GDPR for small businesses

GDPR For Small Business

In May 2018, the General Data Protection Regulation (GDPR) went into effect, strengthening the rights of EU residents regarding data privacy and protection. Essentially, these rights comprise two things:

  • Besides transparency, organizations must provide individuals with the ability to review, amend, or challenge the processing of their personal information.
  • To protect individual data, organizations should implement security measures and manage the liability for any breach or misuse of this information.

This article will discuss how GDPR may apply to small businesses and some of the essential tasks these businesses need to perform to determine whether the data privacy of their clients is being protected and whether they are GDPR compliant.

GDPR and Small Businesses

Small Businesses with 250-500 Employees

A small company is generally considered to be one with fewer than 500 employees in the United States. GDPR requires companies to keep a record of all data processing operations if they meet certain thresholds. If a business is subject to GDPR, the record-keeping requirements apply to every business with 250-500 employees.

Whether a Data Protection Officer (DPO) is needed is not determined by the business’ size but by the scale and sensitivity of its core processing operations. DPOs are knowledgeable about data protection legislation and processes. A person in this position is also responsible for notifying the authorities of any data breaches.

Small Businesses with Fewer Than 250 Employees

Generally speaking, Article 30 of the GDPR exempts small businesses with fewer than 250 workers from the need to maintain records of their processing operations, whether as a controller or processor. The size exemption does not apply, however, if the business’s processing involves any of the following:

  • The data processing operations may jeopardize an individual’s rights and freedoms.
  • The information to be processed may involve an individual’s racial origin; political, religious, or philosophical opinions; union membership; genetic or biometric data; or the individual’s health or sexuality.
  • The personal data relate to criminal offences, convictions, or arrests.
  • The personal data is processed regularly.

If any of these conditions applies, a small business should consider itself subject to the same Article 30 record-keeping requirements as a larger firm.

Small businesses are generally understood to have fewer resources than large corporations. Thus, the Information Commissioner’s Office (ICO) will take into account the challenges a smaller company faces in complying with the legislation.

GDPR Compliance of Small Businesses

In most instances, your own personal data, your client information, and your business contacts will all contain personal data in some form. Therefore, let us examine the GDPR’s fundamental principles and how you will be required to comply with them.

Prepare to add more checkboxes to your systems, since enhanced consent requirements mean getting permission for each use of a customer’s data. Suppose your business requests an email address and permission to deliver purchase information. In that case, it might need permission once more before using that email address for marketing purposes. Businesses should phrase all permission requests in a manner that is understandable to the company’s targeted customers.

Access and Control

Data owners should be given control over their information, including the right to delete, receive, and reuse their data. This also includes the ability to move, copy, or transfer their data securely. As a business owner, you may need to provide a system for customers to control the use of their personal data, from data entry to data deletion.

Data Breach Reporting

Businesses may have to notify data owners if a security breach occurs. While this may conjure up visions of large-scale attacks, it also encompasses minor errors such as granting access to your data to a contractor or an employee losing a laptop. No matter how minor the breach is, the business might have to inform the data owner about it if it poses risks to the data owner.

After the data is provided, you’ll need security measures in place to protect it. Simply put, you should see that data is appropriately protected. Thus, you should consider encrypting any database that holds your clients’ data rather than simply password protecting it.

You may need to provide proper oversight of third-party applications and organizations that are involved in the data processing. When using online newsletter services, the use of mailing lists should be GDPR compliant.

Additional GDPR Compliance

The following factors may help illustrate the most critical actions that US small businesses will need to take to be GDPR compliant:

Audit the Data

Proper auditing of data for GDPR compliance is not a simple undertaking. Thus, businesses must make wise decisions. They may be required to conduct Data Protection Impact Assessments (DPIAs) before initiating any data processing. A DPIA proactively protects data and assesses the potential risks to data subjects associated with any new data processing. Most European data protection authorities provide guidelines on their websites on DPIAs and when they should be conducted.

Audit the Service Providers

Auditing your service providers’ compliance is a chore that many US businesses struggle with, and it may be the source of your business’s most significant risk. Businesses need to evaluate and execute data processing agreements with third-party service providers that handle personal data on their behalf. GDPR requires the data controller to enter into such contracts, and the data processor may only act on the controller’s instructions. A service provider that does not comply with GDPR may itself be in breach and put the controller at risk.

What Happens To Non-Compliant Small Businesses?

Investing the effort to design a GDPR-compliant privacy policy may significantly assist small businesses in showing compliance. Those who have not done so may be deemed non-compliant. They may face reprimands, temporary or permanent data processing limits, data restriction or deletion orders, and suspension of data transfer to third countries from supervisory authorities.

Article 83 of the GDPR alerts enterprises to infractions and imposes discretionary fines. It incentivizes enterprises to handle personal data legally and responsibly. 

GDPR Compliance is Important for Small Businesses

GDPR compliance is crucial for both small and large businesses. Many businesses have hired a Data Protection Officer (DPO) to monitor GDPR compliance. 

Inadequate comprehension is a poor excuse for GDPR non-compliance. Whether it is a sole proprietor or a global corporation, businesses should review how they handle personal data and verify that suitable processes and policies are in place. Systems for granting data access requests and systems for detecting and reporting data breaches may need to be in place. Businesses should also implement appropriate technical and organizational protections to oversee the safety and security of data.

To comply with the GDPR requirements, your business must work with experts in data privacy and protection. Contact Metaverse Law today and learn more.

Business Affected By GDPR?

GDPR and Its Impact on Business – Find Out Here!

Over the years, the internet has changed the way we communicate and how we handle day-to-day tasks. There are so many things that we can do via the internet, from sharing documents to paying our bills. All of these are convenient, but these tasks require us to enter personal details.

With so much information that we share online, how can you be sure that your information will be kept safe? Have you ever wondered what happens to the information you share online, like your bank details, addresses, contacts, etc.?

Companies say that they collect this information to serve you better to provide you with more targeted and relevant communication. In turn, you get better customer experience in the end.

The question is, what do they do with that data?

That’s where the GDPR comes in.

The General Data Protection Regulation (GDPR) took effect on May 25, 2018 and many companies have taken steps to comply with it; otherwise, they could face fines and other consequences. But what is GDPR and what are the companies that are strongly affected by this change? 

GDPR Compliance: What is it? 

GDPR is the set of rules designed for EU individuals that allow them to have more control over their data. The main goal of this regulation is to make the digital environment simple so that businesses and their customers in the EU can benefit from a digital economy, yet still protect individual privacy. 

The GDPR applies to all companies that sell to the EU or store personal information about EU residents, including B2B personal information about EU individuals collected by companies on other continents.

Which Companies are Affected by GDPR?

As mentioned, companies that sell to the EU, store personal information about EU residents, and have customers in the EU are affected by this.

In addition, GDPR applies to all companies established in the EU, regardless of where their data processing takes place. In fact, even non-EU established companies will be subject to GDPR, as long as the business offers goods and/or services to EU citizens. Therefore, this puts consumers from the EU in the driver’s seat, and businesses must comply with the regulation.

Here are some of the industries that are most hit by GDPR: 

Social Media

Ever since GDPR took effect, social media users have noticed changes in the privacy policies of social platforms they frequent, and they were notified of these changes via email. The reason behind these changes is the GDPR and other privacy laws. 

Companies in the social media marketing industry are among the most affected by this new regulation. Therefore, social media marketers must disclose how users’ data are being used and ensure that users understand it.

In addition to that, they need to request full consent from users to use their data outside of what is strictly necessary to provide the social media information society services. 

There are also other strict rules that GDPR expects social media companies to follow, such as:

  • Users have the right to be forgotten, which means that users now have the right to delete all their data. 
  • Companies that collect information directly from users must inform users within 72 hours after a data or security breach is detected. 
  • Plain language must be used in all privacy policies and explanations regarding users’ data. 

Despite this drastic change in the social media industry, users can highly benefit from this shift in data privacy rights. 

Online Retail

GDPR has become a challenge for online retail companies, forcing changes that make many brands rethink their strategies. Due to GDPR restrictions, such as limits on the use of third-party information or on sharing user information with third parties, it has become harder for online retailers to thrive.

However, these changes have their advantages as well, because they put online retailers on a better footing with consumers. This will help them build a more trustworthy relationship with consumers, which is crucial in today’s digital environment.

Digital Banking

Undeniably, the effects of GDPR on financial services are significant. GDPR has made the privacy of users their primary concern. The main principle of GDPR is “incorporating privacy and data protection” considerations into all sectors that use personal information, which is critical for the digital banking industry.


Although GDPR encourages best practice and data compliance, it comes with a side effect. Digital bank owners see the new regulation as costly and fear it may affect their projects further. Therefore, many have reservations that make them hesitant to invest, because they fear they would get it all wrong.

However, there are many benefits when digital banks comply with data privacy law. For one, it will provide them with more opportunities for innovation and investment, because it is more than regulatory compliance. In fact, it is a profitable strategy in which bank owners can make bolder decisions and enter new territories due to the integration of data protection into core development strategies.

Secondly, GDPR compliance allows digital bank owners to handle data more ethically, a huge advantage in the industry.

Finally, GDPR provides digital defense by considering internal and vendor security, and by reinforcing good data handling processes that banks can follow should there be a security breach.

Cloud Computing

Cloud computing companies are also affected by GDPR, due to the sensitivity of customers’ information in the cloud. Since cloud service providers host various types of data, they often deal with sensitive and classified information, which could fall into the wrong hands.

Another challenge is the externalization of privacy, because businesses that use a cloud service expect the privacy agreements and commitments they made to their customers and staff to still hold. However, if the cloud service provider operates in various locations, the rights of data owners may be subject to different regulations and requirements. Therefore, it is advisable to have a customized agreement with a cloud computing company when it comes to privacy commitments.

In a Nutshell

It’s been years since GDPR came into effect. Today, it still remains a rigorous compliance process. However, GDPR has brought many opportunities that can improve strategies and deliver more innovation in the market.

Even if you’re not in any of the industries listed above, as long as you operate a business that sells products online to EU individuals, you need to consider GDPR compliance; otherwise, you could risk facing hefty fines or losing customers.

So, if you’re unsure whether your company is GDPR compliant, contact someone with GDPR experience to assess your GDPR compliance.

GDPR for US Citizens

Does GDPR Apply to US Citizens?

The General Data Protection Regulation (GDPR) is the most detailed data privacy legislation that Europe has ever passed. It took effect on May 25, 2018, and transformed the digital landscape.

Under this legislation, all individuals and institutions in Europe are bound to GDPR compliance in protecting the personal information of their clients. The European Union created this regulation to ensure that the personal privacy rights of European citizens are protected at the EU level. GDPR requirements create a uniform system of rules for data processing activities.

This article will further discuss the scopes and limitations of GDPR as it is applied to the US and its citizens.

United States (US) Inclusion to GDPR

While it is based on European Union (EU) legislation, this ground-breaking data security and privacy regulation extends significantly beyond the geographical borders of the EU and the European Economic Area (EEA). In some areas, it encompasses the United States of America, the EU’s second largest trade partner.

The GDPR’s entire purpose is to safeguard the personal data of EU citizens and residents. As a result, the legislation extends to entities that manage certain data regardless of whether they are in the EU, a concept recognized as an “extra-territorial effect.”

As specified in Article 3 of the GDPR, the law’s geographical reach is not limited to businesses in the EU/EEA. The legislation extends the GDPR’s processing rules to businesses based outside of the EU/EEA if either of the following two conditions is met:

  • Provides goods or services to EU/EEA citizens (even in the absence of commercial transactions); or
  • Controls or tracks the activities of consumers inside the EU/EEA.

Therefore, organizations in the USA and other countries worldwide are covered under this regulation as long as they meet one of the above-mentioned conditions.

If a US business is required to comply with the GDPR requirements, it has the same stringent conditions as businesses based in the EU.

The GDPR regulates personal data processing activities in a variety of ways. Personal data can include identities, contact numbers, computer details (e.g., IP addresses, location data), biometric data, images, and videos.

US Citizens Inclusion to GDPR

Does GDPR apply to US citizens? It’s perplexing to think about what occurs when Americans enter a country in the European Union considering the EU’s General Data Protection Regulation (GDPR). Does this legislation cover them?

Since the GDPR is a European Union law, it is easy to think that it just refers to all citizens of the Union. That is not entirely the case. Citizenship has little bearing on the GDPR’s geographical scope, and the GDPR never uses the terms “citizens” or “residents.” Instead, the GDPR simply refers to data subjects “in the Union,” with data subjects defined as “an identified or identifiable natural person.”


GDPR is not expressly concerned with an individual’s status as an EU resident. GDPR protects someone who lives in or visits an EU region. If an American travels to France, makes a purchase in a shop, and is asked to provide their name and address for an invoice, the shop must protect their information per GDPR requirements. They must be granted the same GDPR privileges and freedoms as all EU residents.

Individuals are granted certain privileges and liberties under the GDPR. The legislation imposes restrictions on how businesses can use their personal data. It makes no difference whether the business is located in, or has an office in, an EU country. The GDPR rules apply whenever a company collects or handles personal data in the Union.

There is currently no law in the United States that protects the privacy of all citizens; existing laws cover only select categories of people or industries. The Health Insurance Portability and Accountability Act (HIPAA), for example, establishes security measures to safeguard the privacy of patients and health plan members. It applies only to confidential health information gathered, processed, used, or transmitted by a HIPAA-covered entity.

GDPR compliance will be easier for HIPAA-covered organizations if they apply the same standards to protecting all concerned individuals and their records. Adopting a more holistic approach to data security is essential to meeting the GDPR requirements.

Relationship Between Location and Citizenship

The GDPR is location-based, not citizenship-based. The distinction between citizenship and place exists when we discuss non-EU people residing in the EU versus EU citizens residing beyond the EU, or when the good or service is provided inside or outside the boundaries of the EU.

Recital 14 of the GDPR notes that “This Regulation shall extend to all natural persons, regardless of their ethnicity or place of residence, concerning the collection of their personal details.” Below are example scenarios where GDPR can be applied:

Scenario 1:

A US citizen is on holiday in Germany. He places an online order for dinner from a Berlin restaurant and has it delivered to the hotel where he is staying.

The GDPR legislation applies to this scenario since the ‘data subject’ (the US citizen) is in an EU country and is supplying personal data for a good or service in the EU. The citizenship of the data subject is not significant.

Scenario 2:

A US citizen residing in Spain visits the website of a US clothing retailer and places an order for a dress, specifying her EU delivery address. The US clothing retailer advertises that it sells to Spain and offers the dress for sale in Euros.

The GDPR applies since (i) the data subject is currently residing in the EU, (ii) she orders using an EU address, and (iii) the US clothing retailer offers its goods to individuals in the EU. In this scenario, neither the citizenship of the data subject nor the store’s location is significant.

GDPR plays an important role because it strengthens the security of European data subjects’ rights and clarifies the obligations of businesses that handle personal data to respect these rights.

The GDPR requirements center on data processing activities, not citizenship: they cover personal data gathered in any EU country, whether the data subject is an EU or non-EU resident who is living in or visiting the EU.

Any US business or company serving customers in the EU/EEA, or tracking their behaviour within this region, should consider GDPR compliance. The legislation protects US citizens who use their information abroad in the EU.

GDPR comes with strict measures to penalize non-compliant businesses and organizations that fail to meet its requirements, giving this legislation teeth to regulate and protect EU data privacy values against violators.


Data Privacy Matters

How Will GDPR Affect Business Marketing Approaches in The Digital Age

The General Data Protection Regulation (GDPR) has provisions that impact today’s marketing strategies. With the increasing interplay between internal and external regulation and increasingly intrusive practices by law enforcement authorities, the future of digital marketing may involve significant changes. At the same time, the European Union (EU) is making efforts to strengthen its regulatory regime and pass several laws to improve its relationship with the US. It is essential to consider the potential social, political, and legal impact of GDPR on your business. Furthermore, certain restrictions dictate the way companies can conduct their business online. Given all this, if you want to continue to enjoy the benefits of doing business online within the EU, you need to be fully aware of the implications of GDPR and how it affects your marketing techniques.

What is GDPR? 

The GDPR is a set of rules developed by the European Commission to enable citizens to have more control over personal data. Several reforms are created to prepare regulations, laws, and obligations of data privacy and consent involving individuals, businesses, and entities. Some of these regulations cover consumer credit, advertising, information protection, payment data transfer and schemes, and more. 

This framework sets out general guidelines for ensuring the protection of personal information. In particular, GDPR protects against the unnecessary, unethical, and illegal use of personal data. However, it is essential to note that GDPR addresses different aspects of the whole regulatory framework, which means that every reform is examined separately for its relevance and applicability.

Regulation on personal information processing is vital to the reforms related to the GDPR’s subject matter. It sets out the rules and procedures that ensure personal information processing occurs within the Commission’s data protection frameworks.

This regulation aims to protect individuals from unfair and unwarranted discrimination when taking up jobs, accessing services, performing online transactions, and other related digital activities. It covers the unwarranted use of collected data for criminal prosecution and employee protection from unfair dismissal and other workers’ compensation claims. The security requirements defend corporate clients and enterprises from data protection risks and ensure that their companies comply with the principles laid down in the GDPR. All these aims are governed through the various bodies that constitute the Commission’s regulatory bodies and state data protection agencies.

What is GDPR compliance? 

GDPR compliance involves ensuring the legal process of data collection, processing, and maintenance.

All entities under the GDPR scope, digital-based or not, will have to comply with this particular regulation. It requires companies to take necessary measures and create protocols to protect the personal data of the organization, employees, and clients involved for their legitimate purposes, or other lawful bases, in line with the EU data protection regulation and directives. 

Several regulations are addressed in the GDPR. You need to keep in mind that all organizations and their processors and controllers are obliged to ensure they do not breach any of the provisions within the regulation and prepare measures that they can take to protect their users.

Under Article 4, section 7 of the General Data Protection Regulation, “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

Under Article 4, section 8 of the General Data Protection Regulation, “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

How Will GDPR Affect Business Marketing

The main aim of GDPR is to ensure that unauthorized third parties cannot misuse all personal information kept by company processors and controllers. For instance, organizations must ensure that they inform their clients about the procedures they follow to process their data, the additional risks they face if they fail to comply with the regulations, and how they can benefit from it. The regulation also addresses how companies and controllers can implement suitable systems to handle their clients’ data according to the different regulations. With all these in mind, it’s clear that understanding the GDPR compliance requirements is vital for those within the scope to stay in business.

Who does GDPR apply to?

The EU General Data Protection Regulation (GDPR) has implications for many organizations, particularly those controlling or processing personal information in the European Union or personal information of EU data subjects.

The compliance scope includes regulations in data processing for direct marketing purposes by the companies’ advertising agencies through telemarketing and other means and using data to generate ad campaigns. 

Application of the GDPR to Organizations

The GDPR will apply to the personal data processing by organizations established in the EU, regardless of where the data processing transpires. It will also apply to the personal data processing by organizations that control or process data in connection with (1) offering goods or services (with or without charge) to, or (2) monitoring individuals in the EU.

Data Consent According to the GDPR

Under the GDPR, controllers or processors can process personal data in specific limited, designated circumstances with consent. There are particular requirements of valid consent provided by the GDPR:

  • Children under 16 will require parental guidance and permission in giving consent.
  • Consent must be a voluntarily given, specific, informed, and unambiguous indication through a statement or clear confirmation. 
  • Consent must be as easy to withdraw as it is to give.

How GDPR Affects Marketing


Many businesses are scrambling to prepare and implement effective marketing strategies that comply with the GDPR. In our internet-connected age, most of them require digital marketing efforts while also needing to maintain identity, privacy, and reputation protection. Therefore, many companies have already begun to prepare their plans to ensure they comply.

Marketing significantly involves data collection. Without data gathering and collection practices, marketers can’t do much work achieving advertising goals. 

For marketing strategies to work in compliance with the GDPR, organizations need to follow the following six elements for data processing:

  1. Rights of Individuals
  2. Right to be Informed
  3. Right to Erasure (“Right to be Forgotten”)
  4. Data Protection Officer (DPO)
  5. Obligations on data processors
  6. Data Protection Impact Assessment

In all cases, you need to seek consent for all data you collect from audiences or individuals, or find another legal basis for processing, and provide the necessary information on how you intend to use such data for your marketing purposes. Unsolicited data collection and communications are strictly against the GDPR in the marketing landscape, unless you can show that you fall within an exception.

Learn more about the General Data Protection Regulation (GDPR) applications for your business marketing approaches. Metaverse Law focuses exclusively on privacy, data protection, and cybersecurity law with practical solutions for today’s online businesses, including GDPR compliance. Visit us here to inquire about our services!


EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses

Image Credit: GregMontani from Pixabay.

Update: On June 4, 2021, the European Commission formally adopted the new standard contractual clauses (“SCCs”) for international personal data transfers. Businesses will have a grace period of 18 months from the effective date of the European Commission’s decision to update all existing SCCs for transfers outside the European Union with the new SCCs.

In the meantime, businesses will be allowed to keep using the old SCCs for “new” data transfers over a transition period of three months from the effective date of the European Commission’s decision — giving organizations the chance to make any changes necessary for compliance with the new SCCs before incorporating them into their contracts. Such contracts, however, will also need to be updated within the 18-month-grace period.

On November 12, 2020, roughly four months after the European Court of Justice’s “Schrems II” decision which invalidated the EU-US Privacy Shield, the EU Commission released a draft set of new Standard Contractual Clauses (“SCCs” or “model clauses”).

These updated SCCs allow transfers of personal data from the EU to third countries, as well as transfers by controllers when engaging processors located inside the EU. (For a further analysis of the Schrems II judgment, and the motivation for these new clauses, see our prior blog post.)

Who can use the new SCCs?

The Commission’s draft, which includes the new SCCs in its Annex, covers two new types of international transfers and contains important updates in order to bring the text of the model clauses in line with the General Data Protection Regulation (“GDPR”).

The current SCCs, approved by the Commission in 2001 and 2010, only addressed two data flow scenarios:

  • An EU-based controller exporting data outside of the EU to other controllers (controller-controller SCCs)
  • An EU-based controller exporting data outside of the EU to processors (controller-processor SCCs).

In this new draft, the Commission addressed a gap which frequently occurred in practice: EU processors exporting data to controllers and processors outside of the EU. This addition further reflects the expanded territorial scope of the GDPR.
