The document discusses why GDPR compliance is important for small businesses. It explains that GDPR applies to any organization that processes personal data of EU citizens, regardless of size or location. GDPR aims to give citizens control over their personal data and prevent misuse. For small businesses, GDPR compliance means appointing a data protection officer, reporting data breaches within 72 hours, and giving individuals rights over their data. Non-compliance can result in fines of up to 20 million euros. While small businesses have some exemptions, following GDPR principles is recommended to build customer trust.

1. Why Is GDPR Essential
For Small Businesses?
© VISTA InfoSec ®
Having said that, here is a look at GDPR’s most important principles and their implica ons on your small-
scale business. This informa on will give you clarity on whether your business is exempted or not and its
inferences.
With the EU’s General Data Protec on Regula on now in place, UK is witnessing stringent regula ons
with tougher fines implemented, across all industries. GDPR is a compliance regula on that came into
effect on the 25 May 2018. Therea er within 6-8months down the meline, only 30% of the EU based
business became GDPR compliant. Despite being aware of the law and its implica ons, majority of the
business s ll remains to be non-compliant. While most might think GDPR doesn’t apply to them if they
are a small firm or a US-based firm, this isn’t necessarily the case. If people located in the EU can access
yourwebsite,GDPRappliestoyou,irrespec veofyourcompanysizeorloca on.
What is GDPR?
It is important for business owners to bear in mind that, GDPR applies to any business established in the
EU and may also be applicable to companies based outside of the EU who process personal data of EU
ci zensinanyway.
Ÿ Unifyregula onthatstandsacrosstheEuropeanUnion.
Ÿ Protectanindividual’sprivacy.
The European General Data Protec on Regula on (GDPR) is a compliance regula on and a data
protec onlawbuiltto–
Ÿ Givetheci zensandresidentsmorecontrolovertheirpersonaldata.
Ÿ Preventmisuseofpersonaldata.
Understanding GDPR Compliance
Ÿ Businesses who are involved in ‘regular or systema c’ processing of personal data, or involved in
processinglargevolumesof‘specialcategorydata’mustabidetotheGDPRCompliance.
Ÿ GDPR Compliance is applicable to any business that processes personal data of EU ci zens, including
those companies having less than 250 employees and those companies who are based outside of the
EU,whoprocesspersonaldataofEUci zensinanyway.
Ÿ BusinessesorcompanyownerswhofallunderthiscategoryareexpectedtoappointaDataProtec on
Officer (DPO) who shall ensure the company complies to the rules and regula ons as stated under
GDPR.

2. © VISTA InfoSec ®
Ÿ In case of a breach of confiden al data, the incident must be reported to the regulator (Informa on
Commissioner’sOffice)within24hoursoratleastwithin72hourswithareportincludinginforma on
regardingwhatledtothebreach,howitisbeingcontainedandtheirnextplanofac on
Ÿ As per the GDPR regula on, an individual has all the right to know how businesses use their data. The
individual also holds the ‘right to be forgo en’ if they no longer want the company to process their
personaldataandthecompanywillinthisregardhavenolegalgroundstokeepthedata.
Ÿ Failure to comply with the GDPR regula on will result in levying of harsh penal es. The penal es
leviedcouldbeupto€20million,orfourpercentofannualturnover,whicheverishigher
What constitutes a Special Category Data
under Article 9?
“SpecialCategoryData”coveredintheAr cle9ofGDPRincludesanyPersonalDatarela ngto-
As per the GDPR regula on “Special Category Data” is a personal data that is more sensi ve and could
put an individual at risk of unlawful discrimina on if misused or disclosed without authoriza on. When
processing the Special Category Data, businesses require to abide to the explicit legal rules in terms of
obtaining explicit consent from the subject. Explicit consent may be through a signed form with a higher
standardofconsent.
Ÿ Race
Ÿ Ethnicorigin
Ÿ Religion,
Ÿ Tradeunionmembership,
Ÿ Gene cs,
Ÿ Biometrics(whereusedforIDpurposes),
Ÿ Health,
Ÿ Sexualorienta on.
Ÿ Poli calaffilia on,
Data rela ng to criminal offense also comes under the Special Category Data, wherein businesses can
only keep a “comprehensive register of criminal convic ons” if they have legi mate grounds for the
sameandhaveGDPRcompliantprotec onsinplace.
Penalties for Non-Compliance for GDPR
Ÿ It has been clearly stated that non-compliance with GDPR will cost businesses a fine of up to €20
million or 4% of their global turnover, whichever is higher. However, these fines will only be applied in
extreme circumstances. Although EU authori es will be able to impose fines on a discre onary basis,
they can use other “correc ve powers and sanc ons” to encourage businesses to enhance GDPR
compliance.
Ÿ The Other “correc ve powers and sanc ons” include issuing a warning, imposing a ban on data
processing, ordering the rec fica on or dele on of data, and suspending data transfers to non-EU
countries.

3. Is GDPR regulation applicable to small business
and sole traders
© VISTA InfoSec ®
Ÿ Any non-compliant ac on or lack of ac on can result in a penalty. For this very reason, small
businesses need to be aware of the GDPR requirements, especially focusing on the “Special Category
Data”coveredinAr cle9ofGDPR.
Ÿ Stringent penal es will be imposed in case the company fails to comply with data collec on rules for
children, processing or sharing data without obtaining consent, and for maintaining data longer than
itslegalpurpose.
Ÿ Doesnotaffectanindividuals’rightandfreedom.
Ÿ DatadoesnotfallundertheGDPRAr cle9.
To set the record straight and clear, GDPR applies to any or every business that deals with collec on, or
processingofpersonaldataofpeoplefromtheEU.Thisholdstruewhetheryouareaone-manopera on
business or a business having offices across con nents. Having said that, one may not have to keep a
wri en record of their data processing ac vi es if they have less than 250 employees, and unless their
dataprocessingac vi es
Ÿ ThepersonaldatadoesnotfallundertheAr cle10rela ngtocriminaloffencesandconvic ons.
Ÿ Thepersonaldataprocessingac vi esareconductedonaregularbasis.
But by all means it is good to keep the records clear, even if one thinks they are exempt. A erall, it is
be ertobesafethansorry.
Implications of GDPR on small businesses
Ÿ It is important to note that if a company falls under one of the exemp ons, but deals with a larger
company that conducts large-scale processing, then in that case, you may be subject to the stringent
GDPR’sRegula on.
Ÿ A er all, it is much easier to follow the GDPR Regula on, than spend me figuring out how you can
avoidComplyingtothestandards.
Ÿ That apart, you would s ll want to ensure that your business is Compliant to the GDPR principles, for
yourbusinessfallsundertheGDPRCompliancecategoryforregularprocessingofpersonaldata.
Ÿ Being a small business does not mean you are exempted from the GDPR Compliance. However, such
businesses shall be recognized as businesses having fewer resources and pose less risk to data
protec on. In that case the business may see some leniency by the ICO in rela on to penalty in non-
compliance.
Our expert view on GDPR Regulation on small
businesses
It is very important for businesses to understand the spirit of GDPR. The legisla on came into existence,
having seen the way how personal data were misused. Most o en companies treated personal data as a
resource they could use without due regards to the rights of individual. Further, keeping aside the law,
responsible data handling is a good business prac ces. As a business owner, you are responsible for your
customersprivacyandanykindofdatabreachcouldpossiblycrushyourcustomerstrustonyou.

4. Summary
Do write to us your feedback, comments and queries or, if you have any requirements:
info@vistainfosec.com
You can reach us on:
USA
+1-415-513 5261
INDIA
+91 73045 57744
SINGAPORE
+65-3129-0397
© VISTA InfoSec ®
As an experienced professional of the industry, I believe GDPR shouldn’t be seen as a burden, but rather
be seen as adding value to your business. By proving your poten al and exis ng customers an assurance
that your organisa on is compliant with new law, you could win them into bringing in more business.
A er all, no one likes their data being lost, stolen, misused, or shared without proper consent. By being
compliant and doing everything you can to protect your customers personal details, can help build a
sense of trust which is also good for your business. I see it as a value addi on to your business wherein
the company is making an effort to protect client’s data and respects personal data, rather than le ng it
beusedwithoutanyconsent.
There are no two ways about it when it comes to the GDPR compliance for small businesses. While it
affectseverycompanyintheworld,beitsmall,mediumorlarge-scalecompanies,theGDPRregula onis
definitely seen as a posi ve step towards data protec on. GDPR compliance has a posi ve impact on
small businesses. Businesses have now taken their customers’ privacy more seriously. With this in place,
businesses have seen more loyalty and increased trust from consumers. So, clearly, GDPR is now seen
more than just as a bunch of rules to be followed to avoid penal es. By taking necessary measures to
achieve GDPR Compliance, one can definitely posi on their business as one that truly cares for their
customersandtheirprivatedata.
facebook.com/vistainfosec/ in.linkedin.com/company/vistainfosec twitter.com/VISTAINFOSEC