What does GDPR stand for and why does it exist?
GDPR stands for the EU General Data Protection Regulation. It entered into force in May 2016 and applies from 25th May 2018, replacing the 1995 Data Protection Directive and the national laws that implemented it (in the UK, the Data Protection Act 1998) to bring everything under a single framework.
Over the last few years technology and our use of it have grown rapidly, and data protection laws have become outdated. The new legislation signals the importance being placed on the protection of our personal and sensitive data, which is great news for us as the general public.
You may have heard a lot of hype around the subject, or you may not know anything about it at all. Either way, this blog post is aimed at giving you some knowledge of the basics so you can go ahead and conduct your own research and make an informed decision on the steps you need to take to ensure your business is GDPR compliant.
How does it affect me as a small business owner?
The legislation applies to any business that collects, stores, or otherwise processes the personal data of people in the EU. This means that even if your business is not based within the EU, if you offer goods or services to people in the EU or monitor their behaviour (for example by tracking visitors to your website), and are dealing with their customer, client, or marketing data, it still applies to you and your business.
In short, you should be treating any data in the correct way and you have full accountability as the business owner to know where the data you hold comes from, why you’re holding it, and exactly what it’s being used for.
Put yourself in the shoes of the person you hold the information of. Depending on your type of business there will be data you hold that shouldn’t get into the wrong hands, or shouldn’t be used in any other way that has not been agreed to. You have a duty of care to ensure as far as is in your control that you are treating this data with the respect it deserves.
That being said, if you're self-employed, a business of one, or have only a few employees, it really shouldn't be a problem for you at all. You shouldn't feel scared or overwhelmed; the chances are that you're already doing most of the things you should be doing, and there are maybe just a few tweaks you need to make to ensure you're compliant.
The new legislation places an emphasis on protection and accountability. As long as you've taken the necessary steps to educate yourself on the subject, put into practice the things you've learnt, and can show what you did (a short written record of what data you hold, why, and who you share it with goes a long way), you're unlikely to be in any hot water.
A new opportunity
Possibly the biggest shift the new legislation may bring about is a cultural one. Individuals will be more switched on and aware that they can question the way their data is being used. By making your intentions for using the data you hold explicitly clear from the beginning, you have a great opportunity to build trust with clients and new prospects.
People will appreciate that you’re taking this kind of thing seriously and are more likely to trust you with their custom. In an age where spam emails buzz about our inboxes like annoying flies, making sure you’re one of those people that treats email addresses and other data you hold with respect means you’ll have a competitive advantage.
Your marketing database will be cleaner, meaning you're not paying for subscribers who aren't engaged, and your marketing is likely to be more targeted and effective.
What information does GDPR cover, and how do I go about making sure I’m compliant?
This is not a question that can be answered easily as each business is very different.
I suggest you watch the free training session provided by Suzanne Dibble – the small business law expert. The training goes into great detail about all the things you need to think about and the steps you can take. She also offers a compliance pack you can purchase which is well worth the price compared to what you would pay for individual legal advice.
The training session and pack are both available from this link: https://suzannedibble.com/gdprpack
(this is not an affiliate link, I am sharing this with you because I genuinely valued this training session.)
Suzanne also has a free Facebook group with even more training videos, so please also check out this invaluable resource: https://www.facebook.com/groups/GDPRforonlineentrepreneurs
One of the first things you should do is really review where all the data you hold is coming from, where it's stored, and whether you share it with anyone. Suzanne goes through all of this in her training, but if you don't already use some kind of CRM (Customer relationship management) software, it's a good time to set something like this up.
When all the data from your clients and leads is stored in one central place you know where it is at all times and exactly who has access to it. Protect that account properly: give each person their own login rather than a shared password, turn on two-factor authentication if the provider offers it, and remove access when someone leaves. When you use a well-known software provider they will be very aware of issues like cyber security and will likely already be GDPR compliant or working towards being compliant. Under GDPR such a provider is a 'processor' acting on your behalf, and you should have a written data processing agreement with them (most providers publish one you can accept online).
It's important to note here that if you are based within the EU, you should check with your software provider where their company and servers are based, as transferring personal data outside of the EU is restricted under GDPR to ensure the level of protection it affords is not undermined. Transfers are allowed where the destination country has an EU adequacy decision, or where the provider commits to the EU's standard contractual clauses. The Privacy Shield mentioned in many 2018 guides was a self-certification scheme for US companies only, and it was later invalidated by the EU Court of Justice in July 2020, so do not rely on it. Please do conduct your own research into this and look at all the resources in Suzanne Dibble's Facebook group.
How will this affect my marketing emails?
A good rule of thumb for email marketing, just like with storing information from clients and leads, is to use specific software to store your list and send your emails from. It's very likely that you already use software like Mailchimp or ConvertKit, but again do check that whatever you're using, they are working towards GDPR compliance, and if they're not EU based, that they offer a valid mechanism for transferring data outside the EU (such as the EU standard contractual clauses) and a data processing agreement.
The email marketing software I use is called Mailerlite and handily they are based within the EU. They recently released a blog post that explains that GDPR can actually be a really good thing for your email list.
GDPR does not require a 'double opt-in' (a confirmation email the subscriber has to click), but it does require that you have their consent to send the emails you plan to send from the very beginning, that they've been told exactly what they'll be receiving, and that you can demonstrate that consent later. A double opt-in is the easiest way to prove the address really belongs to the person who signed up, so it is worth keeping if your software already does it. This means on your sign-up forms on your website you need to be very clear about what they are signing up for and what your emails will contain.
It's not enough to simply say "you'll receive emails from us from time to time". There will need to be a tick box on your sign-up form so that individuals can give their active and explicit consent, rather than just being blinded by the shiny offer or lead magnet. Be specific and explain what your emails will contain next to your tick box, make sure it is not 'pre-ticked' so they are active in giving their consent, and keep a record of when each person consented and the exact wording they agreed to.
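As an added example (not code from the original post, nor from any of the email providers it mentions), here is how the pieces above fit together in JavaScript: a sign-up form whose consent box is never pre-ticked, a small `auditSignupForm` check you can run over existing form markup to catch pre-ticked or missing consent boxes, and a `recordConsent` handler that refuses submissions without an explicit "yes" and otherwise produces the record (who, when, which wording, from where) that lets you demonstrate consent later. The consent text, the `/subscribe` endpoint, the field names and the sample submissions are all hypothetical.

```javascript
// Added example: capturing and evidencing marketing-email consent on a
// sign-up form. All names, wording and endpoints here are hypothetical.

// The exact wording the subscriber agrees to. Version it: when you change the
// wording, consent recorded against the old text is consent to the old text.
const CONSENT_VERSION = "newsletter-consent-v1";
const CONSENT_TEXT =
  "Yes, send me the monthly design newsletter and occasional offers from " +
  "Example Studio. I can unsubscribe at any time using the link in every email.";

// Sign-up form markup. The consent box has no `checked` attribute, so the
// subscriber has to tick it themselves, and the label says what they will get.
function renderSignupForm() {
  return [
    '<form method="post" action="/subscribe">',
    '  <label>Email <input type="email" name="email" required></label>',
    `  <label><input type="checkbox" name="marketing_consent" value="yes"> ${CONSENT_TEXT}</label>`,
    `  <input type="hidden" name="consent_version" value="${CONSENT_VERSION}">`,
    '  <button type="submit">Subscribe</button>',
    "</form>",
  ].join("\n");
}

// Audit existing form markup for the two mistakes the post warns about:
// a pre-ticked consent box, or no consent box at all. Returns a list of problems.
function auditSignupForm(html) {
  const problems = [];
  const checkboxes = html.match(/<input\b[^>]*type=["']?checkbox["']?[^>]*>/gi) || [];
  if (checkboxes.length === 0) {
    problems.push("no consent checkbox: signing up cannot be an affirmative act");
  }
  for (const tag of checkboxes) {
    if (/\schecked\b/i.test(tag)) {
      problems.push(`pre-ticked checkbox: ${tag}`);
    }
  }
  return problems;
}

// Server-side handling of the submitted form. `submission` is the parsed POST
// body as a plain object. Returns either a rejection or a consent record you
// store alongside the subscriber so you can show who agreed to what, and when.
function recordConsent(submission, now = new Date()) {
  const email = String(submission.email || "").trim().toLowerCase();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, reason: "invalid email address" };
  }
  // Never infer consent from the presence of the field or from a default:
  // only the value the browser sends for a ticked box counts.
  if (submission.marketing_consent !== "yes") {
    return { ok: false, reason: "no explicit marketing consent given" };
  }
  if (submission.consent_version !== CONSENT_VERSION) {
    return { ok: false, reason: "unknown consent text version" };
  }
  return {
    ok: true,
    record: {
      email,
      consentedAt: now.toISOString(),
      consentVersion: CONSENT_VERSION,
      consentText: CONSENT_TEXT,
      source: submission.source || "website-signup",
    },
  };
}

// Constructed sample submissions, shaped as a browser would POST them.
const withConsent = { email: "Ada@Example.com", marketing_consent: "yes", consent_version: CONSENT_VERSION };
const withoutConsent = { email: "ada@example.com", consent_version: CONSENT_VERSION };

console.log(auditSignupForm(renderSignupForm()));
console.log(auditSignupForm('<form><input type="checkbox" name="marketing_consent" checked></form>'));
console.log(recordConsent(withConsent, new Date("2018-05-25T09:00:00Z")));
console.log(recordConsent(withoutConsent));
```

The stored record, not the tick itself, is what you would produce if someone asked you to show that a subscriber consented. The `source` field is also how you would tell a website sign-up from a re-permission campaign or an in-person event list when reviewing where your list came from.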
If you're unsure whether you have active and explicit consent from everyone on your current email list, it's a good idea to revalidate all your subscribers by sending an email out explaining that you're taking a serious view on the new GDPR regulations and you would love to know if they are still happy to be on your list. One caveat: a re-consent email is itself a marketing email, so only send it to people you had permission to email in the first place, and never to anyone who has already unsubscribed. The ICO has fined companies for sending exactly this kind of email to people who had opted out.
The result of this is a cleaned-up list where you know the people on it are engaged and interested. You won't be paying to send emails to people who can't remember who you are or who never open and read your emails anyway.
For more information about GDPR compliant email marketing read the blog post by Mailerlite here: https://blog.mailerlite.com/gdpr-and-how-compliance-can-improve-your-email-marketing/
The 'Supply Chain' side of your business
As a final point I want to just dive in a little deeper for those businesses that aren't just based online. If you're a product based business selling through social media, an online shop, a bricks and mortar shop, or you use any third party software or supplier you'll also need to consider another side of your business - your supply chain.
That may not be a term you've thought of in relation to your small business before, but no matter how small scale, you are likely to be part of a supply chain. Not sure if your business is involved in a supply chain? Here's the definition of 'Supply Chain' from Wikipedia to clear that up (gotta love Wiki, right?)
"A supply chain is a system of organisations, people, activities, information, and resources involved in moving a product or service from supplier to customer. Supply chain activities involve the transformation of natural resources, raw materials, and components into a finished product that is delivered to the end customer."
Even my own business which is mostly based online is involved in a small scale supply chain. When I order printed products for my branding customers, I use a third party printer who carries out the printing work, packages it up and delivers it through a courier directly to my client. I also use a payment processor when taking payments for my services. These are instances when I am sharing customer data with another person or business, and it's important to be aware that I am still responsible for the data at these times too.
It's a good idea to review existing supplier relationships and any existing instances that involve you sharing customer data. Are these businesses reputable? Do they have the correct technical and organisational measures in place? Will they sign a data processing agreement with you? Do they make it clear that they themselves are GDPR compliant? If not, then ask. It's a good idea to be proactive and make checks before sharing data, even if it's as simple as checking their website for an up-to-date privacy or data protection policy, and to share only the data the supplier actually needs for the job (a printer needs a delivery address, not a payment history).
To read the official guidelines from the ICO please see them here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
I hope this has helped to give you an overview of some of the things you need to think about, and lots more to go and research and learn for yourself. The key thing here is being an intentional and accountable business owner. It's important to understand legal and cultural shifts that could affect your business, so go forth and learn!
Disclaimer: The information I present in this blog post should not be taken as legal advice. I am not a lawyer, nor do I claim to know everything about this subject. This blog post is an introduction only and is aimed at helping you, as a small business owner, to begin to understand the steps you may need to take and is only a starting point. I recommend that you look at the links I present for further reading, but also increase your knowledge by conducting your own research. I accept no liability for any reliance you place on the content I have delivered here.