GDPR for small businesses
Countdown to 28th May 2018
The General Data Protection Regulation (GDPR) has been looming for a while now but you may have been putting off doing anything about it, possibly because you think it doesn’t have an impact on you.
Although initially the Information Commissioner’s Office (ICO) will likely be looking at high level or landmark cases it makes good business sense to make sure you are prepared and acting in the right way going forward.
What is it?
In its simplest terms the new GDPR regulations coming into force are about giving users control over their own data.
It is an EU law… what about Brexit?
The fact that it is an EU directive does not protect you, if you are outside the EU and marketing to Europeans you are bound by the same rules and so need to show you are protecting their data in the right way. Once Brexit happens, this regulation will be ported over to UK law anyway although it will probably be renamed.
There are only 5 of us, surely it is for the big companies?
This is partially true, in that unless you have more than 250 employees, or there is a real obvious business reason due to your data usage you will not need to employ or create a Data Protection Officer (DPO) role. However, you will still need to ensure you put processes in place to deal with users privacy, consent and data portability.
Subject Access Requests (SARs) & Right to Erasure
You may have heard of Google’s ‘Right to be forgotten’ as there have been some cases in the news. The GDPR has an implementation of this where by a person can request access to any data (SAR) that you hold on them and ask for it to be removed. There are various caveats to this but at the very least you need to have a good handle on what data you are holding on your customers and how to access it so you can take action if needed.
It used to cost money for someone to make a data request but the GDPR rules will mean it is free and you only have 30 days to comply.
Get the basics right
If you just have a newsletter sign up on your website, perhaps managed by Mailchimp then you will be able to keep on top of your responsibilities easily.
If you run an ecommerce website then there is going to be more data to keep tabs on so it would be well worth doing a data audit to check what information you collect and how it is stored.
There are a few things that if you haven’t stopped long ago you should look at right away.
- Checked checkboxes - You can no longer imply consent, a checkbox should be empty and the user choose to click it.
- Email lists - Buying an email list isn’t ideal for a variety of reasons but in this case, you are marketing to people who have not consented and as such will be breaching GDPR from the get go.
Keep calm and carry on
There is no reason to be overly alarmed about the changes that will take place at the end of May, the sun will still rise. A few simple checks and changes now though will make sure you are covered and can ignore the inevitable panic that will ensue. :)
Time spent trying to be productive
Prepare for GDPR - Understand your data