GDPR Demystified for Small Business Owners
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for collecting and processing personal information from individuals who live in the European Union (EU). The Regulation applies regardless of where websites are based, if they attract European visitors.
Taking effect in 2018, GDPR is the toughest privacy and security law in the world, with steep penalties potentially reaching millions of Euros. In this article, we’ll demystify GDPR for all you small business owners out there, specifically those providing healthcare and well-being services.
But before we start, here’s a cheat sheet of the important legal terms defined by GDPR and cited throughout this article. You can also check out the definitions listed in Article 4 of the GDPR.
GDPR legal terms (cheat sheet)
Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location, ethnicity, gender, biometric data, religious beliefs, web cookies and political opinions can also be personal data.
Data processing — Any action performed on data, whether automated or manual. The examples cited in the Regulation include collecting, recording, organising, structuring, storing, using and erasing.
Data subject — The person whose data is processed. These are your customers or site visitors.
Data controller — The person who decides why and how personal data will be processed. If you’re the owner, or the employee in your organisation who handles data, that’s you.
Data processor — A third party that processes personal data on behalf of a data controller. GDPR has special rules for these individuals and organisations.
How important is GDPR?
GDPR improves the protection of European data subjects’ rights and clarifies how companies that process personal data must safeguard these rights. The need for data protection has never been greater, since practically every organisation today holds customer, website visitor and employee data.
How does GDPR affect my business?
GDPR applies to all businesses and organisations established in the EU, regardless of whether the data processing takes place in the EU or not. If your business offers goods or services to citizens in the EU, then it’s subject to GDPR too.
For private practitioners, GDPR applies to:
- Your website
- Administrative platforms such as Adminly
- Newsletters
- Email marketing/other marketing strategies
Types of data you are likely to process:
- Information about your clients such as name, interests, contact information, photos, payment information
- Client health data
- Website visitor data
Must-know data protection principles
The Regulation also sets out the following seven principles of data protection, which business owners and organisations must put into practice:
Lawfulness, fairness and transparency — Processing must be lawful, fair and transparent to the data subject.
Purpose limitation — You must process data for legitimate purposes, explicitly specified to the data subject when you collected it.
Data minimisation — You should collect and process only as much data as absolutely necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
All organisations and companies that work with personal data should appoint a data protection officer or data controller who is in charge of GDPR compliance. As a private practitioner, you are the designated data controller of your business.
How do I comply with GDPR?
The first step to complying with the Regulation is conducting a GDPR assessment to determine what personal data you control, where it’s located, and how it’s secured.
You must also adhere to the privacy principles outlined above, such as obtaining consent and ensuring data portability. Implementing other technical and operational safeguards to protect personal data, such as two-factor authentication and end-to-end encryption, is also key.
As a provider, you’ll need to:
- Map your business data. In other words, map out where all of the personal data comes from and document what you do with it.
- Determine what data you need to keep.
- Use security measures such as two-factor authentication and end-to-end encryption.
- Review your documentation of client consent.
Under GDPR, individuals have to explicitly consent to the collection and processing of their data, and they must have the right to withdraw that consent at any time. This means you have to be able to prove that your client agreed to share their data and agreed to specific actions, such as receiving newsletters.
Hope this overview of GDPR proved helpful, and not too painful! Fancy reading the entire GDPR, with its 99 articles?
Disclaimer: This blog was not written by a lawyer and should not be considered legal advice. You should seek appropriate legal counsel for your own situation.