Understanding the GDPR: history, protection, and small businesses

The EU’s GDPR is explained in a complex, several hundred page document. It’s not likely you have the time to read all of it, but its contents are important for people living in EU countries like Germany.

The GDPR affects how you do business as a small business owner, as well as any organization worldwide dealing with people in the EU. There are regional specificities for each EU state, meaning it is important to understand how the GDPR works in your particular country.

In this  blog, we’ll break down the most important points contained in the GDPR’s long document. We’ll go over what it is, the history, and the recent important changes you need to know about.

GDPR stands for General Data Protection Regulation and is currently the strictest privacy and security law on earth.

By putting restrictions on organizations anywhere in the world that collect or use data on people in the EU, the GDPR aims to protect citizens against those who violate its privacy and security standards.

As more businesses and people conduct personal and professional activities online, these regulations become increasingly crucial, and must be tightened and reformed with each passing year. This is a challenging prospect for those responsible for upholding the GDPR, but it remains of utmost importance to their mission.

Understanding the GDPR means understanding the right to privacy. Getting a full grasp on it means going back to 1950, when the European Convention on Human Rights stated ‘Everyone has the right to respect for his private and family life, his home and his correspondence.’ On this basis, the EU has sought to protect citizens of their right to privacy.

The progression of technology meant that the EU needed to update its regulations. Here’s a brief timeline of the dates on which the GDPR was forced to progress to its current state.

1950: The European Convention on Human Rights establishes that everyone and their family has a right to privacy for themselves and their families.

1995: After the first banner ad appears online in 1994, the EU passes the European Data Protection Directive. This establishes minimal data privacy and security standards, with each member allowed to set its own rules.

2000: Major financial institutions begin offering online banking, making protection of financial data a crucial element.

2006: Facebook opens to the public, resulting in a proliferation of sensitive, online personal information of a large sector of the public worldwide.

2011: The United States vs Google LLC sees the first instance of a data breach against a major online company. Following this, the body responsible for data protection in the EU demands a more comprehensive approach to personal data protection. This results in work beginning on an update to the 1995 directive.

2016: The GDPR is passed by the European Parliament.

2018: After May 25 of this year, all organizations are expected to be compliant with GDPR laws.

Violating GDPR laws is very costly. Fines apply to business sizes ranging from micro-enterprises to multinational corporations, with amounts scaled to match the revenue of the business and seriousness of the violations.

The GDPR splits infringements into two tiers:

Less severe infringements

These infringements monitor data controllers and data processors, accredited bodies responsible for certifications, and monitoring bodies responsible for handling complaints and reported infringements.

Relevant articles: 8, 11, 25-39, 42, and 43 (for controllers and processors); 42 and 43 (for certification bodies); and 41 (for monitoring bodies)

Fines for less severe infringements go up to €20 million, or 4% of the firm’s worldwide annual revenue from the previous year. The fine will amount to whichever is higher.

More serious infringements

These infringements are the ones that violate the principles at the core of the GDPR. They include basic processing principles, conditions for consent, rights of data subjects, and data transfers to international organizations or third world countries.

Relevant articles: 5, 6, and 9 (for processing principles); 7 (for consent); 12 - 22 (for the rights of data subjects); and 44 - 49 (for international transfers)

These fines can total €4 million or 4% of the firm’s worldwide revenue. Again subject to whichever amount is higher.

Anyone who handles the data and private information of people must adhere to 7 protection and accountability principles. Let’s go through each one, so you can understand how you’re protected, and what is expected of you if you run a small business.

1. Lawfulness, fairness and transparency

According to the law, fair to the subject, and its purposes transparently available.

2. Purpose limitation

The data should be collected for a specific purpose, rather than vague and general. Any data collected by an organization outside of the specified purposes is in violation of this principle.

3. Data minimization

Only as much data as needed must be collected. Any that exceeds that amount must meet the consent of the subject and its purposes be explicitly stated.

4. Accuracy

Accurate to the subject and up to date. Organizations must do all they can to ensure the data of their subjects is current.

5. Storage limitation

If the data is kept for longer than its intended purpose, it must be solely for archival purposes such as public interest, scientific or historical research purposes, or statistical purposes.

6. Integrity and confidentiality

The data must be kept safe and confidential. This is often done by encrypting the data collected.

7. Accountability

Organizations must be readily able to prove they are compliant with the above principles, and accountable for any attempts failures to comply.

Germany imposes some of the strictest data protection laws among all the EU states, particularly in the form of high fines for data and privacy breaches. In 2022, clothing company H&M incurred a fine of over €35 million for illegal surveillance employees at the Nuremberg office in Germany.

GDPR compliance is of particular importance to SMEs in and outside of the EU. Because the GDPR’s laws for data protection apply to businesses and companies of all sizes, there really isn’t any difference between how corporations and SMEs should comply with GDPR laws.

That being said, since small business owners may be starting out or experiencing large growth for the first time, they may be less experienced at navigating the strict data protection laws imposed by the EU.

Below are a few tips for small businesses to make sure they stay GDPR compliant when starting out or experiencing a large, sudden growth in their customer base.

Performing a data audit may not be necessary, but it’s a good way to keep abreast of the condition and state of the data you hold. During a data audit, ask yourself these questions:

• Where is my data stored?
• What kinds of personal data am I processing?
• What is the legal basis for processing this data?
• Who currently has access to the data I am processing or storing?
• How long am I retaining this data?
• Are all the appropriate organizational processes in place for sorting this data?

Answering these questions will help you move forward compliantly as a business owner. You will need a plan for managing your data and an audit on the existing personal data you have will be the best way to do this.

You likely depend on software and service providers to help manage the data you are storing. While these may be reliable and trustworthy, do a review of the current ones you depend upon and make sure they are up to date, compliant with any recent changes to the GDPR, and appropriate for your current or projected customer base.

The main thing you want from your service providers is proof that they are compliant with the GDPR.

Data processors and data controllers adhere to different principles of the GDPR. It’s important that you understand which category your business fits into, so that you can ensure compliance with the GDPR.

Data controllers determine the purpose and means of processing personal data, thereby ensuring it is being used appropriately and compliantly. Data processors perform operations on the data itself, which could refer to collection, structuring, storage, use, or disclosure.