GDPR and Small Business

What is the GDPR?

The General Data Protection Regulation (GDPR) is new legislation enacted by the European Union intended to better protect the privacy and security of individuals located in the EU. It is the most comprehensive privacy initiative since the 1995 European Union Data Protection Directive. The GDPR completely replaces the EU Data Protection Directive. GDPR gives users more control over personal data collected and how it is used. The regulation is broad, far-reaching and affects anyone who handles personal data for individuals located in the EU. Enforcement begins May 25, 2018, and covers both new personal data, as well as legacy personal data collected prior to that date.

What are Some of the Key Changes to Data Privacy Under GDPR?

• Broader Territorial Applicability – the GDPR applies to any company processing the personal data of persons in the EU, regardless of whether or not the company is located in the EU (the test being whether products or services are being offered to them, for example through a website, or their activity is being monitored in the EU).
• Consent – if you are relying on consent for the processing of personal data (consent being one ‘lawful basis for processing’) this must be intelligible, specific, and unambiguous, and, where sensitive personal data is to be processed (i.e. health information and certain other data types called “special categories” in the legislation), explicit consent is required. One example of where you will need to rely on consent is for the conducting of direct marketing by electronic means.
• Penalties – companies found to be in breach of GDPR may be subject to penalties of up to the greater of 4% of annual global turnover and €20 million and it is important to note that cloud providers will not be exempt from GDPR enforcement.
• Expansive Data Subject Rights – under the GDPR, data subjects in the EU have broad and additional rights with respect to their personal data, including among other things, the right to access, correct, port and erase such personal data (i.e. the “right to be forgotten”), and to withdraw their consent for the processing of personal data.
• Heightened Accountability Obligations – companies processing the personal data of persons in the EU need to ensure that they have documented a lawful basis for data processing activities, engage in ongoing recordkeeping of data processing activities, document their compliance with the principles set out in GDPR and notify relevant authorities of data breaches within 72 hours, and take additional steps to protect and secure personal data.
• Transparency – under the GDPR companies are required to clearly describe how they process and use personal data, with more detail including their data retention, anonymization, and deletion policies and practices. Companies will as a minimum need a privacy policy on their websites.
• Compliance – some companies may be required to hire a Data Protection Officer, while all companies are required to train employees on data privacy and ensure vendor compliance with the GDPR.
• Definition of Personal Data – the GDPR broadens the definition of personal data to include any information that can be used to directly or indirectly identify an individual, including IP addresses and device IDs. It also covers web data such as location, IP address, browser cookie data, RFID tags, health or genetic information (including bio-metric data). The GDPR also protects racial and ethnic information, political opinions and sexual orientation.

Data Collection Audit

Companies can prepare for GDPR by first reviewing existing data collection, storage and usage practices. Remember, old and new personal data is affected. To start, try answering the following questions to better understand how data flows through your organization:

• How do you collect personal data?
• On what lawful basis are you relying to collect personal data?
• What do you do with it?
• Where do you store it and for how long?
• Are you prepared to comply with data requests within 30 days?
• Are you documenting the process?

Third-party Solutions

Consider third-party solutions (such as website analytics, email marketing and customer contact tools) while reviewing your existing data collection methods. Many major solution providers have already transitioned to GDPR compliant practices. Check the provider's website for compliance details or contact them to request more information.

Next Steps

Develop policies and procedures that allow you to comply with data requests. Documentation is an important aspect of GDPR compliance. Create and maintain internal documentation of official policies and procedures for each of the data request use cases. Every business is different. Consult with a licensed attorney regarding your company's data practices.

Will Weebly be GDPR compliant by May 25, 2018?

Yes. We will be ready to process GDPR requests for our users (including third-party data that vendors and third-party apps are processors for). We will not deploy any Weebly cookies until users have chosen to opt-in on the cookie banner that will be presented to visitors. We are currently working on additional solutions to ensure personal data from persons located in the EU is kept private and secure on our platform.

Additional Resources

• The EU General Data Protection Regulation
• Key Changes with the General Data Protection Regulation
• GDPR FAQs
• TrustArc Guide to GDPR Compliance
• GDPR FAQ - Weebly Help Center

Please note, the information provided herein is for general informational purposes only and does not constitute legal advice; it has not been prepared with your specific circumstances in mind and therefore may not be suitable for use in your business. By relying on the information contained in this article, you assume all risk and liability that may result.