Guide to GDPR for Small Business

Companies of all sizes are now operating on a global scale, so it’s important for even small businesses to understand what GDPR  means. Before you assume this policy is not relevant to you, think again…and keep reading for answers to your GDPR FAQs.

What does GDPR mean?

The General Data Protection Regulation (GDPR) replaces the outdated Data Protection Directive 95/46/EC in order to provide a high and consistent level of data protection to all EU residents. Unlike the era of the old directive, today’s fast-paced world economy calls for a stronger measure that prioritizes security. This new regulation aims to unify protection rules and safeguard personal data across borders.

GDPR will take effect beginning May 25, 2018

When does GDPR go into effect?

Enforcement of the GDPR begins 25 May 2018. It was approved and adopted by the EU Parliament in April 2016.

Which businesses does GDPR impact?

GDPR affects pretty much any global business, including:

  • Organizations that store, handle, or process personal data of EU residents
  • Data controllers, defined as organizations that collect data of EU residents
  • Organizations that process data on behalf of the data controller (data processors) of EU residents, such as cloud service providers.

Businesses must obey the regulation or be faced with hefty fines.

Does GDPR apply to businesses not based in the EU?

If you are dealing with data of EU residents, you are subject to GDPR even if your company is based outside the EU. It’s not about where your business is based. It’s about where your customers are based.

Does GDPR apply to businesses with less than 250 employees?

Yes. Small businesses should pay attention to GDPR compliance because it doesn’t matter the size of your business as much as it depends on your business’s handling of personal data. No matter the company size, GDPR applies to any company that processes or stores data of EU residents.

Additionally, some companies may be required to appoint a Data Protection Officer (DPO) or Data Protection Team to manage the secure collection and processing of personal data. DPOs are required for the following:

  • Companies that carry out large scale systematic monitoring of individuals in the EU
  • Companies that deal on a large scale with a special category of data as stated in Article 9, including:
    • Race
    • Ethnic origin
    • Political leanings
    • Sexual orientation
    • Health information
  • If it is required by national law
  • If the organization is a public authority

Some examples of small businesses that need to be GDPR compliant are health care providers, law firms, accountants, advertising agencies, and all companies with employees if they deal with data of EU residents.

If none of these stipulations apply to your small business, it is still wise to be aware of GDPR when making strategic decisions about how your company grows.

What happens if my business does not comply with GDPR?

The fines for violating GDPR are substantial. The reason the fines are set this high is so that businesses will take data privacy protection seriously. There is a tiered approach to fines.

A company can be fined 2% of its annual global revenue or 10 million euros (whichever is greater) for:

  • Not having its records in order
  • Not notifying the supervising authority and data subject about a breach
  • Not conducting a privacy impact assessment

A company can be fined up to 4% of its annual global revenue or 20 million euros (whichever is greater) if:

  • It is found in a breach of a data subjects rights and freedoms (e.g. loss of personal data)

Businesses (data controllers) are required to give a maximum of 72 hours notice of a breach. That is, a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

How can I make sure that my business complies with GDPR?

Remember this mantra: “privacy is paramount”. The key to successfully complying with GDPR is keeping your customer data secure and safe at all times. You can start by performing a data assessment and asking yourself these questions:

  • Where does the data reside?
  • What is the format of the data?
  • Is it centralized or does it live on multiple devices?
  • Why are you storing it?
  • How did you get it?
  • Do you need to keep storing it and can it be deleted or changed?
  • What kind of data are you storing?
  • Can you anonymize the data?
  • How do users access the data? Is access encrypted and secured?
  • Is the data exposed to 3rd parties?

We at Citrix recommend following these four security principles to help keep your business compliant with GDPR:

  1. Centralize apps and data in a data center or cloud. Storing data on multiple devices throughout your company creates more vulnerabilities for security breaches. Data is less likely to be compromised if it is stored within one controlled location.
  2. If sensitive data must be distributed, make sure it is protected in a secure container.
  3. Control access to resources with context-aware policies. Set permissions on your data based on user, device, location, application, and level of sensitivity.
  4. Unite IT infrastructure to deliver app & data-specific security.

Preparing for GDPR may seem daunting, especially to a small business with so many other priorities on your plate. But consider what this means for you as a consumer. Even if you are not an EU resident, the implementation of GDPR is leading the way for strengthening data privacy in our global society.

Download the whitepaper to find out how Citrix ShareFile can prepare you for GDPRClick here to read our white paper and learn more about how ShareFile can help your business get ready for GDPR.

Legal Disclaimer: This document provides a general overview of the EU General Data Protection Regulation (GDPR) and is not intended as and shall not be construed as legal advice. Citrix does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that Customers or Channel Partners are in compliance with any law or regulation. Customers and Channel Partners are responsible for ensuring their own compliance with relevant laws and regulations, including GDPR. Customers and Channel Partners are responsible for interpreting themselves and/or obtaining advice of competent legal counsel with regard to any relevant laws and regulations applicable to them that may affect their operations and any actions they may need to take to comply with such laws and regulations.

About the Author

As a Senior Product Marketing Manager, Alysia Eve is passionate about how technology can improve peoples’ lives and loves working closely with customers to understand their needs. A resident of Raleigh, North Carolina, she received her Bachelor of Arts in Journalism from The Ohio State University and her MBA with concentrations in Marketing and Product Innovation Management from North Carolina State University. When she's not playing around with new technology, she loves spending time with her family and doing yoga, running, and cooking.