GDPR Compliance Tips for Small and Medium-Sized Businesses, 0218 COBJ, Vol. 47, No. 2 Pg. 12


47 Colo.Law. 12


The Colorado Lawyer

February, 2018



In the fall of 2016, I was just digging in to start compliance efforts for the EU Privacy Shield when my general counsel pulled me aside. “You can stop working on Privacy Shield,” she said. “There’s something called GDPR coming, and it’s way bigger.” Thus began my odyssey with the European Union’s General Data Protection Regulation (GDPR). I am an in-house lawyer for a company that must comply with GDPR because we collect and process user information from around the world, including the European Union.

Effective May 25, 2018, GDPR tries to reverse the current business-centric structure of user privacy. Replacing the 1995 Data Protection Directive and the patchwork of national laws that implemented it with a single regulation that applies directly in every member state, GDPR covers entities that control or process personal data in the context of an establishment in the EU, and entities outside the EU that offer goods or services to people in the EU or monitor their behavior there.

While the large potential fines are scary and full compliance seems out of reach for many small and medium-sized businesses (not to mention their in-house counsel), the regulation itself becomes less scary when one understands its aims and prioritizes compliance efforts around high-risk areas. This article is neither a complete guide to GDPR nor legal advice; the intent is to cut through the panic around GDPR’s implementation and provide a useful mental model for compliance planning.

GDPR’s Philosophy

What ties GDPR’s requirements together is the simple proposition that users, not businesses, should control their personal information. But consider the friction GDPR introduces to the current harvesting and monetizing of user data. Clicking through a long, unreadable privacy policy used to pass muster, but now users may need to separately agree to some uses of their personally identifiable information (PII) by a business. GDPR greatly expands the definition of PII (the regulation’s own term is “personal data”) to include any unique identifier, including online identifiers such as IP addresses, cookie identifiers, and RFID tags, or any other information that, alone or combined with other information, could be used to identify or single out an individual. Generic privacy policy phrases like “we use third-party service...
