, you need to have a data protection officer so that you can have someone who can be in charge of focusing on all of the various moving parts that there are as it relates to GDPR compliance. Number two, start listing all systems that house data about your customers and employees and include what data vendors also hold on your customers and employees, you must be able to share that with identified subjects and legal authorities upon request. Number three, most likely, if you’re the business owner, you’re the data controller or the DC and you need to make a list of all data processors or DPS, you need to get an agreement with each one of them to make sure you have technical capabilities and business processes in place. And if there’s no agreement, at least know how the business processes work. In the event someone requests data ratio, access or correction or if a data incident occurs like a data breach. This information is usually in the privacy policy or Terms of Use and or service on the data processors website. Number four, understand how you transfer data between you and third parties, that is processes, vendors, etc. If that data crosses international borders, make sure to look at the Privacy Shield framework and I put a link to this in the show notes, you’ll need to make sure that you get self certified through the Privacy Shield framework, formalize this information in a privacy policy disclaimer, and or Terms of Use and or service on your website properties where subjects can see it. Number five, make a list of all the types of data literally a list of all the field names that are personal data in your systems. Number six, can automated data collected be erased? Can it be edited? If it’s an accurate, can it be ported and or exported in a usable format to a data subject? Number seven? Are you getting permission for marketing programs? Can you provide authorities documentation of user opt ins that is no pre checked option boxes are allowed. You need to have them affirmatively check those boxes so that you can have a record that a person has desired to be on your marketing lists. Past subscribers who didn’t opt in must be qualified subscribers should be able to unsubscribe easily as well. So you need to go back to all of your email and figure that all out. Number eight, audit your data security controls that you have in place for the business, what do you need to be more secure than create a data protection awareness and education program for employees, vendors and customers. I know this can sound daunting, but it’s as easy as just taking basic data protection, awareness and education to the people who are coming into contact with personal data. If you need have someone on the outside, who’s more familiar with data protection, data security, data privacy and have them come in and talk to your employees, vendors and customers. It’s going to make you all more secure. One really easy thing you can do is encrypt your website data that is using an SSL certificate on your website. Using TMS encryption. You can talk to your website host website, domain registrar or otherwise to start the process and that have any data processors for example, if you are connected to a service on your website, you want to make sure that they’re also SSL encrypted. According to interest soft consulting guide on GDPR, which is linked in the show notes. Quote, encryption of personal data has additional benefits for controllers and or order processors. For example, the loss of a state of the art encrypted mobile storage medium, which holds personal data is not necessarily considered data breach, which must be reported to the data protection authorities. In addition, if there is a data breach the authority specific positively consider the use of encryption and the decision on whether and what amount of fine is imposed as per article at three to see of the GDPR. I’d also like to make a point here that the GDPR has an upper fine of 20 million euros. OK, so the maximum fine is basically enough to put you out of business. So this is not to be played with also note 92.4% of malware is delivered via email according to horizons
that that data breach inspection report that I mentioned at the top of the show, make sure you are doing all you can to mitigate malware, fishing and other attacks that are targeted at your and your employees. Email. Number nine, create a data breach and Crisis Response Plan. Know what you’re going to do in the 72 hours from the time of the breach, including reporting to authorities within those 72 hours, make a clear list of one what to do in the event of a data breach and to who to contact and how you will contact them. These need to be clear plane instructions, you know, printed on paper so that you are readily and capable of following those instructions. Because emotions are high, it’s usually chaotic, and you want to be able to have an appropriate response plan in place number 10. And finally, create a data retention policy for all data that is on all devices, including paper records in the business paper does count in GDPR, are you collecting and sharing with third parties only what you need and for how long are you collecting them, update your documentation for employees and audit that you are actually deleting personal data and sensitive personal data you don’t need on a regular basis, the frequency is up to you, you need to determine your own risk. And again, you should talk to your licensed legal counsel for the most appropriate advice for your business. But this doesn’t end here. GDPR is the start. California recently enacted Bill 8375, the California consumer Privacy Act of 2018, and Colorado’s governor signed into law on May 29, the protections for consumer data privacy act, and it went into effect on September 1, 2018.
So Californians and Coloradans now have different laws that are impacting the way in which you should be processing their personal data, more laws will come and Congress or the Supreme Court of the United States will need to act so that businesses across the state and around the world don’t have to abide by hundreds of different jurisdictions laws. And that brings us to the best tool of the week for this week I wanted to give you have a tool that will hopefully make GDPR compliance a wee bit easier and if you are running a WordPress website, which most small businesses do and if you don’t, I apologize contact me and maybe I have some tools in my my bookmarks that can help you out if you are not on WordPress, but the tool I’m going to be talking about this week is called WP GDPR compliance plugin. And what this is, is a free plugin that’s available in the WordPress directory just in your WordPress dashboard, click on plugins add new type in WP space GDPR space compliance. And again, there’s a link to this in the show notes. And what it does is it gives you a whole host of tools that assist you as a website or an e commerce website owner to comply with the data protection regulation. Okay, so you can go through and follow it. And it brings you almost into compliance across the board for your website. So it can make becoming GDPR at least easier across a whole series of measures. Check it out. There are other WordPress GDPR compliance logins and I put a link to that in the show notes so you can check that out. I hope that makes making at least your website a little bit more GDPR friendly and hopefully compliant in the future and that’ll help the whole process move forward. This won’t be the last time we’re talking about data privacy and protection here on weapon beyond cast but you have your work ahead of you right now. From the list of items I detailed again that lists available there at weapon beyond cast.com forward slash 011011 is the episode number so weapon beyond cast.com forward slash 011 there Feel free to leave comments or questions there on the podcast episode page you can click on the Contact button on the podcast website there you can ask a direct question with us suggest a topic you’d like web and beyond cast to cover in a future episode as well if you feel so inclined please leave a rating a review on Apple podcast and or iTunes or Stitcher this helps us know how we’re doing and it encourages apple and other podcast directories to display weapon beyond cast to more listeners so it increases our listening community so thank you and thanks for listening to web and beyond cast where small business comes to learn about marketing and managing all the web and beyond I’m your host Ray Sidney-Smith until next time, here’s to your small business success on the web and beyond.
Like this:
Like Loading...
Related
As an update, a GDPR-style privacy law may be coming to the States in 2019, per https://www.engadget.com/2018/11/28/us-privacy-law-gdpr/