The European GDPR affects your Small Business in the Vendée
The LAST thing we want to do is to bore you with technology, but since the In the Vendée website exists to marry tourism in this beautiful area with your small business, whether that is a B&B, gîte, campground, restaurant, bar or any other hospitality or other business you may be the proud owner of, the General Data Protection Regulation DOES affect you.
The law has been in effect for nearly five months now. Many websites are still not in compliance.
The General Data Protection Regulation (GDPR), known as Regulation (EU) 2016/679, is “a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union.” The regulation has existed since April 2016, with enforcement starting on 25th May 2018. Its tentacles reach far into your business presence online, including changes in the way entities like Facebook and Google will want to do business with you.
THE GOAL OF THE GDPR
The main goal of the GDPR is to protect the rights of the Data Subject. The responsibility for protecting the Data Subject’s rights is placed with both the Data Controller and the Data Processor. By following the GDPR rules and putting the appropriate measures in place, the Data Controller and the Data Processor are in compliance. The regulation protecting the data rights of EU residents is far reaching. The rules apply to everybody, even small businesses with fewer than 250 employees, and even companies outside the EU that act as Data Controller or Data Processor for EU Data Subjects.
You are responsible for Data. This responsibility is not optional. The amount of responsibility you have, and the role you fulfill, is clearly defined by this regulation.
If your business practice is older than these new regulations, it’s time for a revision, because the repercussions for non-compliance are fines (up to 20 Mil. Euros or 4% of your income, whichever is higher) as well as compensation claims in the event of a data breach. A breach is to be reported within 24hrs, and no later than 72hrs.
WHICH MEASURES CAN YOU PUT IN PLACE TO ENSURE COMPLIANCE?
- Install “fair processing notices” on your website notifying individuals of the GDPR and their personal data rights in clear, concise text. Inform the website user, or Data Subject, about how their data is collected, what it is being used for, how long it will be retained, and how and where the data is stored.
- Use double opt-in for newsletters (by using a service like Mailchimp, with easy opt-out and that extra confirmation email after sign-up, incl. a reference to the GDPR).
- Get organised. Know how and where your data is stored, and how it is processed (e.g. newsletter via Mailchimp). You might even prepare a document on your PC that addresses this issue, so that you are ready to respond… because…
- …the GDPR ensures a right of access to the data you hold on customers (or employees). Be prepared to reply to access requests within one month.
- The Data Subject has a right to be erased.
- Keep the personal data you collect to a minimum. Consider having comments/discussion on social media pages only, rather than on your website.
- Once more: understand your role within the scope of the GDPR regulation, and your responsibilities.
- Employee awareness and training: ensure that your employees know about the GDPR as well.
- Think you don't store any personal data? Think again: if you operate a website you are almost certainly storing the IP addresses of visitors, which are considered personal data. Even if you only store data like email addresses in a spreadsheet, this regulation applies to you!
- SSL on your website is also in line with the GDPR, which calls for security from the outset and throughout.
The General Data Protection Regulation has been created to protect the rights of the Data Subject. We are ALL a Data Subject in one way or another. The vendors you do business with must adhere to the same regulation. We are all responsible. Which means that no matter how small or large your business, due diligence is in order.
The first order of business is to understand the different roles defined in the law: those of Data Subject, Data Controller and Data Processor.
For the complete article, in which the regulation and our roles within it are well explained, and to download your eBook with a comprehensive summary and a complete to-do list, please click here.