The General Data Protection Regulation (GDPR) applies from 25 May 2018, and you need to be prepared before then: a business that is not can face large fines. This is our summary for small businesses.

What is GDPR?

GDPR was created to give individuals more control over their personal data and to protect their identity. It also replaces differing national rules with one set that applies across the whole EU.

For a small business, the individual rights under GDPR that matter most are:

  1. The right to access any data that you hold about them,
  2. The right to be forgotten, i.e. to be deleted from your records,
  3. The right to give (and withdraw) explicit consent.

For some businesses it is a bit of a game changer and there are still many grey areas.

What does GDPR mean for a small business?

When GDPR takes effect you will need a firm understanding of what data you have, why you have it, where it comes from, what you do with it and how you keep it safe. Failing to keep personal data safe can mean fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. You will need to show that you are organised, have a sound process and keep a clear trail. GDPR requires you to show that each piece of data you ask for is necessary for a stated purpose, such as delivering your service or improving your customers' experience. You will need to audit your current data collection and storage, and update your policies. As a data controller (and/or data processor) you must be able to answer the following:

  1. What groups of individuals do you store data for (employee, supplier, customer, marketing etc.)?
  2. Exactly what data is being stored? Be as detailed as possible and list each data field along with the reason for storing it.
  3. Do you have actual explicit consent to hold this data, including exactly how and when it was provided (and could you prove it)?
  4. Where are you storing data (paper, website, marketing software, accounting packages, CRM etc.)?
  5. Who has access to your data?
  6. Are your data storage providers and data users compliant? Find out how your third parties are complying with GDPR and whether they might inadvertently have access to your data.
  7. Is your data safe? What security and privacy provisions do you have in place? Your employees, extended team and third parties will all need to follow your privacy policy.
  8. Are you keeping data up to date, and are you removing data that you no longer require?
  9. Would you be able to provide an individual with a record of all of their data?

You should be able to document all of this clearly in a GDPR data audit.

You’ll need to look at all of your contracts, web forms, sign-ups and terms (for all data groups) and check that you have gained explicit consent: nothing hidden or implied, and no pre-ticked boxes. If challenged at any time you will need to be able to produce evidence of that consent, including the date it was given and what the person was told.

Individuals giving consent must be told exactly what data is being stored, where it is being stored and how to have their data amended or deleted. You do not need an automated system, but you do need to have worked out how you will handle such requests and to tell individuals what they need to do. Realistically this can be covered in contracts, terms, sign-ups and your privacy policy.

What does this mean for a small business website?

Making your website compliant is, for most small businesses, technically not very difficult, but you may need a developer to help with the implementation and should take legal advice about your contracts and how you communicate compliance. This is our checklist:

  1. Are you keeping your website safe and secure? If you store, capture or process any personal information on your website you will need to show due diligence in keeping it free from malicious content and users. For many small businesses this will mean signing up to a website security package that checks for hacks and malicious users. This is not usually something your hosting company provides, and many small business owners do not realise that they are not covered. Make sure you can prove that you are maintaining your website, especially if you use WordPress or another open-source platform: core, theme and plugin updates need to be applied regularly (weekly/monthly).
  2. Do all of the sign-up forms on your website capture explicit consent, with a very clear link to your privacy/GDPR policy?
  3. Can you capture less information, or provide a contact method, for those who do not want to give consent?
  4. Is your privacy/GDPR policy easy to find, easy to understand, and does it cover all of the points in this article?
  5. Does your website store any data? If so, is it safe? Is it backed up, and if so, is the backup itself protected?
  6. Which third parties integrate with your website (analytics, tracking, developers, freelancers, third-party software, hosting companies etc.)? Are they compliant, and can you prove it?
  7. If your website is a membership site, application or service that relies on storing and processing user data, you will need to ensure that you comply with GDPR and that your terms of use cover all of the points outlined above.
  8. If you use third parties like Mailchimp, take some time to understand any changes they have made that affect the way your website users sign up. For example, has the opt-in process changed in any way?
  9. Finally, it might be a good idea to email your entire marketing database and ask them to re-opt in to a new list which you have created to be GDPR compliant.
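As an added illustration (not code from the original article), the following Python sketch shows one way a developer could implement the consent, access and deletion points above on the server side: a sign-up handler that stores nothing unless an explicit, affirmative consent value was submitted, records when and under which policy version consent was given, keeps only the fields that have a documented reason, and serves the access and erasure rights. The field list, policy version, in-memory storage and salted IP hash are assumptions made for the example; a real site would keep the ledger in its database.

```python
"""Consent ledger: evidenced consent, data minimisation, access and erasure.
Added illustration, not code from the article. In-memory storage, the field
list and the policy version are assumptions made for the example."""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Assumption: the data audit gave every stored field a written reason.
ALLOWED_FIELDS = {
    "email": "needed to deliver the newsletter",
    "name": "used to address the subscriber",
}
POLICY_VERSION = "privacy-2018-05"  # assumption: the policy text is versioned


@dataclass
class ConsentRecord:
    purpose: str         # one record per purpose, never a blanket "I agree"
    granted: bool        # False for a withdrawal
    at: str              # ISO-8601 UTC timestamp: the evidence of *when*
    source: str          # which form or page collected it
    policy_version: str  # which policy text the person was shown
    ip_hash: str         # salted hash, so the evidence holds no raw IP address


@dataclass
class Subject:
    email: str
    data: dict
    consents: list = field(default_factory=list)


class ConsentLedger:
    def __init__(self, ip_salt: bytes):
        self._subjects = {}
        self._ip_salt = ip_salt

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def _hash_ip(self, ip):
        return hashlib.sha256(self._ip_salt + ip.encode()).hexdigest()

    def record_signup(self, form, source, client_ip):
        """Store a sign-up only with explicit, affirmative consent.

        An unticked HTML checkbox is absent from the POST body, so a missing
        field means no consent; only the literal value "yes" counts.  The form
        itself must not pre-tick the box, which cannot be checked here.
        """
        if form.get("consent_newsletter") != "yes":
            raise PermissionError("no explicit consent: nothing stored")
        email = form["email"].strip().lower()
        # Data minimisation: keep only fields that have a documented reason.
        data = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
        data["email"] = email
        subject = self._subjects.setdefault(email, Subject(email, {}))
        subject.data.update(data)
        subject.consents.append(ConsentRecord(
            "newsletter", True, self._now(), source,
            POLICY_VERSION, self._hash_ip(client_ip)))
        return subject

    def withdraw(self, email, purpose, source, client_ip):
        """Withdrawal is appended as a new event; the original consent record
        stays as evidence of what was agreed and when."""
        subject = self._subjects[email.strip().lower()]
        subject.consents.append(ConsentRecord(
            purpose, False, self._now(), source,
            POLICY_VERSION, self._hash_ip(client_ip)))

    def has_consent(self, email, purpose):
        """The latest event for the purpose decides; no record means no consent."""
        subject = self._subjects.get(email.strip().lower())
        if subject is None:
            return False
        events = [c for c in subject.consents if c.purpose == purpose]
        return bool(events) and events[-1].granted

    def subject_access(self, email):
        """Right of access: everything held about the person, with the reason
        for each field and the full consent history, as JSON."""
        subject = self._subjects[email.strip().lower()]
        report = {
            "data": {k: {"value": v, "reason": ALLOWED_FIELDS[k]}
                     for k, v in subject.data.items()},
            "consents": [asdict(c) for c in subject.consents],
        }
        return json.dumps(report, indent=2)

    def erase(self, email):
        """Right to be forgotten: delete the record and return a receipt that
        shows action was taken without itself holding personal data."""
        email = email.strip().lower()
        del self._subjects[email]
        return {"erased": hashlib.sha256(email.encode()).hexdigest(),
                "at": self._now()}


if __name__ == "__main__":
    # Constructed sample input: one sign-up form submission.
    ledger = ConsentLedger(ip_salt=b"rotate-me")
    form = {"email": "Ann@Example.com", "name": "Ann", "phone": "0123",
            "consent_newsletter": "yes"}
    ledger.record_signup(form, source="/signup", client_ip="203.0.113.7")
    print(ledger.subject_access("ann@example.com"))
    print(ledger.erase("ann@example.com"))
```

Two design choices are worth noting. Withdrawal is recorded as a new event rather than by deleting the original consent, so you can still show what the person agreed to and when, while `has_consent` only honours the latest event. And the erasure receipt contains a hash of the address rather than the address, so the proof that you acted on a deletion request does not itself re-create the data you were asked to delete.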

GDPR is a legal requirement, I am not a legal expert and all of the information above is provided as a helpful checklist.
