The General Data Protection Regulation (GDPR) is a piece of legislation that regulates the usage and security of electronic data. The European Parliament authorized it in 2016 and it went into force for European firms shortly after. It became law in 2018 for all companies that have access to personal data of European Union residents.
How does GDPR compliance affect small businesses?
Don’t think you have no contact with EU individuals’ data just because you’re a small business that doesn’t expressly target European markets. If you have a website, there’s a good possibility that some of the traffic you get comes from European countries.
Basic GDPR terminology
The following are the most critical terms to know when you assess your small business's GDPR compliance requirements and responsibilities:
Personal Data: Any information that can be linked to a specific person is referred to as personal data. In the United States, the term “personally identifiable information (PII)” has the same meaning.
Data processing: Any action taken on or with personal information. This includes gathering, deleting, storing, sharing, and changing information.
Controller: The controller is the company that decides why and how user data is processed. This usually refers to the organization that is collecting the data.
Processor: A company that a controller hires to process personal data.
Data subject rights under the GDPR
The GDPR ensures that EU citizens’ personal data is protected, regardless of where they live. Compliance with the GDPR entails preserving the following eight fundamental rights:
Right of access: Every EU resident has the right to obtain a copy of the personal data that a firm holds on them, as well as any information that can help them understand how and why this data is used, and whether that use is legal.
Right to be informed: Data subjects have the right to demand that a controller reveal how they use personal data.
Right to restrict processing: Individuals have the right to tell organizations how they may or may not use their data.
Right to data portability: Data subjects must be able to receive their personal information in an accessible format or have it transferred to another controller.
Right to object: EU citizens have the right to request that a corporation stop processing their personal data.
Right to rectify: Data subjects have the right to have inaccurate or incomplete personal information updated.
Right to non-automated decision-making: Data subjects have the right to refuse to be subjected to legally binding decisions based entirely on automated processing.
Right to be forgotten: EU citizens have the right to request that their personal data be erased (this right is applicable only under certain circumstances).