‘If your company is ready for GDPR (General Data Protection Regulation), please raise your hand’: the chairman asked the participants of the GDPR congress organized by Heliview. Guess how many people raised their hands? Right, no one. The audience was full of representatives of large international businesses and public organizations, like ministries and such. Everyone has been talking about GDPR in recent months, and it seems that mostly large companies are very concerned about this new privacy regulation, which comes into force on the 25th of May 2018.
But what if you own a small business with a couple of employees? Or what if you are a solopreneur, a blogger, or a freelancer with a small e-mail list? Do you need to comply with GDPR? The answer is YES.
In this blog, I have summed up the top 5 GDPR tips for small businesses, based on what I did myself in the context of my own business. Whether you are a blogger, run an online webshop, or own another kind of small business, keep on reading and get into action!
1. Think about what kind of personal data you have and where it is stored.
When we talk about personal data, we mean data that identifies a natural person, such as you and me. Think of your customers, clients or subscribers: their names, addresses, e-mail addresses, and contracts in which names and addresses are mentioned. Photos of faces are also personal data, as are comments that are left on your blog. In general, all data that could lead to the identification of a person is subject to GDPR requirements.
You should also think about the location of this data. You are probably using hosting services for your website or using cloud applications (for example e-mail marketing software, such as Mailchimp) for gathering and keeping your client information. Excel sheets with names and addresses of your clients should also be taken into account, even if you have only saved one as a draft on your personal laptop.
As soon as you know exactly what data you have and where it is located, it is time to take the next step and update your privacy policy.
it provides a list of the 12 best sites where you can download standard policies. Not all of them are free of charge. Some of them, like Shopify for example, focus on specific industries or countries.
It is a German website, but don’t worry, their policies are in English. I used the template provided on this site as the base, as in my opinion it provided the most complete and elaborate version. The template covers many typical situations in which you receive personal data from your contacts.
When updating your policy, the following aspects are very important, so pay special attention to them:
- Which data you collect and in which situations;
- What the purposes are of using the collected data;
- How you satisfy the rights of data subjects (as defined in GDPR).
My last tip for this step is: look up the privacy policies of large corporations in your industry, or of businesses similar to yours, and check whether you have missed any points.
3. Sign a data processing agreement with your website host and other parties that access your data.
It is important to know in which part of the world your host keeps their servers, and consequently the personal data of your contacts. You will need to sign the data processing agreement with them. Also, don’t forget about other cloud services that might be storing your clients’ data.
According to GDPR, if you collect the information, you play the role of Controller. You delegate the responsibility to the Processor, in our case your website host, to process the data on your behalf. Be aware that in case of a data leak you will still be accountable. That is why it is important for you to sign a data processing agreement with your Internet service provider.
I was pleasantly surprised by multiple e-mails from Mailchimp – my e-mail marketing service, which collects and stores my e-mail lists.
When all of the preparatory paperwork is done, you still need to think about your existing contacts.
4. Send a request for consent to your existing contacts.
According to GDPR, after the 25th of May you are only allowed to keep personal information of people who have given you explicit written consent for keeping and using this information. So, to make sure you have received this consent, write an e-mail in which you request your contacts to (once again) allow you to use their data after the 25th of May. Do not worry, they do not have to sign a contract or anything like that: checking the box on a contact form is already considered written consent. Keep in mind that you should be able to download the list of the ‘checked boxes’ as proof.
Now the preparations are done, but what will you do on the 25th of May and the days after?
5. Clean up your database with personal data and update your site.
Officially, if your contacts haven’t given you explicit consent to keep their personal data, you need to delete their data on the 25th of May. It’s up to you, but I would strongly advise you to send some info or newsletters to people who haven’t given you their consent yet. The more people you can ‘keep’ the better, right? It is definitely worth a few extra e-mails!
I hope that after reading this, GDPR has become a bit less scary, and that you now have a good idea about what you still have to do in the following couple of days! Good luck!
Oh, and if you want to read more on GDPR and how large businesses are preparing for it, make sure to download my FREE e-book GDPR meets Data Management.