GDPR tips for small business is the key topic of this article.

“If your company is ready for GDPR (General Data Protection Regulation), please raise your hand,” the chairman asked the participants of the GDPR congress organized by Heliview. Guess how many people raised their hands? Right, no one. The audience was full of representatives of large international businesses and public organizations, like ministries and such. Practically everyone has been talking about GDPR for the last few months, and it seems that most large companies are very concerned about this new privacy regulation, which comes into force on May 25th, 2018.

But what if you own a small business with a couple of employees? Or what if you are a solopreneur, a blogger, or a freelancer with a small email list? Do you need to comply with GDPR? The answer is YES.

In the past few months, I have investigated GDPR in-depth, mainly in the context of data management. Also, my focus lies on large organizations, as I work in a large bank. I even wrote an e-book on a strategy to help a business comply with GDPR. But believe it or not, I realized I also needed to do something about my small (freelance consulting) business only a few days ago. I have a few opt-in forms on my website and an email list of a few hundred people. My Privacy Policy was written quite a while ago and needed severe revision.

In this blog, I have summed up the top 5 GDPR tips for small businesses based on what I did myself in the context of my own business. Whether you are a blogger, run an online webshop, or own another kind of small business, keep reading and get into action!

1. Think about what kind of personal data you have and where it is stored.

When we talk about personal data, we mean data that identifies a natural person, such as you and me. Think of your customers, clients, and subscribers: their names, addresses, email addresses, and contracts in which names and addresses are mentioned. Photos of faces are also personal data, as are comments left on your blog. In general, all data that could lead to identifying a person is subject to GDPR requirements.

You should also think about where this data is located. You probably use hosting services for your website or some cloud applications (email marketing software, such as Mailchimp) for gathering and keeping your client information. Excel sheets with your clients’ names and addresses should also be considered, even if you have only saved them as a draft on your personal laptop.

As soon as you know precisely what data you have and where it is located, it is time to take the next step and update your privacy policy.

2. Update your privacy policy.

It doesn’t matter whether you already have a privacy policy or not. You should either update the existing one or create a new one. Suppose you collect leads (possibly by offering free content), send out marketing emails or newsletters, or have contact forms that require filling in personal data. In that case, you can search for some standard policies online. Various websites offer free policies; some need you to answer a few questions first to set up a policy that fits your activities.

For my website, I used a combination of several sources for my privacy policy. I would recommend you check out the following websites:

It provides a list of the 12 best sites where you can download standard policies. Not all of them are free of charge. Some of them, like Shopify, for example, focus on specific industries or countries.

It is a German website, but don’t worry; their policies are in English. I used the template provided on this site as the base, as, in my opinion, it is the most complete and elaborate version. The template covers many of the typical situations in which you obtain personal data from your contacts.

When updating your policy, the following aspects are critical, so pay some special attention to them:

  • Which data are you collecting, and in which situations;
  • What are the purposes of the use of the collected data;
  • How do you satisfy the rights of data subjects (as defined in GDPR)?

One last tip: look up the privacy policies of large corporations in your industry, or of businesses similar to yours, and check whether you have missed any points.

3. Sign a data processing agreement with your website host and other parties that access your data.

It is important to know in which part of the world your host keeps their servers and, consequently, your contacts’ personal data. You will need to sign the data processing agreement with them. Also, don’t forget about other cloud services that might be storing your clients’ data.

According to GDPR, if you collect the information, you play the role of Controller. You delegate the responsibility to the Processor, in our case your website host, to process the data on your behalf. Be aware that in case of a data leak, you are still accountable. You need to sign the data processing agreement with your Internet services provider.

I was pleasantly surprised by multiple emails from Mailchimp – my email marketing service, which collects and stores my email lists.

When all the preparatory paperwork is done, you still need to consider your existing contacts.

4. Send a request for consent to your existing contacts.

According to GDPR, after May 25th, you are only allowed to keep the personal information of people who have given you explicit written consent for keeping and using this information. The way to ensure you have received this consent is to write an email in which you request your contacts to (once again) allow you to use their data after May 25th. Do not worry; they do not have to sign a contract or anything like that; checking the box on a contact form is already considered written consent. Keep in mind that you should download the list of the ‘checked boxes’ as proof.

Now, the preparations are done, but what will you do on May 25th and the days after?

5. Clean up your database with personal data and update your site

Officially, if your contacts haven’t given you explicit consent to keep their personal data, you need to delete their data on May 25th. It’s up to you, but I would strongly advise you to send some info or newsletters to people that haven’t given you their consent yet. The more people you can ‘keep,’ the better, right? It is definitely worth a few extra emails!
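Steps 4 and 5 together describe a small data-handling routine: keep only contacts with consent on record, keep the consent list as proof, chase the rest before the deadline, and delete whoever has still not consented on May 25th. The script below is an added example (not code from the original post or from any email-marketing tool) showing how that routine can be run over an exported contact list. It assumes a constructed CSV export with the columns `email`, `name`, `consent_given_at` and `consent_source`; the names and addresses in it are made up.

```python
"""Consent-based contact retention (added example; not part of the original post).

Assumed input (constructed): a CSV export from an email-marketing tool with the
columns email,name,consent_given_at,consent_source. An empty consent_given_at
means no explicit consent is on record for that contact.
"""
import csv
import hashlib
import io
import json
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Date from the post: from here on, only contacts with explicit consent may be kept.
GDPR_EFFECTIVE = date(2018, 5, 25)


@dataclass(frozen=True)
class Contact:
    email: str
    name: str
    consent_given_at: Optional[datetime]  # None = no explicit consent recorded
    consent_source: str                   # where consent was captured (form, re-consent email)


# Constructed sample export; these are not real people.
SAMPLE_CSV = """email,name,consent_given_at,consent_source
alice@example.com,Alice,2018-05-10T09:15:00+00:00,reconsent-email
bob@example.com,Bob,,
carol@example.com,Carol,2017-11-02T18:40:00+00:00,website-opt-in
"""


def load_contacts(csv_text: str) -> List[Contact]:
    """Parse the export; normalise emails so duplicates differing in case collapse."""
    contacts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["consent_given_at"].strip()
        given = datetime.fromisoformat(raw) if raw else None
        contacts.append(Contact(row["email"].strip().lower(), row["name"].strip(),
                                given, row["consent_source"].strip()))
    return contacts


def triage(contacts: List[Contact], as_of: date) -> Tuple[List[Contact], List[Contact], List[Contact]]:
    """Split contacts into (keep, pending, delete) as of a given day.

    keep:    explicit consent is recorded
    pending: no consent yet, but the deadline has not passed -> send a re-consent request (step 4)
    delete:  no consent and as_of is on or after GDPR_EFFECTIVE -> remove the record (step 5)
    """
    keep, pending, delete = [], [], []
    for c in contacts:
        if c.consent_given_at is not None:
            keep.append(c)
        elif as_of < GDPR_EFFECTIVE:
            pending.append(c)
        else:
            delete.append(c)
    return keep, pending, delete


def consent_proof(kept: List[Contact]) -> str:
    """Serialise the consent records deterministically and append a SHA-256 digest,
    so the exported 'checked boxes' list can later be shown to be unaltered."""
    records = [{"email": c.email,
                "consent_given_at": c.consent_given_at.isoformat(),
                "source": c.consent_source}
               for c in sorted(kept, key=lambda c: c.email)]
    body = json.dumps(records, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return json.dumps({"records": records, "sha256": digest}, sort_keys=True)


def verify_proof(proof_json: str) -> bool:
    """Recompute the digest over the records and compare it with the stored one."""
    doc = json.loads(proof_json)
    body = json.dumps(doc["records"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest() == doc["sha256"]


if __name__ == "__main__":
    contacts = load_contacts(SAMPLE_CSV)
    for day in (date(2018, 5, 20), GDPR_EFFECTIVE):
        keep, pending, delete = triage(contacts, day)
        print(day, "keep:", [c.email for c in keep],
              "pending:", [c.email for c in pending],
              "delete:", [c.email for c in delete])
    proof = consent_proof(keep)
    print("proof intact:", verify_proof(proof))
```

Run before May 25th, the `pending` bucket is the list of people who should get the re-consent email; run on or after that date, the same people land in `delete`. The proof file is deliberately produced in a canonical form with a digest attached, so that if anyone later questions whether a given address really consented, the exported list can be checked for tampering before it is relied on.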

After May 25th, you should also check your website’s functionality. You have to be sure that all the new users will be able to give consent every time they share their personal data in the future. It means double-checking all contact forms, opt-in forms, and pages where people have to enter their email to get free content. Also, do not forget to put a link to your brand-new privacy policy somewhere on your website (a footer is a great place for that)!

I hope that after reading this, GDPR has become a bit less scary and that you now have a good idea about what you still have to do in the following couple of days! Good luck!

Oh, and if you want to read more on GDPR and how large businesses prepare for it, make sure to download my FREE e-book, GDPR meets Data Management.

For more insights, visit the Data Crossroads Academy site: //