GDPR for SMBs: the basics you should not skip
The GDPR applies to every company, not only the large ones. If you handle personal data, it concerns you. A simple customer list is enough. The good news is that the basics are simple to understand. Here is what matters for an SMB.
What is the GDPR, in plain terms?
The GDPR is the European regulation on the protection of personal data. Personal data is any information that identifies a person. A name, an email, a phone number, an IP address. As soon as you collect it, you have obligations.
The data you handle without thinking about it
Many SMBs underestimate what they collect.
- Customer and prospect records.
- The CVs you receive for a hire.
- The emails and contact forms from the site.
- Staff data.
- Cookies and visit statistics.
Listing this data is the first step.
The principles to follow
The GDPR comes down to a few simple ideas.
- Only collect what you need.
- Say clearly why you collect it, and what it is for.
- Keep the data as long as needed, not forever.
- Protect it against loss and theft.
- Do not share it without a legal basis.
Consent
For certain uses, like a newsletter, you need the person's consent. Consent must be free, clear and active. A pre-ticked box is not enough. The person must be able to say yes, and also to withdraw their agreement easily.
People's rights
Your customers have rights over their data. The right to access it. To correct it. To have it deleted. You must be able to answer these requests within a reasonable time. Plan who handles them in your company.
Security, at the heart of the GDPR
Protecting data is part of your obligations. Strong passwords, two-factor authentication, limited access, tested backups. In case of a serious breach, you often have to report it to the data protection authority, sometimes within 72 hours.
Where to start
Four concrete actions for an SMB.
- List the data you handle, and why.
- Update your notices and your privacy policy.
- Secure access and backups.
- Train your teams in the right habits.
The GDPR is as much about organisation as about technology. We help you take stock and secure your data. Explore our IT consulting and audits, or get in touch.
This article gives practical pointers. It does not replace legal advice suited to your situation.