Privacy compliance: Action plan for small businesses as GDPR deadline nears

Compliance with the provisions of the GDPR may prove to be both expensive and cumbersome for businesses considering their limited resources.

While compliance with the GDPR requires a lot of time and effort, small businesses would stand to gain a business edge from complying because of mitigation of risk to the business
By Supratim Chakraborty & Sneh Lata

Businesses with a touchpoint in the EU, or transacting with EU users, may already be daunted by the spectre of compliance with the European Union's latest regulation, the General Data Protection Regulation (GDPR).

The GDPR's effective date of May 25 looms large over many businesses, including startups and SMEs. Compliance with the provisions of the GDPR may prove to be both expensive and cumbersome for such businesses, given their limited resources. However, non-compliance with the GDPR may result in massive penalties of up to 4% (four percent) of annual global turnover for the preceding financial year or Euro 20 million, whichever is greater.

While the flow of personal data across national boundaries has expanded the commercial prospects of businesses, it has at the same time raised concerns about the privacy of personal data. A lack of standardisation in data privacy laws has made it difficult for businesses to ensure that they are not in breach of some law in one jurisdiction or another. The GDPR envisages a systematic regime of data protection and privacy law within the EU. One silver lining for smaller businesses is that they are more compact than larger organisations and their processes are more agile. Small businesses are therefore better placed to achieve compliance than large organisations that are still grappling with the GDPR requirements.

How does GDPR affect businesses?
The GDPR will apply to businesses that have any establishment within the EU. It will also apply where a small business offers goods or services to, or monitors the behaviour of, users located in the EU. Any collection of data from the EU, including via e-mails, cookies, websites, profiling, geographical location, etc., will also fall under the purview of the GDPR. However, the GDPR does exempt businesses with fewer than 250 employees from certain compliance obligations.

Steps towards compliance?
i. Data encryption and confidentiality - Businesses should have the technology to ensure that personal data collected is stored in encrypted form, and should also have internal mechanisms to guard against misuse through unauthorised access.
ii. Data minimisation - purging data that is not required.
iii. Internal policies - businesses should ensure that all internal and external data collection, data processing and data retention policies are updated. Training sessions should be conducted to create awareness of the GDPR amongst employees.
iv. Privacy policy - businesses should update existing user privacy policies to include information such as (i) the identity and contact details of the data collector; (ii) the purpose of processing and the legal basis for such processing; (iii) the legitimate interests of the business in processing personal data (where applicable); (iv) the rights of users under the GDPR and the right to complain to supervisory authorities; (v) details of any transfer to a third country and the safeguards adopted by data collectors and processors in such third country, etc.
v. Data processing agreements - businesses are required to stipulate data protection obligations in their agreements with third-party processors.
vi. User-friendly consent - businesses need to ensure that consent forms for the collection of data from users are written in simple language, so that consent is given by a clear affirmative action that signifies agreement to the processing of personal data relating to the user.
vii. Demonstrating compliance - businesses are required to document all procedures and practices dealing with the personal information of data subjects in order to prove compliance under the GDPR.

Compliance with GDPR for Indian businesses
While compliance with the GDPR requires a lot of time and effort, small businesses stand to gain a business edge from complying because of the resulting mitigation of risk to the business. It is also worth noting that India will be rolling out its own data privacy regulations very soon and may borrow certain principles from the GDPR. Compliance with the GDPR could therefore ensure compliance with Indian law to a significant extent.

Supratim Chakraborty is Associate Partner & Sneh Lata is Associate, Khaitan & Co.

(Disclaimer: The opinions expressed in this column are that of the writer. The facts and opinions expressed here do not reflect the views of www.economictimes.com.)