Even though you work in a small business, you still need to know about data protection and security laws. These laws and regulations ensure that important business data and customer information remain accessible and protected from loss and theft. Breaking these regulations can mean loss of customer trust, lawsuits, and large fines, even if you didn’t know you were breaking the law in the first place. As such, it is very important that small business owners and workers who handle data understand which regulations their business falls under.
In this article, we will summarize several important data privacy laws that may apply to your business. Whether or not your business must follow these regulations will depend on your business’ location, the location of your clients and employees, and what industry you operate in. As such, before you begin to implement these regulations, you should identify whose and what type of personal data your business processes.
The data privacy laws and regulatory standards covered in this article include:
- GDPR
- CCPA and other US regulations
- PCI DSS
- SOC 2
- ISO 27001
What is the General Data Protection Regulation (GDPR)?
The GDPR is a regulation concerned with data privacy that applies to the European Union (EU), European Economic Area (EEA) and any international businesses that process data containing personal information for EEA citizens. Basically, if any of your customers, employees, or business contacts reside within the EEA, then the GDPR applies to you, regardless of the size of your business. If your website saves personal data from visitors from EEA countries, then the GDPR also applies to you. Additionally, other countries have adopted laws similar to the GDPR, including Turkey, Mauritius, Chile, Japan, the United Kingdom, Brazil, South Korea, Argentina, and Kenya. So, if your business has customers in these countries, it is recommended that you follow the GDPR’s guidelines.
So, what does the GDPR require of businesses? The GDPR is a very long document, so we won’t get into all of the specifics in this article. Fortunately, the GDPR’s data protection and security provisions can be summarized by the seven protection and accountability principles, which are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Let’s go over each of these principles in further detail and discuss how they can be applied to small businesses.
1. Lawfulness, Fairness and Transparency
Data processing must be lawful, fair, and transparent to the data subject (the person you are collecting data from). This means that you must get specific, unambiguous consent before you process an individual’s data. You must let them know what specific data you are collecting and what you will do with it. Even if they consent to data collection, they can withdraw that consent at any time, at which point you must remove the personal data you have collected. Throughout this process, you must keep documentation proving that you have received permission to collect the data.
2. Purpose Limitation
The purpose of data collection must be made explicit to the data subject. If the purpose of your data collection changes, then you must let the data subject know and receive permission again.
3. Data Minimization
You should collect only the amount of data necessary to complete your purpose. If you collect or store any unnecessary data, then you may face legal consequences.
4. Accuracy
Personal data must be accurate and up-to-date. It is the business’ responsibility to ensure data accuracy and update information after any changes.
5. Storage Limitation
You can only store personally identifying data for as long as it takes you to complete your stated purpose. For example, if you require a data subject’s phone number in order to make one phone call, then you must delete that phone number from data storage once the call is complete.
6. Integrity and Confidentiality
When you process data, you must ensure that it remains secure and confidential. This means that you must encrypt data during transfer and store it in a secure location. Personal data should only be available to employees who need it. Additionally, you should have proper safeguards in place to ensure that nobody outside of your company can access your data. These safeguards may include requiring employees to use two-factor authentication, providing remote employees with a VPN, using risk management technology to automatically classify data, and hosting mandatory cybersecurity training.
7. Accountability
The business and its data controller (the person who decides why and how personal data will be processed) must be able to demonstrate that they are GDPR compliant. It’s not enough to be GDPR compliant; you must have the proper documentation that demonstrates compliance. As such, you should maintain detailed documentation of all of the data you collect, how you use it, and where you store it.
To further check compliance, you can review a checklist with detailed instructions on how to maintain compliance, use software that audits your business and checks compliance (such as Vanta), or hire a lawyer well-versed in data privacy law to complete an audit.
For more information on the GDPR and how to ensure compliance with it, you can visit the EU’s complete guide to GDPR website.
US Data Privacy Laws
The US does not currently have a federal law like the GDPR, though several states have passed comprehensive data privacy laws similar to the GDPR. For four of these states (Virginia, Colorado, Utah, and Connecticut), these laws will not go into effect until 2023. If you conduct business with residents of one of those states, then you should read up on their details before the law goes into effect.
The only state-level comprehensive data protection law currently in effect in the US is the California Consumer Privacy Act (CCPA). The CCPA is very similar to the GDPR; however, it does not apply to all businesses like the GDPR does and may not apply to your small business. This law will only apply to your business if at least one of the following is true:
- Your business has an annual gross revenue of over $25 million
- You buy, sell, or receive the personal information of 50,000 or more consumers, regardless of whether or not all of these consumers reside in California
- Your business derives at least 50% of its revenue from selling personal information
If at least one of the above applies to your business, then you should learn what the CCPA entails. It grants consumers the right to:
- Know what personal information a business collects and how it intends to use that information
- Have collected personal information deleted on request
- Opt-out of the sale of their personal data to third parties
- Non-discrimination for exercising the above rights
Like with the GDPR, if you process personal data from residents of California, you should always keep detailed documentation about the data you collect and the purpose of the collection. You should follow the principles of the GDPR and practice transparency whenever you collect personal data. Regardless of where your business is located, you must follow the CCPA if you collect personal data from California residents.
Other US Regulations
In addition to the above laws, both the federal government and state governments have privacy regulations specific to different industries, such as HIPAA and FERPA. The laws do not cover all forms of data processing for residents and only mandate protections for certain kinds of data and communication. It is your responsibility to ensure that you are compliant with all local laws and regulations for your industry.
Voluntary Data Privacy Regulations
In addition to the laws stated above, there are voluntary compliance standards that businesses who work with customer data should consider adopting. Though you won’t face any legal penalties for not complying with these standards, you may lose customers who are in-the-know about data privacy. In particular, B2B companies should follow these compliance standards as other businesses will expect adherence to proper data protection protocol.
Compliance standards that may apply to your business include:
- PCI DSS, which regulates how businesses collect and store credit card data
- SOC 2, an auditing procedure for SaaS companies that ensures that data is private, secure, confidential, available, and processed with integrity
- ISO 27001, an internationally recognized certifiable information security standard that ensures the confidentiality, integrity, and availability of all corporate data
To receive certification for the above standards, you must go through an auditing process with an accredited certification body to assess compliance. Once you have received certification, you can advertise it on your company materials and assure customers that their data is secure and protected.
Get Started with Data Protection
Clearly, data protection is a complex business. Even for small companies, various data protection laws and regulation standards should be followed in order to protect customer data. Juggling all of these requirements is too much for one person. That’s why you should consider investing in software that can automate the compliance process. Check out our lists of risk management software, remote data protection systems, and continuous data protection solutions to compare the best options for data auditing and security compliance.