GDPR tips for small business is the key topic of this article.

“If your company is ready for GDPR (General Data Protection Regulation), please raise your hand,” the chairman asked the participants of the GDPR congress organized by Heliview. Guess how many people raised their hands? Right, no one. The audience was full of representatives of large international businesses and public organizations, like ministries and such. Only lazy people have not been talking about GDPR in recent months, and it seems like most large companies are very concerned about this new privacy regulation, which will come into force on the 25th of May 2018.

But what if you own a small business with a couple of employees? Or what if you are a solopreneur, a blogger, or a freelancer with a small e-mail list? Do you need to comply with GDPR? The answer is YES.

In the past few months, I have investigated GDPR in-depth, mostly in the context of data management. Also, my focus lay on large organizations, as I work in a large bank. I even wrote an e-book on a strategy that would help a business comply with GDPR. But believe it or not, I’ve realized that I also needed to do something about my own small (freelance consulting) business only a couple of days ago. I have a few opt-in forms on my website and an e-mail list of a few hundred people. My Privacy Policy was written quite a while ago and needed some serious revision.

In this blog, I have summed up the top 5 GDPR tips for small businesses based on what I did myself in the context of my own business. Whether you are a blogger, run an online webshop, or own a different small business, keep reading and get into action!

1. Think about what kind of personal data you have and where it is stored.

When we talk about personal data, we mean data that identifies a natural person, such as you and me. Think of your customers, clients, and subscribers: their names, addresses, e-mail addresses, and contracts where names and addresses are mentioned. Photos of faces are also personal data, as are comments that are left on your blog. In general, all data that could lead to identifying a person is subject to GDPR requirements.

It would help if you also thought about the location of this data. You are probably using hosting services for your website or using some cloud applications (e-mail marketing software, such as Mailchimp) for gathering and keeping your client information. Excel sheets with your clients’ names and addresses should also be considered, even if you have only saved them as a draft on your personal laptop.

As soon as you know exactly what data you have and where it is located, it is time to take the next step and update your privacy policy.

2. Update your privacy policy.

It doesn’t matter whether you already have a privacy policy or not. You should either update the existing one or create a new one. If you collect leads (possibly by offering free content), send out marketing emails or newsletters, or have contact forms that require filling in personal data, you can search for some standard policies on the Internet. Various websites offer free policies; some require you to answer a few questions first to set up a policy that fits your activities.

For my website, I used a combination of several sources for my privacy policy. I would definitely recommend you to check out the following websites:

It provides a list of the 12 best sites where you can download standard policies. Not all of them are free of charge. Some of them, like Shopify, for example, focus on specific industries or countries.

It is a German website, but don’t worry, their policies are in English. I used the template provided on this site as the base, as, in my opinion, this template was the most complete and elaborate version. The template considers a lot of different typical situations in which you get personal data from your contacts.

When updating your policy, the following aspects are critical, so pay some special attention to them:

  • Which data are you collecting and in which situations;
  • What are the purposes of the use of the collected data;
  • How you satisfy the rights of data subjects (as defined in GDPR).
My last tip is: look up the privacy policies of large corporations from your industry, or of companies that run a business similar to yours, and see if you have missed out on any points.

3. Sign a data processing agreement with your website host and other parties that access your data.

It is important to know in which part of the world your host keeps their servers and, consequently, your contacts’ personal data. You will need to sign the data processing agreement with them. Also, don’t forget about other cloud services that might be storing your clients’ data.

According to GDPR, if you collect the information, you play the role of Controller. You delegate the responsibility to the Processor, in our case your website host, to process the data on your behalf. Be aware that in case of a data leak, you will still be accountable for it. You need to sign the data processing agreement with your Internet services provider.

I was pleasantly surprised to receive multiple e-mails from Mailchimp, my e-mail marketing service, which collects and stores my e-mail lists.

When all of the preparatory paperwork is done, you still need to think about your existing contacts.

4. Send a request for consent to your existing contacts.

According to GDPR, after the 25th of May, you are only allowed to keep the personal information of people who have given you explicit written consent for keeping and using this information. The way to ensure you have received this consent is to write an e-mail in which you request your contacts to (once again) allow you to use their data after the 25th of May. Do not worry; they do not have to sign a contract or anything like that; checking the box on a contact form is already considered written consent. Keep in mind that you should download the list of the ‘checked boxes’ as proof.

Now, the preparations are done, but what will you do on the 25th of May and the days after?

5. Clean up your database with personal data and update your site

Officially, if your contacts haven’t given you explicit consent to keep their personal data, you need to delete their data on the 25th of May. It’s up to you, but I would strongly advise you to send some info or newsletters to people who haven’t given you their consent yet. The more people you can ‘keep,’ the better, right? It is definitely worth a few extra e-mails!

After May 25th, you should also check your website’s functionality. You have to be sure that all the new users will be able to give consent every time they share their personal data in the future. It means double-checking all contact forms, opt-in forms, and pages where people have to enter their e-mail to get free content. Also, do not forget to put a link to your brand new privacy policy somewhere on your website (a footer is a great place for that)!
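Steps 4 and 5 together come down to one bookkeeping task: keep a record of who ticked the box, when and where, export that record as proof, and from the cut-off date drop everyone for whom no such record exists. The script below is an added example, not code from the original post or from Mailchimp; the `Contact` field names, the sample contacts and the “re-consent e-mail” source label are all constructed assumptions. Only the 25 May 2018 date comes from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import csv
import io

# Cut-off date named in the post; everything else in this file is a constructed assumption.
GDPR_CUTOFF = datetime(2018, 5, 25, tzinfo=timezone.utc)
DAY_BEFORE_CUTOFF = GDPR_CUTOFF - timedelta(days=1)


@dataclass
class Contact:
    """One mailing-list entry. Hypothetical field names, not any tool's export format."""
    email: str
    name: str
    consented_at: Optional[datetime] = None  # when the consent box was ticked
    consent_source: str = ""                  # which form or e-mail the tick came from
    consent_text: str = ""                    # the exact wording the person agreed to


def has_valid_consent(c: Contact) -> bool:
    """A tick only counts as proof if we can say when, where and to what it was given."""
    return c.consented_at is not None and bool(c.consent_source) and bool(c.consent_text)


def split_by_consent(contacts: List[Contact]) -> Tuple[List[Contact], List[Contact]]:
    """Partition the list into contacts we may keep and contacts to delete."""
    keep = [c for c in contacts if has_valid_consent(c)]
    drop = [c for c in contacts if not has_valid_consent(c)]
    return keep, drop


def consent_proof_csv(contacts: List[Contact]) -> str:
    """The downloadable 'list of checked boxes' the post says to keep as proof."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["email", "consented_at_utc", "source", "consent_text"])
    for c in contacts:
        if has_valid_consent(c):
            writer.writerow([c.email, c.consented_at.isoformat(),
                             c.consent_source, c.consent_text])
    return buf.getvalue()


def cleanup(contacts: List[Contact], now: datetime) -> Tuple[List[Contact], List[Contact]]:
    """Before the cut-off nothing is deleted (you may still be asking for consent);
    from the cut-off onwards, contacts without a valid consent record are dropped."""
    if now < GDPR_CUTOFF:
        return list(contacts), []
    return split_by_consent(contacts)


# Constructed sample list: one complete record, one contact never asked,
# and one tick with no record of which form it came from or what was agreed.
SAMPLE_CONTACTS = [
    Contact("ana@example.com", "Ana", datetime(2018, 5, 20, 9, 30, tzinfo=timezone.utc),
            "re-consent e-mail, May 2018", "I agree to receive the monthly newsletter."),
    Contact("ben@example.com", "Ben"),
    Contact("cleo@example.com", "Cleo", datetime(2018, 5, 21, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    keep, drop = cleanup(SAMPLE_CONTACTS, GDPR_CUTOFF)
    print("keep:", [c.email for c in keep])
    print("delete:", [c.email for c in drop])
    print(consent_proof_csv(keep))
```

The point of `has_valid_consent` is that a bare boolean flag is not proof: if you cannot say when the box was ticked, on which form, and what text stood next to it, you cannot show consent later, so the script treats such a contact the same as one who was never asked.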

I hope that after reading this, GDPR has become a bit less scary and that you now have a good idea about what you still have to do in the following couple of days! Good luck!

Oh, and if you want to read more on GDPR and how large businesses prepare for it, make sure to download my FREE e-book GDPR meets Data Management.