Welcome to Season 1, Episode 011, of Web and BeyondCast, “GDPR for Small Business.”
(If you’re reading this in a podcast directory/app, please visit http://webandbeyondcast.com/011 for clickable links and the full show notes and transcript of this cast.)
According to Verizon’s 2018 Data Breach Investigations Report, “58% of malware attack victims are categorized as small businesses.” And, in the 2017 Cybercrime Report by Cybersecurity Ventures, they note that “cybercrime damages will cost the world $6 trillion annually by 2021.”
It’s with this general risk in mind that the European Union started the process of updating its already-existing Data Protection Directive from 1995, and enacted the General Data Protection Regulation. Or, as some of you might have heard it as its acronym, GDPR. I’ll call it GDPR for the rest of this episode.
I’ve gotten many questions about this topic, so in today’s episode, I’m going to do a deep-dive into:
- What is GDPR? Who Does GDPR Apply to?
- What Are the Key Provisions of GDPR for Small Business?
- What Actions Should You Take To Be and Stay GDPR-Compliant?
Disclaimer: None of this should be taken as legal advice. I’m trying to give an explanation of a highly complex, evolving extraterritorial law, and additional laws, and if you have specific questions about your situation and the laws that impact your business, you should seek licensed legal counsel in your jurisdiction.
If you’d like to discuss this episode, please click here to leave a comment down below (this jumps you to the bottom of the post), or feel free to contact me here about any other questions or comments.
In this Cast | GDPR for Small Business
Ray Sidney-Smith, Host
Show Notes | GDPR for Small Business
Resources we mention, including links to them will be provided here. Please listen to the episode for context.
Subject – a living, natural person (so corporate/business entities, governments or anything other than a living human being don’t count under GDPR)
Personal Data – any data that can identify a subject directly or indirectly, so some common forms of Personal Data are a living person’s name, address, phone number, date of birth, and tax identification number. But, it encompasses any data that fits this category. Anonymous data does not apply.
Personal Sensitive Data, or Sensitive Personal Data – a class of Personal Data, that should be subjected to a higher level of protection, includes “data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
Data Controller – a person or entity “which…determines the purposes and means of the processing of personal data”
Data Processor – a person or entity which processes personal data on behalf of a Data Controller
Data security versus Data Privacy – chain link fence versus a 10’ solid brick wall.
GDPR applies to customers and employees of your business.
- Right to Consent …for the data you collect about your customers and employees. This includes access to that data.
- Right of Access …to the data about you.
- Right to Portability …exportable and in a useable format.
- Right to “Rectification” …fix inaccurate data or request data not be used any longer.
- Right to Erasure …aka right to be forgotten …erasure of subject’s data upon request.
All of these aforementioned requests from data subjects are to be responded within 30 days and you cannot charge them for it–it must be free-of-charge.
- Right to be Informed …in the event of a data breach, that “is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” (Source)
For more on the rights of data subjects, see:
- Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation
- Rights of data subjects – GDPR
What Actions Should You Take To Comply and Stay Compliant with GDPR for Small Business?
- Assign a Data Protection Officer (DPO) (someone dedicated to knowing GDPR and focused on GDPR compliance on a day-to-day basis).
- Start listing all systems that house data about your customers and employees, and include what data vendors also hold of your customers and employees. You must be able to share that with identified subjects and legal authorities upon request.
- Make a list of all the types of data (literally, a list of all the field names that are personal data (PD)) in your systems.
- Can automated data collected be erased? Edited if inaccurate? Ported/exported (data portability) in a useable format to a subject?
- Are you getting permission for marketing programs? Can you provide authorities documentation of user opt-ins? (No pre-checked opt-ins. Past subscribers who didn’t opt-in must be qualified. Subscribers should be able to unsubscribe easily, too.)
- Audit your data security controls in place. What do you need to be more secure? Then, create a data protection, awareness and education program for employees, vendors, and customers.
- Encrypt your website data (SSL/TLS encryption) and that of any data processors. According to Intersoft Consulting’s guide on GDPR,
Encryption of personal data has additional benefits for controllers and/or order processors. For example, the loss of a state of the art encrypted mobile storage medium which holds personal data is not necessarily considered a data breach, which must be reported to the data protection authorities. In addition, if there is a data breach, the authorities must positively consider the use of encryption in their decision on whether and what amount a fine is imposed as per Art. 83(2)(c) of the GDPR.
- Also note, “92.4% of malware is delivered via email,” according to Verizon’s 2018 DBIR. Make sure you are doing all you can to mitigate malware, phishing and other attacks targeted at your email.
- Encrypt your website data (SSL/TLS encryption) and that of any data processors. According to Intersoft Consulting’s guide on GDPR,
- Create a data breach and crisis response plan. (Know what you are going to do in the 72 hours from the time of the breach, including reporting to authorities within those 72 hours.) Make a clear list of…
(1) what to do in the event of a data breach, and
(2) who to contact and how you will contact them?
- Create a data retention policy for all data…on all devices and paper records in the business. Are you collecting, and sharing with third parties, only what you need? And, for how long? Update your documentation for employees and audit that you are actually deleting personal data and sensitive personal data you don’t need on a regular basis.
Best Tool of the Week | GDPR for Small Business
WP GDPR Compliance plugin (free)
Raw Text Transcript | GDPR for Small Business
Raw, unedited and machine-produced text transcript so there may be errors, but you can search for specific points in the episode to jump to, or to reference back to at a later date and time, by keywords or key phrases.Read More
Voiceover Artists 0:00
Welcome to web and beyond cast where small business comes to learn about marketing and managing on the web and beyond with your host Ray Sidney-Smith.
Ray Sidney-Smith 0:10
Hello there small business owners, entrepreneurs and community Welcome to season one episode 11 of web and beyond cast. According to Verizon’s 2018 data breach investigations report, 58% of malware attack victims are categorized as small businesses. And then the 2017 cyber crime report by cyber security ventures. They note that cyber crime damages will cost the world $6 trillion annually by 2021. So it’s with this general risk in mind that the European Union started the process of updating its already existing Data Protection Directive from 1995 and enacted the general data protection regulation. Or as some of you might have heard it as its acronym, GDPR. I’ll call it GDPR for the rest of this episode, so that you have some perspective, the timeline for this actually started back in 2016, subsequent to the 1995 Data Protection Directive. So in May of 2016, the regulation entered into force, it’s not until May 25, 2018, that has provisions became directly applicable in all member states, Member States being all of the jurisdictions within the European Union. That is, they gave us all two years after the regulation went into force and effect. Finally, as of July 20, 2018,
that that data breach inspection report that I mentioned at the top of the show, make sure you are doing all you can to mitigate malware, fishing and other attacks that are targeted at your and your employees. Email. Number nine, create a data breach and Crisis Response Plan. Know what you’re going to do in the 72 hours from the time of the breach, including reporting to authorities within those 72 hours, make a clear list of one what to do in the event of a data breach and to who to contact and how you will contact them. These need to be clear plane instructions, you know, printed on paper so that you are readily and capable of following those instructions. Because emotions are high, it’s usually chaotic, and you want to be able to have an appropriate response plan in place number 10. And finally, create a data retention policy for all data that is on all devices, including paper records in the business paper does count in GDPR, are you collecting and sharing with third parties only what you need and for how long are you collecting them, update your documentation for employees and audit that you are actually deleting personal data and sensitive personal data you don’t need on a regular basis, the frequency is up to you, you need to determine your own risk. And again, you should talk to your licensed legal counsel for the most appropriate advice for your business. But this doesn’t end here. GDPR is the start. California recently enacted Bill 8375, the California consumer Privacy Act of 2018, and Colorado’s governor signed into law on May 29, the protections for consumer data privacy act, and it went into effect on September 1, 2018.
So Californians and Coloradans now have different laws that are impacting the way in which you should be processing their personal data, more laws will come and Congress or the Supreme Court of the United States will need to act so that businesses across the state and around the world don’t have to abide by hundreds of different jurisdictions laws. And that brings us to the best tool of the week for this week I wanted to give you have a tool that will hopefully make GDPR compliance a wee bit easier and if you are running a WordPress website, which most small businesses do and if you don’t, I apologize contact me and maybe I have some tools in my my bookmarks that can help you out if you are not on WordPress, but the tool I’m going to be talking about this week is called WP GDPR compliance plugin. And what this is, is a free plugin that’s available in the WordPress directory just in your WordPress dashboard, click on plugins add new type in WP space GDPR space compliance. And again, there’s a link to this in the show notes. And what it does is it gives you a whole host of tools that assist you as a website or an e commerce website owner to comply with the data protection regulation. Okay, so you can go through and follow it. And it brings you almost into compliance across the board for your website. So it can make becoming GDPR at least easier across a whole series of measures. Check it out. There are other WordPress GDPR compliance logins and I put a link to that in the show notes so you can check that out. I hope that makes making at least your website a little bit more GDPR friendly and hopefully compliant in the future and that’ll help the whole process move forward. This won’t be the last time we’re talking about data privacy and protection here on weapon beyond cast but you have your work ahead of you right now. From the list of items I detailed again that lists available there at weapon beyond cast.com forward slash 011011 is the episode number so weapon beyond cast.com forward slash 011 there Feel free to leave comments or questions there on the podcast episode page you can click on the Contact button on the podcast website there you can ask a direct question with us suggest a topic you’d like web and beyond cast to cover in a future episode as well if you feel so inclined please leave a rating a review on Apple podcast and or iTunes or Stitcher this helps us know how we’re doing and it encourages apple and other podcast directories to display weapon beyond cast to more listeners so it increases our listening community so thank you and thanks for listening to web and beyond cast where small business comes to learn about marketing and managing all the web and beyond I’m your host Ray Sidney-Smith until next time, here’s to your small business success on the web and beyond.
Latest posts by Ray Sidney-Smith (see all)
- Cyber-Resilience for Small Business: An Overview of the NIST Cybersecurity Framework - October 13, 2020
- Is a Franchise Right for You? What Can You Learn From Franchising? With Faizun Kamal - September 3, 2020
- Google Is Integrating Social Features in Google My Business, and Other Google Small Business News - August 13, 2020