GDPR for Small Business Owners – Global Security

Last week we took a look at how to make sure you’re ready for the new GDPR (General Data Protection Regulation) rules that are due to come into force on 25th May, 2018.  As we said, there’s a lot of preparation to do for SME owners in order to comply, as the new regulations require that companies protect all the personal data of their customers and employees at every stage of the processing lifecycle.  With so many businesses dealing with overseas providers and customers, it’s vital that data is protected; bear in mind that GDPR is European legislation and does not apply in the United States of America.

The first step is to ensure that your website has an SSL (Secure Sockets Layer) certificate so that all the data entered into your website by users via form fields (such as when a user registers an account, makes a purchase or signs up for a newsletter) is encrypted in transit.  However, the data may not be stored encrypted, as most CMS systems (such as WordPress, Joomla, Drupal, etc.) do not do this by default, and you may need some customisation carried out on your site to ensure that data is stored encrypted and does not expose any identifiable information in the event of a data breach.

You’ll need to take into consideration any third party data processors that are connected to your systems and ensure that they are GDPR compliant too, as they will be processing data gathered by your organisation on your behalf.  These could be third parties such as Googlemail, Salesforce, Mailchimp, Facebook (if you have a company page), etc.  You will need to ensure that your Privacy Policy clearly states which third party data processors you use and where a subject’s data is passed on to.

The US equivalent of GDPR is Privacy Shield and, under European Union GDPR rules, an international adequacy decision has not been granted to the USA. Privacy Shield does not meet GDPR standards and is due to be rejected for ratification by the European Courts of Justice, so third party processors from the USA which satisfy Privacy Shield requirements may not satisfy GDPR requirements.  This means that, as a business owner, you will need to reconsider using a US-based service right now if you want to remain compliant.

For each third party data processor you use, you’ll need to check their privacy policies to ensure that they are GDPR compliant, and ensure that any US-based third party processors are Privacy Shield compliant.  Make sure you hold a copy of the privacy policies of any third party data processors that you use.  Any that are not GDPR- or Privacy Shield-compliant should be contacted to find out when they expect to become compliant.

The Privacy Policy for your own business should clearly state what data you gather and how you store and use it, list the third party processors that you share the information with, and set out the process users should follow to request sight of their data and to have it completely deleted upon request (the Right to be Forgotten).  Such requests should be completed within 30 days.

As we cover this issue in more detail in the coming weeks, make sure not to miss out on any of the vital information that you need for your business – why not follow us on Facebook or Twitter so that you’re notified of the new articles as they’re published?