The GDPR requires businesses to protect the personal data and privacy of natural persons (not corporations) who reside in the EU. Any company that handles or processes “personal data,” or monitors the behavior of EU residents, must comply. Potential penalties are substantial: up to 4% of a company’s annual global revenue. Does your small business have to comply with GDPR?
Companies that do business in European Union countries must comply with GDPR rules for protecting “personal data” by May 18, 2018. The General Data Protection Regulation (GDPR) defines “personal data” as information used to directly or indirectly identify the data subject. If your small business complied with the EU’s 1995 data privacy guidance, achieving GDPR compliance should not be a problem. If you have not integrated data privacy protection into your operations, however, you will find it expensive and challenging to achieve GDPR compliance.
Small businesses have flexibility to determine how to comply with the GDPR
As a threshold matter, the regulation is so new that neither the courts nor regulatory agencies have formally interpreted GDPR standards. Small businesses are free to choose how to achieve GDPR compliance. For example, the GDPR requires companies that process personal data to provide a “reasonable” level of protection. Regulated businesses must consider and balance the following factors to determine a reasonable level of protection:
- potential harm that could arise from a data breach,
- cost of protection, and
- value to society, the economy, and the individual that collecting, processing, and archiving the data is likely to provide.
So long as you can demonstrate a good-faith effort to implement reasonable protection, imperfect or incomplete compliance is unlikely to trigger a penalty. A regulated company must therefore document its analysis of the required factors.
The primary place of business will not determine whether or not you must comply with the GDPR
If your company acquires, stores or processes personal information about EU citizens, it must comply with the GDPR. Specific criteria include:
- A business presence in an EU country, or
- Processing and storing personal data of EU residents, or
- Offering goods or services to EU data subjects, or
- Monitoring the behavior of an EU resident and processing personal data related to such monitoring.
GDPR compliance is thus determined by the type of data that is collected, processed, relied on, and stored. Whether your company must comply with the GDPR does not depend on where you’re based, where you operate, or where your servers are located. To learn more, visit The Practical Compliance Lawyer.