One of the most common lies in modern times? “I have read and agreed to the terms and conditions”. Plus, if anyone really had as many cookies as we agreed to in an average hour of browsing the web, there’d be a whole new health problem emerging.
It might all seem futile from a user perspective. Nobody reads all those terms and conditions or cookie agreements because ‘nobody cares’—until there’s a data breach.
Then, businesses are under attack from all sides. Bad press, customers turning their backs, and governments ready to punish them with fines.
It seems harsh, but with the value that lies in data, it all makes sense. Data is the new gold and oil, and it needs to be protected.
Especially for small businesses, this can seem like a hassle. The fast-paced world of small businesses is difficult enough to navigate without having to worry about regulatory compliance, data, and privacy.
As a small business owner, you’re tasked with ensuring that your business stays up and running. On top of that comes remaining in compliance with the ever-expanding list of regulations, such as the European Union’s General Data Protection Regulation (GDPR) and California’s Customer Consent Act (CCPA). Sigh.
These laws also recently introduced new complexities and requirements for small business owners operating within their jurisdictions, as if they weren’t complicated enough yet.
In addition to these new laws, small business owners are also required to comply with federal laws and regulations, such as the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA), which have been in place for years.
All of these laws and regulations can seem overwhelming, especially for small business owners operating on a limited budget.
In this article, we’ll zoom in on the GDPR and CCPA. First, we’ll help you understand what they’re all about, before we give some practical tips on how to handle compliance. Want to learn more? Read on about how to safeguard your small business data next!
Why do the GDPR and CCPA exist?
These regulations are designed to protect consumers while ensuring that they’re fairly represented in the data collection and use process.
However, small business owners are often overwhelmed by the sheer number of laws that they’re required to comply with. Let’s look at what the main players, the GDPR, and the CCPA, really entail.
What is the CCPA?
The California Consumer Privacy Act (CCPA), colloquially known as the “Data Privacy Bill,” is a new law that requires businesses to be transparent about how they use their customers’ personal data.
The name “Data Privacy Bill” is a bit of a misnomer; while the law does require businesses to disclose their data collection practices, it also contains several other provisions that affect small businesses.
These provisions require businesses to obtain consent from consumers before using or selling their personal data, and they also prohibit businesses from collecting certain types of personal data without the customer’s
The goal of the CCPA is to protect the data privacy rights of consumers, while also requiring certain businesses to provide their customers with transparency and control over their data.
The CCPA is the most comprehensive data privacy law in the United States, and has the potential to fundamentally change the way businesses interact with their customers.
The CCPA applies to businesses with at least one California resident, and who collect, use, and disclose customer information for any purpose.
If you are looking for more specific information, Osano has shared some helpful information on remaining compliant with the CCPA. In clear and concise language, you’ll learn all about the practicalities of the CCPA. For now, here are some tips to get you started with compliance.
What is the GDPR?
The General Data Protection Regulation (GDPR), sometimes referred to as the General Data Protection Law (GDPR), is the most recent major EU legal instrument to regulate the use and collection of personal data to protect the privacy of EU residents.
It requires companies that operate in the EU to comply with certain standards regarding the protection of personal data. It does so by codifying the fundamental principles of fair information practices, including the right of data subjects to access their personal data held by data controllers.
When most people think of the GDPR, they think of it in terms of how it will affect businesses. In reality, the GDPR protects consumers, too.
Does the GDPR only impact EU businesses?
No, the GDPR is a regulation that protects EU data rights, but it also has major implications for businesses that operate across borders. It applies to any business that handles the data of EU citizens, regardless of where the business is located.
How does the GDPR affect small businesses?
Yes, the GDPR is a complicated set of laws, but don’t panic: by understanding what it’s all about, and the tips that follow, you too can become and remain compliant.
This can be a tall order for some businesses, especially if their main focus is not on data management. Regardless of their size or their primary focus, all businesses must comply with the GDPR in order to avoid hefty fines.
What you really need to know about the GDPR (in easy language)
The full text of GDPR contains 99 individual articles. We understand you’re not going to read all of that, word for word. Even if you do, you might not remember or even comprehend everything.
Luckily, there’s a simpler summary. The GDPR revolves around seven main principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
Here’s what they entail.
Lawfulness, fairness and transparency
You can only process personal data if you have a solid reason for it, which summarizes lawfulness. Some of the reasons can be:
- The user has given you consent to do so.
- You must do it to make good on a contract.
- It’s necessary to fulfill a legal obligation.
- For the protection of vital interests of a natural person.
- It’s a public task done in the public interest.
You also have to be fair about why you’re doing this, and transparent.
The reason you collect and store data extends to the principle of purpose limitation, meaning data is “collected for specified, explicit, and legitimate purposes” only.
The purpose needs to be clear, not just to yourself, but also through consumers -so you need to communicate what is happening in a privacy notice. Finally, you can also not deviate from that purpose.
You don’t need to ask subscribers to your newsletters what their phone number is. Only collect the data you need.
The data you collect and store needs to be accurate, and that is your responsibility. You need to check it and get rid of incorrect or incomplete data. This benefits everybody!
You can’t store data forever. You have to limit the time you store data, and justify why you’ve chosen that length of time
Integrity and confidentiality
It’s up to you to keep the data you collect safe from internal and external threats.
Last but not least: you have to take accountability and be able to prove how you’re working on compliance. This evidence can be requested by the authorities at any time, so make sure to properly document what you’re doing.
Tips on becoming and remaining compliant—even as a small business
So, now you understand what all the fuss is about, it’s time to become complacent. Here are some steps and tips you shouldn’t miss.
- Create and maintain a list of all your data processing activities and document them: start off by thinking long and hard about what data is actually in your possession, and what you will be collecting in the future.
- Understand your obligations as an organization: which rules apply to you? There are countless laws out there and it can be difficult to find out which one your business falls under. Don’t hesitate to reach out to an expert to make sure you’re not complying with the wrong laws.
- Ensure that your employees are aware of their obligations: data protection and compliance is a team effort. Every person carries the responsibility. You can also consider if you need to appoint a Data Protection Officer (DPO).
- Make sure that you have an agreement with your third-party providers about how they use customer data, or use software that helps you keep track of this.
- Use a tool to do the heavy lifting: A privacy platform software can help you keep track of all your data, and any updates in vendor agreements. Doing this manually has become nearly impossible without the amount of data being processed.
How confident are you in your compliance?
When it comes to complying with all these regulations, the best advice out there is: better be safe than sorry.
Educate yourself on what needs to be done and if it seems too much to do ‘next’ to running your business, consider outsourcing it to an expert—which will always be cheaper than paying a fine!