The GDPR: How it Impacts Small Businesses in Florida and How to Comply
Chances are that you’ve heard of the European Union’s (EU) General Data Protection Regulation (GDPR), even if you’re stateside. But many business owners in Florida don’t realize that this massive change in regulation will impact them as well. The GDPR places new protections and restrictions on how companies can harvest the private personal data of EU citizens. Failure to comply comes with harsh penalties – even for companies that aren’t based in Europe themselves. Here’s what you need to know about the GDPR to keep from getting into trouble with our friends across the Atlantic.
What is Covered Under the GDPR?
The personal data covered by the GDPR includes anything that could identify a specific individual, including but not limited to credit card information, phone numbers, and addresses (street, email, and even your IP). This coverage isn’t just for data stored digitally – it even extends to physical documents that contain personal information, such as payment records or a client list.
Obtaining Customer Information
The GDPR requires that customers provide “affirmative consent” for the processing or use of their personal data. This means that businesses can no longer rely on “Consent to Use of Data” clauses buried beneath a mountain of legal jargon or on pre-checked boxes at the end of an overwritten Terms of Service Agreement. The customer must be informed in no uncertain terms what their data will be used for. Additionally, information collected for one purpose cannot be used for any other reason without further consent from the customer.
How to Handle Customer Information
Another new provision within the GDPR is that companies must take active measures towards safeguarding against potential personal data breaches of stored or processed data. Additionally, European customers now have what is known as a “Right to Be Forgotten.” In layman’s terms, this right entitles a customer to request the deletion of personal data that they no longer want a given company to have access to. This right does not apply to all of a customer’s data, however. Information that is irrelevant to your business must be deleted, but relevant information can still be held on to.
Potential Penalties
The GDPR’s scope means that even American business owners are subject to penalties when violating its rules. This applies to everyone from massive international corporations based out of New York all the way to solo entrepreneurs selling their crafts and wares online. These penalties are nothing to balk at: a company can be fined up to four percent of its annual global revenue or twenty million euros (about $23,349,980 American at the time of writing), whichever amount is higher.
Third Parties
Many small business owners contract with third parties to store and process personal data on their behalf. In what will be a welcome relief to procrastinators all over, some of the larger third-party services (such as Google and Mailchimp) have been working on GDPR compliance for some time now and may already have done most of the heavy lifting. You’ll want to double-check on that, however. Your company could still be held liable if your third-party partners aren’t themselves GDPR compliant.
A Few Tips for Compliance
- Be patient. It will take time to bring your business in line with the GDPR, but the effort is worth it. It can help to appoint someone as head of your GDPR compliance efforts or to hire an outside consultant.
- One of your first actions should be to review the data that your business has already collected. Information about EU citizens could be hiding anywhere, especially for those heavily involved in e-commerce. Check and double-check your mailing lists, financial and employee records, purchase orders, and Customer Relationship Management (CRM) system. Understanding the data you have is the foundation for developing GDPR-compliant policies.
- You will want to make sure that you are only collecting personal data that your business can use. Update any procedures, such as online account creation or e-commerce checkout, so that they no longer request irrelevant (and potentially fine-worthy) information. Inform your customers of the ways that their data may be used in explicit detail. In anticipation of the GDPR, some mailing and e-commerce systems have set up tools to simplify this task for you.
Looking to start a business or grow your current business? Contact FL Patel Law today by visiting our website or calling (727) 279-5037.