If your small business includes buyers from EU countries, you will now need to comply with new data protection rules known as the General Data Protection Regulation, or GDPR.
GDPR is a new data protection law that took effect across Europe in May of 2018. The law is all about protecting personal data of EU citizens.
If you are a small business and have a mailing list, or a website that collects information from your customers, today’s lesson is important. After reading this post, you will have a better understanding of:
- Why GDPR came into effect
- What qualifies as personal data
- How to prepare your small business for GDPR
Why Did GDPR Come Into Effect?
GDPR came into effect largely because data protection laws have become outdated. The last time legislation regarding data protection was passed was as part of the 1998 Data Protection Act.
Since then, technology and our use of the internet have grown and transformed exponentially. Mobile phones, websites, and social media all collect and store personal data. But while the technology has advanced, the laws surrounding personal data have not.
The result is that most buyers today feel they’ve lost control over how their personal data is collected, stored, and used. GDPR is a response to these concerns and introduces new ways to protect EU citizens’ personal data.
If you have an online business, an email marketing list, or a website, you must now put certain processes in place to protect the personal data of your EU buyers. To better understand how to do that, you will need to understand what qualifies as personal data.
What is Personal Data?
Personal data is any information that could be used to identify a person. Examples of personal data include:
- Email address
- Phone number
- Mailing address
- IP address
Each of these can potentially identify a human being. As a business, you are responsible for securely storing personal data like this for all of your EU buyers, and ensuring it stays private.
How Your Small Business Can Comply with GDPR
To help prepare your small business for GDPR, we’ve outlined a 3-step process you and your team can follow to be GDPR compliant. These three steps are:
- Understand what personal data you collect
- Inform buyers of what personal data you have
- Implement GDPR systems and allow easy opt-out
1. Understand What Information You Have
First, you will need to understand what personal data your small business is collecting, how it’s being collected, processed, and stored, and the purpose for its storage.
Identifying What Personal Data You Have
To understand what personal data you already have, audit your current data and marketing processes.
Create a list of all the tools used by your website and marketing programs. Most likely, each tool is collecting data on your behalf. According to GDPR, you must now know exactly what information each tool is collecting and how securely it’s being stored.
Organize Your Data
We suggest you begin storing all of the data you have on buyers in an organized manner. This will allow you to quickly and accurately provide access to information should a subscriber request to know what information you collect from them.
Under GDPR, you must send a report to any individual who requests information about the personal data you hold on them, within 30 days and at no extra charge.
2. Inform EU Buyers You Collect Personal Data
Once you have an understanding of what personal data your small business is collecting, you must inform customers of exactly what information is collected, how it is stored, and your purpose for collecting it. You will inform them when they visit your website, sign up for an email list, and purchase a product online.
Create a Website Notice
Informing website visitors about your data collection practices can be done with a website notification. Much like cookie notifications, your GDPR notification must inform website visitors that you collect personal data and track website behavior. Under GDPR laws, you must have their consent before allowing use of your website.
Create a Fair Processing Notice (FPN)
The FPN is a document that clearly, without using legal jargon, explains what data you collect from website visitors, which companies are collecting it, why it’s collected, and how it will be used.
Each time a visitor shares personal data with your small business, they must have easy access to your FPN. Include a link to your FPN on your website notification pop up, and on any contact or email sign up forms.
3. Implementing Data Accessibility
Implementing GDPR systems into marketing departments is where most small businesses will struggle. For most organizations, this means updating current data collection points (such as contact forms), making sure data is securely stored, and removing any unnecessary personal data.
Update Your Contact Forms
If your website includes a contact form, make sure you’re saving submitted information to a secure server, and not your local server. If you are saving personal information on a local server, you are now legally responsible for keeping it secure and private. Storing emails submitted on contact forms in Google Drive, for example, is not GDPR compliant, as Google Drive does not (yet) meet GDPR privacy requirements.
Include Email Marketing Double Opt-In
If you have an email list, you must now double check with buyers that they do in fact want to receive email communications from you.
You meet this requirement by including a double opt-in email system. A double opt-in means subscribers who provide you with an email address in exchange for a coupon or a free ebook won’t be added to your email list until they click a link in a confirmation email that explicitly states your business intends to send marketing communications to their email address.
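One way to implement the double opt-in described above, as an added Python example (not code from the original post): the sign-up form issues a signed, time-limited confirmation token, and the address is only written to the mailing list when a valid token comes back from the link. The secret key, the 24-hour expiry and the in-memory subscriber set are assumptions standing in for real configuration and storage.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed values for this example: load the key from configuration in practice.
SECRET_KEY = b"replace-with-a-random-32-byte-secret"
TOKEN_TTL_SECONDS = 24 * 3600  # confirmation links stop working after one day

confirmed_subscribers = set()  # stands in for the real mailing list table


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_confirmation_token(email: str, now=None) -> str:
    """Step 1: the sign-up form calls this and emails the token as a link.
    The address is NOT stored anywhere yet; the token carries it, signed."""
    now = time.time() if now is None else now
    claims = {"email": email, "iat": int(now), "nonce": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def confirm_subscription(token: str, now=None) -> bool:
    """Step 2: the link handler calls this. Only a token with a valid
    signature and inside its TTL adds the address to the list."""
    now = time.time() if now is None else now
    payload, sep, mac = token.partition(".")
    if not sep or not hmac.compare_digest(mac, _sign(payload.encode())):
        return False  # forged or tampered link: constant-time comparison
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:
        return False
    if now - claims["iat"] > TOKEN_TTL_SECONDS:
        return False  # expired: the subscriber must sign up again
    confirmed_subscribers.add(claims["email"])
    return True


def is_subscribed(email: str) -> bool:
    return email in confirmed_subscribers
```

Because the token is self-contained, an unconfirmed address never has to be stored, which keeps the data you hold to what subscribers actually agreed to.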
Review Website Analytics Data
Your website analytics tools capture browser information, browsing behaviors, and IP addresses that could potentially identify a human being. You can no longer hold onto personal data just in case you might need it in the future. If you don’t currently use data that you’re storing, remove it and the liability that goes along with it.
Implement Security Measures
What measures do you have in place to make sure nobody can leak, hack, or misplace your EU customers’ personal data? If you’re storing personal data digitally, ensure you have safety measures like antivirus software on your devices, and the ability to remotely wipe data from a device should you lose it.
Many small businesses also keep hard copies of personal data. If you have hard copies of your customers’ personal data, make sure it is locked away so no one can access the information.
Dealing with a Data Breach After GDPR
If a breach or hack occurs, GDPR law requires you to inform your customers within 72 hours of the event. This means that if there’s a security breach, if your marketing accounts have been hacked, or if your laptop has been stolen while you were logged into your business or marketing tools, you must inform your customers.
Remember, you are legally responsible for the personal data you collect. So if you don’t need a piece of personal data, we recommend you don’t store it.
As you implement these changes in your business processes, write down what safety measures you put in place. This helps inform your own team members, and if you’re ever investigated under GDPR, these notes can help you and your team prove you’ve taken the necessary precautions to stay GDPR-compliant.