Understanding GDPR: history, protection, and small businesses

The EU’s GDPR is explained in a complex, several-hundred-page document. It’s not likely you have the time to read all of it, but its contents are important for people living in the EU.

GDPR affects how you operate as a small-business owner, as well as any organization worldwide trading products or services with people in the EU. There are regional specificities for each EU state, meaning it is critical to understand how GDPR works in your particular country.

In this blog, we’ll break down the most important points contained in the long GDPR document. We’ll go over what it is, the history, and the recent essential changes you need to know about.

GDPR stands for General Data Protection Regulation and is currently the strictest privacy and security law on earth.

By putting restrictions on organizations anywhere in the world that collect or use data on people in the EU, the GDPR aims to protect citizens against those who violate its privacy and security standards.

As more businesses and people conduct personal and professional activities online, these regulations become increasingly crucial, and must be tightened and reformed with each passing year. This is a challenging prospect for those responsible for upholding GDPR, but it remains of utmost importance to their mission.

Understanding GDPR is all about understanding the right to privacy. Getting a full grasp on it means going back to 1950, when the European Convention on Human Rights stated: “Everyone has the right to respect for his private and family life, his home and his correspondence”. On this basis, the EU has sought to protect its citizens' right to privacy.

The progression of technology meant that the EU needed to update its regulations. Here’s a brief timeline of the dates on which GDPR was forced to progress to its current state.

1950: The European Convention on Human Rights establishes that everyone has a right to privacy for themselves and their families.

1995: After the first banner ad appears online in 1994, the EU passes the European Data Protection Directive. This establishes minimal data privacy and security standards, with each member state allowed to set its own rules.

2000: Major financial institutions begin offering online banking, making protection of financial data a crucial consideration.

2006: Facebook opens to the public, resulting in the proliferation of sensitive, online personal information of a large chunk of people around the world.

2011: The United States vs. Google LLC sees the first instance of a data breach against a major online company. Following this, the body responsible for data protection in the EU demands a more comprehensive approach to personal data protection. This results in work beginning on an update to the 1995 directive.

2016: GDPR is passed by the European Parliament.

2018: From May 25, all organizations are expected to be compliant with GDPR laws.

Violating GDPR laws can be very costly. Fines apply to business sizes ranging from micro-enterprises to multinational corporations, with amounts scaled to match the revenue of the business and severity of the violations.

GDPR splits infringements into two tiers:

Less severe infringements

These are infringements of the articles governing data controllers and data processors, accredited bodies responsible for certifications, and monitoring bodies responsible for handling complaints and reported infringements.

Relevant articles: 8, 11, 25-39, 42, and 43 (for controllers and processors); 42 and 43 (for certification bodies); and 41 (for monitoring bodies).

Fines for less severe infringements can reach €10 million, or 2% of the firm’s worldwide annual revenue from the previous year. The fine will be set at whichever amount is higher.

More serious infringements

These infringements are the ones that violate the principles at the core of GDPR. They include basic processing principles, conditions for consent, rights of data subjects, and data transfers to international organizations or developing countries.

Relevant articles: 5, 6, and 9 (for processing principles); 7 (for consent); 12–22 (for the rights of data subjects); and 44–49 (for international transfers).

These fines can total €20 million, or 4% of the firm’s worldwide revenue, again depending on whichever amount is higher.

Anyone who handles people's data and private information must adhere to seven protection and accountability principles. Let’s go through each one, so you can understand how you’re protected, and what is expected of you if you run a small business.

1. Lawfulness, fairness, and transparency

Data should be treated according to the law, fair to the subject, and the purposes must be transparently available.

2. Purpose limitation

The data should be collected for a specific purpose, rather than vague and general. Any data collected by an organization outside the specified purposes is in violation of this principle.

3. Data minimization

Only as much data as needed must be collected. Any that exceeds that amount must meet the consent of the subject and its purposes be explicitly stated.

4. Accuracy

Accurate to the subject and up to date. Organizations must do all they can to ensure the data they hold is current.

5. Storage limitation

If the data is kept for longer than its intended purpose, it must be solely for archival purposes such as public interest, scientific or historical research purposes, or statistical purposes.

6. Integrity and confidentiality

The data must be kept safe and confidential. This is often done by encrypting the data collected.

7. Accountability

Organizations must be readily able to prove they are compliant with the above principles, and accountable for any failures to comply.

Germany upholds some of the strictest data protection laws among all EU states, particularly in the form of high fines for data and privacy breaches. In 2022, clothing company H&M incurred a fine of over €35 million for illegal surveillance of employees at the Nuremberg office in Germany.

GDPR compliance is of particular importance to SMEs in and outside the EU. Because GDPR laws for data protection apply to businesses and companies of all sizes, there really isn’t any difference between how corporations and SMEs should comply with the legislation.

That being said, since small-business owners may be starting out or experiencing large growth for the first time, they may be less experienced at navigating the strict data protection laws imposed by the EU.

Below are a few tips for small businesses to make sure they stay GDPR-compliant when starting out or experiencing a large, sudden growth in their customer base.

Performing a data audit may not be necessary, but it’s a good way to keep abreast of the condition and state of the data you hold. During a data audit, ask yourself these questions:

• Where is my data stored?
• What kinds of personal data am I processing?
• What is the legal basis for processing this data?
• Who currently has access to the data I am processing or storing?
• How long am I retaining this data?
• Are all the appropriate organizational processes in place for sorting this data?

Answering these questions will help you move forward compliantly as a business owner. You will need a plan for managing your data, and an audit on the existing personal data you have will be the best way to do this.

You likely depend on software and service providers to help manage the data you are storing. While these may be reliable and trustworthy, do a review of the current ones you're using and make sure they are up-to-date, compliant with any recent changes to GDPR, and appropriate for your current or projected customer base.

The main thing you want from your service providers is proof that they are compliant with GDPR.

Data processors and data controllers adhere to different principles of GDPR. It’s important that you understand which category your business fits into, so that you can ensure full GDPR compliance.

Data controllers determine the purpose and means of processing personal data, thereby ensuring it is being used appropriately and compliantly. Data processors perform operations on the data itself, which could refer to collection, structuring, storage, use, or disclosure.