Data protection

Better rules for small business

Stronger rules on data protection from 25 May 2018 mean citizens have more control over their data and business benefits from a level playing field. One set of rules for all companies operating in the EU, wherever they are based. Find out what this means for your SME.

What is personal data?

  • Name
  • Address
  • Location
  • Online identifier
  • Health information
  • Income
  • Cultural profile
  • and more

Collect, store or use data?
You have to abide by the rules.

Process data for other companies?
This is for you too.

Why change the rules?

It's about trust...

A lack of trust in the old data protection rules held back the digital economy, and quite possibly your business.

Only 15% of people feel they have complete control over the information they provide online.

And helping business boom...

One set of rules for all companies processing data in the EU

Doing business just got easier and fairer.

New rules boost consumer confidence and, in turn, business.

What your company must do

Protect the rights of people giving you their data

Communication

Use plain language.

Tell them who you are when you request the data.

Say why you are processing their data, how long it will be stored and who receives it.

Consent

Consent is one of the legal grounds for processing data (together with contract, legitimate interest, legal obligations, etc.).

If you rely on it, consent should be given by a clear affirmative action.

Access and portability

Let people access their data and give it to another company.

Warnings

Inform people of data breaches if there is a serious risk to them.

Erase data

Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.

Profiling

If you use profiling to process applications for legally binding agreements like loans, you must:

  • Inform your customers;
  • Make sure you have a person, not a machine, checking the process if the application ends in a refusal;
  • Offer the applicant the right to contest the decision;
  • Ensure an appropriate legal basis to carry out such profiling.

Marketing

Give people the right to opt out of direct marketing that uses their data.

Safeguarding sensitive data

Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.

Children's data

Collecting data from children under 16?
Under the GDPR you must get parental consent. However, each EU Member State can lower this threshold to between 13 and 16 years of age, so check the age limit.

Data transfer outside the EU

Check the availability of a transfer tool, such as model contract clauses, when there is no adequacy decision for the country of destination.

Do data protection by design

Build data protection safeguards into your products and services from the earliest stages of development.

Processing data for another company?

Make sure you have a watertight contract listing the responsibilities of each party.

Check if you need a data protection officer

This is not always obligatory. It depends on the type and amount of data you collect, whether processing is your main business and whether you do it on a large scale.

  • You process personal data to target advertising through search engines based on people’s behaviour online. (DPO needed: Yes)
  • You send your clients an advert once a year to promote your local food business. (DPO needed: No)
  • You are a GP and collect data on your patients’ health. (DPO needed: No)
  • You process personal data on genetics and health for a hospital. (DPO needed: Yes)

Keep records

You should keep records of data processing containing:

  • Name and contact details of business
  • Reasons for data processing
  • Description of categories of data subjects and personal data
  • Categories of organisations receiving the data
  • Transfer of data to another country or organisation
  • Time limit for removal of data, if possible
  • Description of security measures used when processing, if possible

Anticipate with impact assessments

Impact assessments may be required for high-risk processing, for example:

  • New technologies
  • Automatic, systematic processing and evaluation of personal information
  • Large-scale monitoring of a publicly accessible area (e.g. CCTV)
  • Large-scale processing of sensitive data like biometrics

The cost of non-compliance

Your local Data Protection Authority monitors compliance; their work is coordinated at EU level.

The cost of falling foul of the rules can be high. Possible sanctions are:

  • Warning
  • Reprimand
  • Suspension of data processing
  • Fine: up to €20 million or 4% of global annual turnover

This document should not be considered as representative of the Commission's official position and does not replace the legislation.