Your Requirements — A Small Business Owner’s Guide to the GDPR

The regulation is to be enacted on May 25, 2018 and designed to protect data of citizens in the European Union. Penalties for breaking the regulation include 4% of worldwide turnover or €20 million — whichever is higher.

What kind of data?
GDPR applies to data that is collected, processed, and/or stored in Europe, regardless of where the data is gathered. It covers two types of data:

• Personal data — Personal data is anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
  
• Sensitive data — Sensitive data is anything that the EU judges to be more private than a name. Some examples are, your ethnic origin, religion, sexual preferences, politics or your criminal history.
  

Who is affected?
This regulation applies to:

• People who collect data in the EU.
  
• Someone whose data is being collected in the EU.
  
• A company outside the EU that is collecting data from an EU citizen.
  
• So, if you run a business in the United States, but have one customer in the EU, GDPR still applies to you.
  

What should business owners be aware of?
The web relies on data in order to function. As a business owner who either does business in the EU, or does business elsewhere but has customers using their website from the EU, here are a few tips to keep in mind:

• If you own an online business IN the EU, assume that at some point the data you collect and store will be transferred outside of the EU and its approved countries.
  
• If you own an online business OUTSIDE of the EU, assume that the data you collect and store will be that of an EU citizen.
  
• Never ask for more data than you require from your users.
  
• Always ask permission before collecting data from your users — users should be able to assume their privacy is being respected. Do this with a Terms and Conditions consent form, or short message written in plain language that is easy for the user to understand. You may have seen these in the form of: “by visiting this site you are agreeing to…”
  
• Explain what you are collecting, how it will be used and who else will have access to it.
  
• Allow users to opt-out and never pre-check consent boxes. So, if you have a Terms and Conditions form and an “I Agree” checkbox, have the user make the decision to check that box. If you use a service to distribute marketing or notification emails, ensure there is an “unsubscribe” link available in each email.
  

Conclusion
Although enacted by the EU, because of the nature of the web and data usage, the GDPR affects those doing business online in the US as well. If you’re interested in learning more, about GDPR, here are a couple additional sources. As an online business owner, your users’ (as well as your own) privacy and security should be a top priority. If you have questions about how your website collects data from users, or have any security concerns at all, reach out to your web designer. If that’s us, give us a call — we’d be happy to help you out!