On May 25, 2018, the GDPR , the General Data Protection Regulation , came into force and immediately caused major problems. In principle, the GDPR applies to all types of companies – regardless of whether they are a huge company with 2000 employees or a simple small business. The question that arises particularly for small companies is and was that of the feasibility of the provisions. Because, especially at the beginning, nobody knew exactly what small business owners should be aware of. Ignorance can be dangerous, because non-compliance with the provisions of the GDPR can result in huge penalties.
Definition: what does the GDPR say?
The GDPR regulates how you have to deal with customer data and how you have to protect it. At the same time, however, there are also new information requirements, regulations on e-mail advertising and so-called procedural directories.
If you want to know in detail what is in the GDPR, you can read the Official Journal of the European Union here.
When does the GDPR apply?
The GDPR came into effect on May 25, 2018. It applies to the self-employed, doctors, dentists, tax consultants, lawyers and actually every company that has to do with customers. So both small businesses and large companies such as AGs, GmbHs and other legal forms.
What are the consequences of the GDPR for companies?
The consequence of the GDPR is that entrepreneurs have to work more on their data protection. If a company is already ISO certified, then it already has a good basis for the new regulation. But even in this case you have to check whether all regulations of the GDPR are being adhered to. Namely, they are not identical to the ISO certifications.
You can see how important it is to strictly follow the regulations in the consequences: If a company does not comply with the regulations of the GDPR, it runs the risk of receiving high fines.
Because according to the GDPR, the supervisory authorities can or must distribute fines. These fines are imposed in addition to certain conditions. Such conditions can be orders to end the violation, an adaptation of the data processing or the right to a temporary or definitive ban.
The fines to be imposed must in any case be dissuasive and proportionate and are therefore relatively high. In the case of particularly serious violations of the regulations, penalties of up to 20 million euros or up to 4% of the annual turnover are due.
Definition of small business
Micro , small and medium-sized enterprises are defined in EU Recommendation 2003/361. The definition of a small business depends on the number of people employed, turnover and total assets per year.
According to this, a company is a small business if it has no more than 49 employees, a turnover of up to 10 million euros per year and a balance sheet total of up to 10 million euros per year.
What do I have to consider as a small business owner with the GDPR?
If you are a small business owner, then you will probably ask yourself what you have to pay attention to now. For this reason we have put together the most important rules and regulations for you.
It is now the case that it is no longer enough to implement data protection within the company. Because in case of doubt – i.e. if an authority wants to check the implementation of the provisions – you must be able to provide evidence of this.
You can do this best with appropriate documentation. For this it is recommended, if your resources allow it, to appoint an employee as data protection officer.
GDPR obligations for small business owners
The safest way to drive is if you assume that the GDPR prohibits everything with regard to data collection and storage. Unless you can find a rule that specifically allows certain things. What you can use as a guide in any case: The GDPR requires that small businesses limit data collection to a minimum.
It is important that you make sure that this declaration is not incorrect. If someone notices that it is incomplete, they may face high fines.
In addition, you should definitely plan a lot of time and some money to adapt your company to the GDPR. Because creating the necessary basics for the GDPR takes a lot of time and is usually not very cheap.
Usually you start by analyzing your business and company processes in order to be able to say where personal data is being collected.
Often you can’t do this on your own and it is often necessary to get external people to help you adjust your data protection. This has another advantage: This procedure saves you time and you are legally protected if you let a professional do your data protection. On the other hand, of course, you have to pay for that. The investment can, however, be worthwhile – not only when you think of the penalties that threaten if you breach the GDPR.
Procedure for a data protection compliant small business
If you are now wondering how you can make your small business compliant with data protection, we have put together a few useful tips for you. Because as an entrepreneur, it is your first duty that you adhere to the regulations. Not only because otherwise you could face fines. Companies that are lax with their customers’ data are quickly suspected of not working professionally. And that is exactly what can cost you customers – and ultimately cash too.
Where in the company is personal data processed?
First you should ask yourself where in the company personal data is stored and collected. Because all this data will be of great relevance for the implementation of the GDPR regulations. The best thing to do is to make a precise plan in advance of how you can best proceed in a structured manner. Because in this step you should really identify all the places where you collect personal data. If you forget something, it can later fall on your feet.
A good tip is the so-called “privacy by design” procedure. This principle states that only the most necessary data is saved from the start. For example, if you want to reach your customers by email, you shouldn’t also save their phone numbers. This is irrelevant for your purposes and only leads to more work if in doubt.
What is the reason for saving the data?
Basically, you can only collect data that you actually need. So always ask yourself the reason for which you need this data from your customers. If you can’t think of a good reason straight away, you shouldn’t save it. By the way, what you should definitely not forget is your customers’ consent to the storage of their data. If this is missing, you also have a big problem.
How can the data be stored most securely?
You are also responsible for the security of the stored data. So you have to make sure that the data cannot be stolen or leaked to third parties. For example, data transmitted over the Internet must be encrypted. If you also process data from third parties, then you have to conclude data processing contracts with these companies.
How can the data be deleted in a timely manner or irrevocably at the request of the person concerned?
You must also ensure that your customers’ data can be irrevocably deleted upon request. Backups that contain customer data must also no longer be accessible. It is best to come up with an exact storage plan for this purpose. There you record which data you have stored where. By the way, it’s best to do it in analog form. For example, with a conventional file. You can still access the plan if you lose all of your data.
GDPR declaration of consent
Ultimately, the customer concerned still has to consent to the data processing. This is done through a declaration of consent. Such a declaration must be made voluntarily, for a specific case, after sufficient information has been given to the person concerned and unambiguously.
Example of consent:
Your consent to the collection and processing of data by our company …
Necessary data that are collected and processed so that we can provide our services are:
- Phone number
- e-mail address
- Bank details
Your data is stored on our company’s server (company name) and can only be viewed by us.
You will receive a guarantee from us that the IT is carried out on the basis of applicable laws and that this is necessary for the conclusion of a contract. In addition, every further data collection requires a new declaration of consent from the user. Your data will be automatically deleted after (number of days / weeks / months) if your data is no longer required.
You have the right to withdraw your consent at any time without giving a reason. Submitted data can be corrected, deleted or their collection restricted at any time. You can request information from us about the scope of the data collection at any time. You can also request a data transfer if a transfer to a third party is desired.
Consequences of not signing
You have the right not to sign this consent. However, since our service is dependent on the collection and processing of your data, failure to sign would result in the order not being accepted.
You can address inquiries or complaints to the following address:
45678 Example City
Consent by the user
With his signature, the user confirms the collection and processing of his data, that he has consented to our company (company name) and that he has been instructed about his rights:
Of course, free GDPR declarations of consent can also be found on the Internet as a template for the download.
You should take into account that data protection declarations that you download from the Internet are usually very general. To be on the safe side, you should adapt these for your company and website.
Legal notice small business owners GDPR
Finally, you need to create an imprint for your company’s website. The imprint must be accessible to the user from every subpage of your homepage. An imprint is created relatively quickly and if you are unsure, you can use one of the many generators that are available on the internet. Basically, there are a few things you should keep in mind.
In addition, you can write an explanatory text. You can also find this information freely available on the Internet. However, if you want to be absolutely sure that you are not making any mistakes when creating the imprint, you can contact a specialist. There are now many lawyers who specialize in precisely these things. Here it is worthwhile to compare the costs of the service. You may still be able to save some money this way.
Differentiation between sensitive and insensitive data
The GDPR distinguishes between insensitive and sensitive data.
Sensitive data are all those that contain information on specific areas or allow corresponding conclusions to be drawn.
Such areas are for example:
|Sensitive data||Insensitive data|
|Political opinion||Cookie IDs|
|Membership in trade unions||Hashed email addresses|
|Genetic data||Mobile Advertising IDs|
It is not that easy to implement the new provisions of the GDPR. Even if not a lot of data is stored, it is essential to comply with this regulation. There is a risk of high fines for non-compliance.
If you follow a few steps correctly, you will definitely be able to transform your company into compliance with data protection regulations.
If in doubt, you can always ask an expert for help. This then costs money, but in return you save a lot of time and trouble.