Web and BeyondCast


011 GDPR for Small Business

October 10, 2018

Welcome to Season 1, Episode 011, of Web and BeyondCast, "GDPR for Small Business."

(If you’re reading this in a podcast directory/app, please visit http://webandbeyondcast.com/011 for clickable links and the full show notes and transcript of this cast.)

According to Verizon’s 2018 Data Breach Investigations Report, “58% of malware attack victims are categorized as small businesses.” And, in the 2017 Cybercrime Report by Cybersecurity Ventures, they note that “cybercrime damages will cost the world $6 trillion annually by 2021.”

It’s with this general risk in mind that the European Union began updating its existing Data Protection Directive from 1995 and enacted the General Data Protection Regulation. Or, as some of you may know it by its acronym, GDPR. I’ll call it GDPR for the rest of this episode.

I’ve gotten many questions about this topic, so in today’s episode, I’m going to do a deep-dive into:

What is GDPR? Who Does GDPR Apply to?
What Are the Key Provisions of GDPR for Small Business?
What Actions Should You Take To Be and Stay GDPR-Compliant?

Disclaimer: None of this should be taken as legal advice. I’m trying to give an explanation of a highly complex, evolving extraterritorial law, and additional laws, and if you have specific questions about your situation and the laws that impact your business, you should seek licensed legal counsel in your jurisdiction.

In this Cast | GDPR for Small Business
Ray Sidney-Smith, Host
Show Notes | GDPR for Small Business
Resources we mention, including links to them, will be provided here. Please listen to the episode for context.

Key Terminology:

Subject - a living, natural person (so corporate/business entities, governments or anything other than a living human being don’t count under GDPR)

Personal Data - any data that can identify a subject directly or indirectly. Some common forms of Personal Data are a living person’s name, address, phone number, date of birth, and tax identification number, but it encompasses any data that fits this category. Anonymous data is not covered.

Personal Sensitive Data, or Sensitive Personal Data - a class of Personal Data that must receive a higher level of protection; it includes “data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.”

Data Controller - a person or entity “which...determines the purposes and means of the processing of personal data”

Data Processor - a person or entity which processes personal data on behalf of a Data Controller

Key Provisions:

Data Security versus Data Privacy - a chain-link fence versus a 10’ solid brick wall.

GDPR applies to customers and employees of your business.

* Right to Consent ...for the data you collect about your customers and employees. This includes access to that data.
* Right of Access ...to the data about you.
* Right to Portability ...