Teamleader Blog Article

GDPR: what it means for your small business


Every company processes personal data. Whether you’re building a mailing list or issuing membership cards, you are handling data that is subject to the General Data Protection Regulation. But what is the GDPR exactly? Will it change the way you do business? Which measures do you need to take? In this article, we’ll concisely explain what the GDPR means and how it affects small businesses.

What is the GDPR?


Data and privacy legislation hasn’t changed much in the last 20 years. At the moment, companies comply with the Data Protection Directive, a European law on privacy and data protection dating back to 1995. That’s odd, because the world has gone through major digital transformations since then, like the rise of the cloud and social media. In a world where data exchange has increased exponentially, how do you keep personal data secure?

The Data Protection Directive also depends strongly on national law, which results in different interpretations and applications of the directive in European countries.

With the GDPR applying from 25 May 2018, every business established in the EU, and every business outside the EU that processes personal data of people in the EU, will have to comply. The whole point of the GDPR is to protect individuals’ personal data and to make organisations accountable for how they handle it, including how they deal with security breaches. EU companies will have to comply with the same privacy rules across the board. This could make your expansion to other European countries easier, although you should keep in mind that member states are still allowed to apply certain GDPR provisions more strictly.



What does the GDPR mean for small businesses?


First of all, it’s important to understand which personal data your company stores or processes. An SME handles all kinds of personal data: about your staff, your customers and your suppliers, and in your day-to-day communication.

Examples of processing personal data:

  • Asking for personal details when someone places an order on your website
  • Retaining information about your co-workers or suppliers
  • Letting people subscribe to your newsletter on your website

Whether your business is big or small, you need to know how your company stores and processes data today, and handle that data in a safe and legal way. Every business processes data: whether you host, consult, archive or even delete data, your business will have to comply with the GDPR.

When is it okay to collect personal data?

Data may only be processed if it meets one of these six legal grounds:

  • When an individual has been informed and has given his or her consent. This consent must be freely given, specific, informed and unambiguous. If you’re processing special categories of data (sensitive data such as health data), consent must also be explicit.

    Example: When people fill in an online form to request more information about your business, add an unticked checkbox they can use to opt in, for instance “Yes, I’d like to receive promotional offers by email”. A pre-ticked box does not count as consent.
  • If data processing is necessary for the performance of a contract, for example: processing an order or an employment contract. This also covers the steps taken at the person’s request before the contract is concluded, e.g. a job application or a quotation request.
  • If it’s required to comply with a legal obligation.
  • If it’s necessary to protect the vital interests of the data subject or of another person.

    Example: Collecting medical data for emergency surgery.

  • If it’s necessary to perform a task carried out in the public interest or in the exercise of official authority, like tasks carried out by government, tax authorities or the police.

  • If you have a legitimate interest in doing so, and that interest is not overridden by the interests, rights and freedoms of the data subject. This ground is not a blank cheque: you have to weigh your interest against theirs beforehand and be able to show that the data isn’t used for purposes that go beyond that interest.

    Example: If a potential customer initiated a relationship asking about a certain product, you’re allowed to continue the conversation, as the customer would expect this. However, there’s a time limit: a conversation started years ago is hard to class as a legitimate interest. Also, this doesn’t allow you to send them unrelated communications on other products or services you provide.

The GDPR is something that can be used to your advantage, adding value to your business. By showing potential and existing customers that your organisation complies with the rules protecting the rights of people in the EU (your customers among them), you can bring in more business. More importantly, you’ll make sure your business is ready for the future, in accordance with the law.
