If you own or work at a small business and your firm is a data processor or data controller of private data belonging to European Union citizens, your company will be subject to the General Data Protection Regulation (GDPR), just like multinational firms. However, not all of the regulations might apply to you. The office of Ireland's Data Protection Commissioner (DPC) published a document designed for Irish “microenterprises” that can serve as guidelines for U.S. companies.
The document, titled Personal Data Security Guidance for Microenterprises under the GDPR, is targeted at companies that have fewer than 10 employees with annual revenue of less than €2 million, or roughly $2.5 million in U.S. dollars. There are four key issues you need to be aware of to comply with GDPR.
The first item is to know what kind of data you have. “Personal data” is defined under Article 4 of the GDPR as any information relating to an identified or identifiable natural person (a “data subject”). Personal data would help someone identify a person based on a name, identification number, location, online identifier such as a screen name, a physical description of the person, or such identifiers as a physiological, genetic, mental, economic, cultural or social identity of the person. For example, if someone were described as “the tall, bald fellow who lives in the green house across from the library in Anytown, North Dakota,” that could be sufficient data to identify a specific person. In fact, GDPR drills down and gets even more specific about personal data in Article 9 of the rule. The full text of the GDPR can be found here.
In Article 5 of GDPR, it addresses how you are processing such data. For example, the DPC asks, are you using it in the following ways?
· According to the principles of lawfulness, fairness, and transparency;
· For specified, explicit and legitimate purposes; with a view to data minimization;
· With a view to ensuring accuracy and, where necessary, that data is kept up to date;
· Such that data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing; and
· In a manner that ensures appropriate security of the personal data.
If you outsource the processing of personal data to a data processor, such as a cloud-based service provider, you need to able to confirm that the processing is compliant with Article 28 of the GDPR; the processor's security procedures are adequate; and you have sought and been given assurances regarding the appropriate security measures from the processor.
The second component is to determine the appropriate level of data security. The rule says you need an “appropriate” level of security for the data. To the EU, one size fits none. The level of security another company has might not be appropriate for you, even if you are in the same business. Here are some items to consider:
· Is your security: state of the art? You don't necessarily need leading-edge technology unless the risks require it.
· What is the cost of implementing and the nature of the scope of your security? What is the context and purposes of processing the private data? Finally, you need to consider “the risk of varying likelihood and severity for the rights and freedoms of natural persons."
The regulation goes into considerable detail about technical, organizational and physical security. Make sure you understand the details laid out in Article 32 of the regulation.
The third component are the data collection and retention policies. Businesses in the U.S. and Europe look at data collection and retention differently. Traditionally in the U.S., companies collected as much data as they could about people with the idea that at some point they would decide how to use it.
One need only look at the legal battles and debates following the realization that UK-based political research firm Cambridge Analytica collected personal data of 50 million Facebook users. As of this writing, it is unclear as to how many of those were EU residents, but simply collecting the data without asking permission and then storing it for later use likely would have been a serious breach of GDPR had the rule been in effect at the time the action took place. Based on Facebook's worldwide revenue of $27 billion, the potential fine potentially could have surpassed $1.1 billion, had GDPR been in effect at the time and EU citizens were caught up in the sweep.
Here's a simple rule of thumb: If you do not need private data for a valid business purpose, delete it. A valid business purpose, for example, is having a person's street address and credit card information so that you can process a purchase for them.
Many U.S. firms keep a lot of unstructured data about individuals in databases and customer relationship management applications, such as customer preferences, information about their families and perhaps personal notes or observations about working with a customer. That kind of data can be problematic under GDPR.
Here are some tips from the Irish DPC:
Define and implement a data collection policy. The policy should detail the categories of personal data collected and the purposes for collection. Also, define and implement a data retention policy. This policy should detail the retention period for personal data collected and measures taken to ensure deletion or if applicable, the techniques to render the data non-identifiable.
These policies should be communicated to all employees and periodic reviews should be conducted to ensure that personal data is handled correctly when it is no longer needed for the purposes for which it was collected.
Finally, the DPC recommends keeping close track of its third-party data processors, such as e-commerce web sites and cloud-based service provides, which offer the proverbial fill-in-the-blank as a service. Small businesses need to “define the responsibilities of the data controller and data processor and ensure that processing is carried out on foot of a written agreement detailing the appropriate technical security and organizational measures to be applied by the data processor specifically in relation to the personal data processing operations.” In addition, they need to “Obtain sufficient guarantees regarding the security measures applied by processors acting on their behalf and periodically review to ensure that the terms of the written agreement are being adhered to.”
This is just scratching the surface of the resources provided by the DPC and other websites of the EU and individual government agencies across the continent. You can find more recommendations from Ireland's DPC office about GDPR here.