The ABC’s of GDPR
What small businesses need to know about EU data security.
The European Union’s General Data Protection Regulation (GDPR) is a set of strong data protection laws. That might not seem like something America’s Main Street business owners need to think about. Yet the global reach of the Internet and social media has brought the regulation’s reach to our front door. Here’s what you need to know to protect your customers’ data and privacy – AND your business from costly fines.
What is GDPR?
The General Data Protection Regulation provides a legal framework for keeping personal data safe by requiring companies to have robust processes in place for handling and storing personal information. It’s not new; it went into effect in 2018, but it’s got teeth. There’s the potential for large fines and reputational damage for those companies who don’t comply – small businesses included.
GDPR was designed to coordinate and condense data privacy laws across all EU member countries and give greater protection and rights to individuals. The regulation was also created to change how businesses and other organizations handle the personal data of those who interact with them.
The Regulation isn’t made up of firm rules. Instead, it’s a framework consisting of seven key principles for handling personal data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
What kind of data does GDPR cover?
GDPR is about personal data. Broadly, it covers any information that allows a living person to be directly or indirectly identified. That can mean something obvious, such as a person’s name, location, or username, or it can be something less direct, such as an IP address, photos or videos, or even the data Google Analytics gathers about who visits your website.
GDPR also gives greater protection to special categories of sensitive personal data, including genetic and biometric data, health information, sexual orientation, information about racial or ethnic origin, political opinions, religious beliefs, and membership in trade organizations.
Does GDPR apply to my US-based business?
Any organization in either the private or public sector that stores or processes personal information about EU residents must comply with the GDPR, even if it does not have a physical presence within the EU.
GDPR requires organizations to make data protection a core part of their operations and processes. It’s aimed at big, data-driven organizations, but it also has important implications for small businesses here, across the pond.
If you’re a small business with a global market, GDPR means you’ve got a choice: Limit whom you do business with or follow a new set of legal duties. Before you jump to a quick decision, consider this:
Complying with the General Data Protection Regulation may not be difficult for your business and may help you use best-practice data handling policies that benefit everyone you do business with.
GDPR requirements stipulate that businesses should collect the least amount of personal data necessary for their purpose – and use it for that purpose only. So, the contact form on your website can ask for someone’s name and email to get in touch, but not their birthdate, height, or work title. Exchanged business cards with someone? You can contact them with the information on that card, but you can’t automatically add them to your mailing list unless you have their permission.
What to do about GDPR
GDPR applies to U.S. companies if they:
- Do business in the EU
- Don’t do business in the EU, but collect or track personal data belonging to people who are physically located in the EU (including people who are traveling in the EU but don’t normally live there).
If you don’t do business in the EU, you have two options:
- Comply with GDPR voluntarily as a data security best practice
- Restrict access to your website so it can’t collect personal data from people located in the EU
As regulations ramp up in the U.S. and beyond, businesses of all kinds will need to add data security to their normal operations. You can determine where you stand in minutes – take a cyber risk assessment at Periculus.com