Emilie

What Small Businesses should know about GDPR

You may have noticed a ton of privacy policy emails lately. Those policies are the result of the General Data Protection Regulation (GDPR), which went into effect May 25th. It’s a new rule in the European Union that’s rewriting how companies can treat user data, and many small businesses aren’t ready for it.

While it’s totally okay not to understand the GDPR fully, let’s go through its most important principles, and through the ways Webtemple can work towards making your website more compliant with it.

What Small Businesses need to know about GDPR

  1. Know your data – understand what personal data you hold, where it came from, who you share it with, what it was collected for, and whether it’s still relevant and necessary for the purposes you obtained it for.
  2. Ensure you can honour requests – under GDPR, EU citizens can request that you delete, amend, or move their data to a different organisation. You must honour these demands within one month.
  3. Establish a lawful basis for processing data – under GDPR, opt-out boxes aren’t enough anymore. There are 6 different lawful bases, all defined within article 6 of the GDPR official text. Processing shall be lawful only if and to the extent that at least one of the following applies:
    1. Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
    2. Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
    3. Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
    4. Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person.
    5. Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.
    6. Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  4. Prepare for data breaches – ensure your processes enable you to notify the data protection authority of a data breach within 72 hours.
  5. Check if you need a data protection officer – this is not always obligatory. It depends on the type and amount of data you collect, whether processing is your primary business and if you do it on a large scale.

What are the consequences of not complying with GDPR?

The maximum sanction for non-compliance with the GDPR is 20,000,000 Euros or up to 4% of your annual global turnover (based on figures from the preceding financial year), whichever is the greater. Yup, you read that right. That leads us to…

How we can help

To ensure that Webtemple websites can be GDPR compliant and meet the expectations of our clients’ clients, we have the following measures in place:

1. Cookie System

For websites in the EU region, a cookie notice banner automatically appears, allowing users to reject cookies or to limit them to 1 hour. The entire system is optional and can be enabled on a case-by-case basis, as deemed necessary by our clients, depending on where their visitors are coming from.

2. Built-in Privacy System

This system is built into WordPress 4.9.6. It includes a means to authenticate requests for personal data by confirming the user’s email address. It also includes a means to export and delete personal data. We are currently working with all our solution providers on implementing this system. Right now, our e-commerce system, our accounts registration and our commenting system are covered, but we expect coverage to increase in the following months.

For small companies, GDPR may not be the top priority. But no one likes having their data misused or shared without proper consent. Doing everything you can to protect your customers and grow their trust is essential to add value to your business.

Disclaimer: It is up to you to be informed about this law and to ensure full compliance. We can provide you with the toolkit, but we can’t provide you with legal guidance. We’re here to implement the technical side of the requirements, but you may still need help with the legal aspect and should consult a privacy lawyer specializing in these matters if needed.

Do you expect the GDPR to impact your business? Let us know what you think below.
