Understanding the Implications of GDPR for Your Small Business


Acquisition, handling, transmission, and storing of customer information has become as valuable as the products and services being sold by companies. Analyzing data helps determine business strategies that can put your company ahead of the competition. But all these efforts must conform and respect consumer privacy. Collecting consumer information, like names, dates of birth, telephone number, or email, must first have the consent of the consumer.

Likewise, once data is collected, a company must guarantee the protection of said data by securing its handling, transmission, and storage. Some companies take consumer data protection to the next level by getting the services of companies that provide archiving compliance solutions.

But the first step to knowing how to handle customer data best is to understand a law passed in the EU called, General Data Protection Regulation or GDPR. If this is the first time to encounter GDPR, the following discussion is for you.


Understanding GDPR

The law came into effect in May 2018 in the European Union. Simply put, it’s a set of regulations meant to protect an EU customer’s privacy and give that same customer the ability to control the collection, use, and storage of data about their person. The law, while passed in the EU, impacts the way companies all around the world conduct their business, as long as they are processing data of EU citizens.

A Belgian expatriate living in Malaysia just signed up for a local gym membership in Kuala Lumpur. That local gym must protect the data of that Belgian national in line with GDPR.


Complying with GDPR

The very first thing that your company needs to know is to fully understand the law and how it applies to your operation. Consent is the keyword. If you’re collecting information from an EU national, regardless of the place of your operation, they must first provide consent. Typically, the collection is done through a form as part of an application process. That form, whether digital or printed, should now be preceded by a “consent clause.”

  1. It starts with policy. With GDPR, companies must now create a data privacy policy on customer information. Every stakeholder within and even outside the company must be fully aware of such a policy, including the roles of “data controllers” and “data processors.” This policy must also incorporate training requirements for all employees. For example, everyone in the company must know about the need to report a serious data security breach within 72 hours to the local authority.
  2. Third-party due diligence. It’s now common practice to outsource specific business processes to third-party service providers, e.g., managing payroll of employees or building your website. This outsourcing process means that your customer data is transferred and handled by an external entity. Conduct due diligence of your third-party suppliers and ensure that they are also GDPR compliant.
  3. DPO. Larger corporations handling massive sets of information, like insurance companies, hotel chains, or telecommunication companies usually hire a Data Protection Officer. DPOs are tasked to monitor the systematic gathering of data. DPOs also lead the internal investigation of possible data breaches.
  4. Hire an expert. Cybersecurity companies and electronic records management experts are better equipped in handling compliance issues related to GDPR. Consider hiring one to assist your company.

Note as well that non-compliance will result in severe fines. Make sure that you don’t take GDPR compliance for granted. Having your customer’s trust is always a good practice for your business.

Scroll to Top