If you’re wondering how GDPR affects small businesses, read on.

This post is for you if you’re a small business owner, freelancer, blogger, or have a website which processes personal data of any kind.

The important thing to remember is that GDPR is not about simply putting up a new privacy policy or a cookie consent box on your website. It is a robust legislation which is designed to change the way businesses collect and handle personal data online.


“The processing of personal data should be designed to serve mankind.”

Recital 4 EU GDPR

What constitutes ‘personal data’? Good question. Article 4(1) of the GDPR defines it broadly as any information relating to an identified or identifiable natural person, which covers far more than most people expect. On the one hand we have obvious examples, like a customer’s email address, their name or credit card details. This type of information is usually handed over knowingly and it’s easy to get the visitor’s consent before obtaining it.

But what about so-called ‘cookie data’? With modern technology, we can start collecting personal information within milliseconds of someone landing on your website, and Recital 30 of the GDPR spells out that online identifiers such as IP addresses and cookie identifiers can be personal data. Yes, you can stick a pop-up on your site and declare that continued browsing constitutes consent, but that is exactly what GDPR rules out: consent must be a clear affirmative act, and silence, pre-ticked boxes or inactivity do not count (Recital 32). So what do we do next?

The truth is that the detail is still unsettled. The cookie-specific rules live in the ePrivacy Directive, and the European Union’s proposed ePrivacy Regulation that is meant to replace it and align it with GDPR is still being negotiated. Until it lands, we can only speculate on exactly how cookie consent will be expected to work in practice.

Some businesses are so unwilling to risk the maximum penalty (€20,000,000 or 4% of worldwide annual turnover, whichever is higher) that they’re planning to block traffic to their sites from the European Union altogether. Others have created a black screen covering their whole website until the visitor explicitly agrees to cookie data being collected.

None of these measures are necessary. Your best bet is to be as open and honest about all data collected as possible. Follow the GDPR advice, as outlined in this template, by disclosing all parties with which you share customer data and how that data is used. Basically, don’t be sneaky and you should be fine.

Technology is playing catch-up with legislation in this case and data giants like Google and Facebook are now working hard to comply with GDPR and create tools to manage user consent. Soon, you can expect to see a program called Funding Choices developed by Google to get a clear ‘Yes’ or ‘No’ on whether the user wants to see advertising tailored to their interests (by using cookie data). But the internet is not expected to stop working while we’re waiting for this tool to be rolled out to all publishers.

So what ARE YOU expected to do to comply with GDPR as a small business owner, blogger, freelancer or owner of an information site?

First of all, don’t assume GDPR doesn’t apply to you. It doesn’t matter if you:

  • Don’t live and work in the European Union. If you offer goods or services to people in the EU, or monitor their behaviour there (which analytics and marketing cookies do), you must observe their rights under EU legislation (Article 3(2)). That includes EU website visitors and email subscribers.
  • Are a one-person business. GDPR affects everyone, no matter the size of the business. The only concession for small organisations is a partial exemption from the Article 30 duty to keep records of processing activities for businesses under 250 employees, and even that falls away if the processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data. Fines apply regardless of size, although the supervisory authority must weigh factors such as the nature of the breach and the steps you took to limit harm (Article 83), so a small blog is not looking at the €20,000,000 maximum. Fun fact: most small businesses in the UK are also required to register with the ICO and pay the data protection fee if they handle personal data (which you almost certainly do). To check, you can fill out this assessment: https://ico.org.uk/for-organisations/register/self-assessment/

Now that we’ve established you do need to do something about GDPR, here’s what those steps should be:

1. Establish who the controller is. Under GDPR the controller is your organisation (or you personally, if you’re a sole trader), because it decides why and how personal data is processed. Nominate one person to be responsible for all processes involving personal data, and name the controller and its contact details in your Privacy Policy (Article 13). A formal Data Protection Officer is only mandatory in the cases listed in Article 37, such as large-scale monitoring of individuals, which most bloggers and freelancers will not meet.

2. The responsible person needs to carry out an assessment of how your organisation currently collects and handles personal data. This assessment should be documented and needs to include listing all data processors who have access to the data and evaluating how those companies handle it. Every processor must be bound by a written contract covering the Article 28 obligations; the big providers publish a data processing agreement or addendum you can accept, so check that you have done so for each one.

So for example, a blogger from the UK will likely list Google, Facebook and Mailchimp as their data processors (processing personal data on their behalf). They should then check how that data is collected – are they outright asking the user’s permission to collect the data? Are they informing the user of what type of data is being collected and how it’s going to be used in plain language? Are they making it easy for them to read more, should they wish to do so?

If your assessment flags up issues, the first duty is to fix them: tighten the process, or move to a processor that meets its obligations. Consulting a supervisory authority (in the UK that’s the ICO) is only required when a Data Protection Impact Assessment (Article 35) shows that your processing would still present a high risk to individuals after you have taken measures to reduce it (Article 36); this will rarely apply to a blog or a small information site. So, for example, if you discover that the email system you use doesn’t keep adequate records of the personal data it holds for you, you are not obliged to report that to the ICO, but you do need to document the problem and either get the provider to put it right or switch to one that will.

3. During your assessment you will also analyse the way in which you collect data at the moment and check if it’s in line with GDPR.

So for example, take a standard lead magnet sign-up box, like the one we’d find on almost any website. Check that any marketing tick box is unticked by default (pre-ticked boxes don’t count as consent under Recital 32), that the consent request is presented separately from the download rather than bundled with it (Article 7), that it says in plain language what the email address will be used for, and that it links to your Privacy Policy.

4. Cookie policy pop-up. For now, that is the most trustworthy method of obtaining consent for cookie data being collected. It must require a positive action, such as clicking ‘Yes’, and non-essential cookies (analytics, advertising) must not be set before that action. Make sure it links to your full cookie policy, so users can find out more if they wish to do so, and that withdrawing consent is as easy as giving it (Article 7(3)).

5. Publish a Privacy Policy on your website. This is the lowest-hanging fruit for any authority which might want to verify if you’re GDPR compliant. I’ve created this GDPR Privacy Policy Cheatsheet which should be suitable for most bloggers and owners of informational websites to help you along. It includes all points required by the GDPR and is fully customisable. The Privacy Policy must list EVERYTHING the website user is agreeing to, including who you share data with and why. If any of this information changes, you are required to update the policy and inform the affected users (Article 13), and if the change goes beyond what they originally consented to, you need their consent again.

So for example, if your Privacy Policy states that you use MailChimp for your email communication and you change it to ActiveCampaign, you must update the policy and tell your subscribers who now holds their data. If the new provider will use the data for anything they did not consent to (for instance profiling or advertising), you need fresh consent for that before it starts.

6. Start maintaining a record of how you handle personal data. Demonstrate your safeguarding processes and how you monitor all your data processors. Be prepared to prove that you obtained consent for all of the personal data you handle.
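So for example, the cookie pop-up from step 4 and the consent record from step 6 can be handled by one small piece of front-end code. The following is an added example, not code from the original post or from any of the providers mentioned in it. It gates the loading of non-essential scripts behind an explicit ‘Yes’, stores a record of exactly what was shown and agreed to (with a policy version, so a policy change invalidates old consent), and makes withdrawal a single call. The storage key, policy version, consent wording and analytics URL are all assumptions for illustration.

```javascript
// Consent-gated loading of non-essential scripts plus an auditable consent
// record. Added example, not code from the original post. CONSENT_KEY,
// POLICY_VERSION, CONSENT_TEXT and the analytics URL are assumptions.

const POLICY_VERSION = "2018-05-25"; // assumed: bump whenever the cookie policy text changes
const CONSENT_KEY = "cookie_consent"; // assumed storage key
const CONSENT_TEXT =
  "Allow analytics and advertising cookies? See our cookie policy for details."; // assumed wording

// Non-essential scripts that must not run before an explicit "yes".
// Placeholder URL, not a real endpoint.
const NON_ESSENTIAL_SCRIPTS = ["https://analytics.example/tag.js"];

// Build the record that later proves consent was obtained: what was asked,
// which policy version, when, and the answer. Consent is never assumed:
// anything other than an explicit true is recorded as refused.
function buildConsentRecord(answer, now = new Date()) {
  return {
    granted: answer === true,
    policyVersion: POLICY_VERSION,
    textShown: CONSENT_TEXT,
    recordedAt: now.toISOString(),
  };
}

// A stored record only counts if it is an explicit grant for the policy
// version currently in force; a policy change invalidates old consent.
function isConsentValid(record) {
  return Boolean(
    record &&
      record.granted === true &&
      record.policyVersion === POLICY_VERSION &&
      typeof record.recordedAt === "string"
  );
}

// Storage abstraction so the same logic runs in a browser (localStorage)
// and in a plain Node process (in-memory map).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}
const storage =
  typeof localStorage !== "undefined" ? localStorage : memoryStorage();

function readConsent() {
  try {
    return JSON.parse(storage.getItem(CONSENT_KEY)); // null when absent
  } catch (e) {
    return null; // corrupted value: treat as no consent
  }
}

// Inject the non-essential script tags; returns the created elements.
// Outside a browser there is no document, so nothing is loaded.
function loadNonEssentialScripts(
  doc = typeof document !== "undefined" ? document : null
) {
  if (!doc) return [];
  return NON_ESSENTIAL_SCRIPTS.map((src) => {
    const s = doc.createElement("script");
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
    return s;
  });
}

// Called by the pop-up's Yes / No buttons. Returns the stored record and
// how many scripts were loaded, so the decision can be checked.
function recordAnswer(answer) {
  const record = buildConsentRecord(answer);
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  const loaded = isConsentValid(record) ? loadNonEssentialScripts() : [];
  return { record, loaded: loaded.length };
}

// Withdrawal must be as easy as giving consent (Article 7(3)); here it just
// deletes the record. Cookies already set by third-party scripts still have
// to be cleared or left to expire.
function withdrawConsent() {
  storage.removeItem(CONSENT_KEY);
}

// On every page load: only an explicit, current grant loads the scripts.
// Continued browsing, a dismissed banner or a stale version never does.
function onPageLoad() {
  return isConsentValid(readConsent()) ? loadNonEssentialScripts().length : 0;
}
```

The record is deliberately more than a yes/no flag: when you later have to prove consent, you need the wording the user saw and the policy version it belonged to, not just a timestamp. In a real deployment you would also send the record to your server so it survives the user clearing their browser.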

7. If you suffer a personal data breach (like your website being hacked), you must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected (Article 33); if you miss the 72 hours you must explain the delay. Where the breach is likely to result in a high risk to individuals, for example leaked passwords or payment details, you must also tell the affected people without undue delay (Article 34). Yes, that means you may have to email all your subscribers to tell them you’ve been hacked and their data might have been compromised, so keep a record of what happened and what you did about it either way.

I know this is a lot to take in. But before you close your website down and hide under your desk, frustrated with all those new requirements, send me an email, maybe I’ll be able to help. And check out the GDPR Privacy Policy cheatsheet I’ve prepared, it could save you hours of research and work!
