26 Nov Does my small online booking service need to worry about the GDPR?
The European Union’s General Data Protection Regulation (GDPR) will be coming into effect on 25th May 2018. It’s a wide-ranging piece of legislation, with maximum fines of up to €20 million or 4% of annual turnover.
The law is primarily aimed at keeping big businesses in check, reigning in their powers to collect data on millions of people without their consent. And, it’s about giving power back to consumers.
The GDPR may also affect your small business too – even if you’re not based in the European Union. This is because the GDPR affects any company that collects personal information of citizens of EU countries. Above all, this means customers, but it also covers current and former employees.
A huge number of businesses still haven’t prepared for the GDPR – so it’s sensible to get educated before it’s too late.
What’s covered by the GDPR?
The GDPR means that if you collect personal data on EU citizens, you need to take some extra steps in terms of how you manage that data. ‘Personal data’ stretches to a lot of things:
- Name, address, date of birth
- Gender, sexual orientation, religion, ethnicity
- Email address
- IP address
- More here
Many small businesses might be collecting more of this data than they realize. Say you run a consulting service over the internet. All the information you receive from your customer that you write down or otherwise record – their bank details, their business activities, their name and address – all count as personal data.
The regulation takes a lighter approach to small businesses, and you’re less likely to be scrutinized. All the same, many businesses will be affected if:
- They regularly process personal data
- Fail to report a data breach where personal data was stolen or exploited within 72 hours to the relevant authorities
- Fail to provide information to customers about what they will do with their data
- Refuse to hand over data they hold on a customer when requested (a ‘subject access request’)
- Refuse to delete data they hold on a customer when asked to (the ‘right to be forgotten’)
How to prepare for the GDPR
Small businesses can take a few simple steps to become GDPR-ready:
- Review how you store client information – keep it in a secure, password-protected environment
- Write up a policy document which you share with clients explaining what you do with their data, telling them how they can access it if they choose to
- A similar document needs to be circulated to your employees
- Delete any data that you don’t really need
For more straightforward tips on growing your online service business, check out our blog.