GDPR is real, it lives among us, and 9-in-10 businesses suffer from it. I’m kidding of course, but it is the thing on everyone’s lips at the moment, and if you’ve been following the implementation of these new regulations then you’ll know that they come into play on the 25th of May this year… i.e. this Friday. Yikes. You may have noticed the big companies emailing you recently talking about it, and they’ve probably been working on it for months and months. However if you’re one of those ‘bury your head in the sand’ types and haven’t looked into it yet, don’t panic. While the below information can’t make the necessary changes to your business on your behalf, I thought it would be helpful to do a really basic, layman’s-terms rundown of what GDPR actually is, why it’s happening and how you can find out what you need to do.
I should start by saying that I am in no way an expert on this, far from it, and all small business owners are just working through these new regulations by themselves as best they can. That includes me. But I’m here to share what I have managed to figure out so far, and it’s up to you to apply this knowledge to your own business. Here we go…
What the heck even is GDPR??
I know right?! It doesn’t exactly roll off the tongue. GDPR stands for the General Data Protection Regulation, an EU-wide law that comes into force on Friday 25th May 2018. In the UK it replaces the regime we have had under the Data Protection Act 1998 (a new Data Protection Act 2018 sits alongside it), and it applies to pretty much every business, whatever its size.
It can’t apply to me, surely?
It sure can. I joked above that 9-in-10 businesses suffer from it, when in fact the only type of business I can imagine this doesn’t apply to in some way would be, say, one that sells handmade products at a local market, dealing only in cash and never writing a customer’s name down. Even this is a stretch. Basically, if your business handles people’s data in any way, shape or form, then you need to be compliant with these new regulations. This includes everything from taking email addresses for your mailing list, to setting cookies on your website that can identify a visitor, to asking people for their personal information for marketing purposes. Also be aware that this may apply to you even if you are not a business, for example, a blogger who doesn’t make money. If you collect personal data, you need to be GDPR compliant.
Who is in charge of this GDPR nonsense?
In the UK, the Information Commissioner’s Office (ICO) is the regulator that enforces the rules and handles complaints. You can find out more about the ICO and the new regulations on its website, ico.org.uk, which includes plain-English guidance aimed at small organisations.
What happens if I just pretend it’s not happening?
In short, probably not a lot. But also, maybe something. Hope that clears it up for you. Basically if you are a small business it is highly unlikely that the ICO will randomly look into how you handle customer data, and they certainly won’t be doing that the moment May 26th hits. However, it’s important to know that if someone now decides to make a complaint about the way you are handling their data, and you have nothing in place to show that you are doing things by the book, then you could get into trouble. The headline fines you may have read about (up to €20 million or 4% of worldwide annual turnover, whichever is higher) are real, but they are the legal maximum for the worst cases; the ICO has repeatedly said that fines are a last resort and will be proportionate to the seriousness of the problem and the size of the organisation, so the realistic outcome for a small business that has made an honest effort is far more likely to be advice or a warning. Still, it is definitely worth doing a few extra hours of admin to get your business in shipshape.
Do I need to hire a lawyer? I’ll never understand this stuff!
Whoa, now. Calm down, there’s no need to get lawyers involved. I mean, you could if you are a slightly larger business and want to make sure that you are 100% compliant. It’s a good move. But if you are a small business and can’t afford to go spending on legal help, then I believe that you can take simple steps without a lawyer. The regulation wasn’t written to force small businesses to lawyer up, it was written to make sure personal data is handled properly, and the ICO is the body that judges whether you have done that. So as long as you are taking documented steps toward being compliant, you’re on the right track. It’s helping us get our processes in order, it’s a good thing.
A good thing?! How can this be a good thing??
You may be a small business, but you’re also a consumer, and if the recent news stories have taught us anything *cough* Facebook *cough*, it’s that our data can, and should, be handled more effectively and safely. Although this is going to take some work in the beginning to make sure everyone is compliant, as we move forward it’s going to mean less of your information floating around the internet, being sold to other companies, and being used to hassle you with things you never asked to be hassled with. I believe it’s a good thing for human beings, and since we’re all human beings, it’s going to be a positive thing all round.
What even is data? Do I hold it?
It’s important to know what is defined as ‘data’. Personal data is any information relating to an identified or identifiable living person: a name, an email address, a postal address, a phone number, an IP address, a photo, and so on. It covers data kept online, on your computer, on your phone and in paper form. Most businesses hold data in some way, and you probably already have in mind some data that you hold on people. There are two roles to know about. The data controller decides why and how personal data is processed; if you run the business and decide what to do with your customer list, that’s you. A data processor handles data on a controller’s behalf and on their instructions: your mailing list provider is a processor for you, and if you are a freelancer or contractor handling a client’s customer data, you are a processor for them. Under the old Act only the controller was on the hook; under GDPR processors have their own direct obligations too, so you can be held responsible as a processor and can’t rely on saying “someone else made me do it!”.
So what’s changing then?
Here we go! The main changes are to ensure that all personal data is processed lawfully, fairly and transparently. Firstly, you and the person whose data you are collecting need to be crystal clear on what data you are collecting, what you will do with it, why you are entitled to hold it, and how long you will keep it. Let’s use your mailing list as an example: if, in your signup form, you were not 100% clear on what you will send, how often, and how to unsubscribe, then you may need to go back and re-confirm with the people on your list, and those who don’t respond should be removed rather than emailed anyway.
You are also now only able to email them for the purpose that you stated when they signed up, so if you told them you would be sending out weekly plant care tips, you cannot begin to send them information on the new knitting course that your second cousin has just launched. That’s not what they asked for.
In addition, data must only be kept while you need it for the purpose you collected it, and as soon as you no longer need it, it gets properly disposed of (that means securely deleted or shredded, not moved to a forgotten folder). If you do keep data, it also needs to be kept securely, with measures such as access restrictions, strong authentication and encryption, so that it stays in your hands only.
Yeesh! Sounds like a lot of work. What exactly do I need to do?
The regulation sets out principles rather than a step-by-step checklist, and each organisation has to interpret them for the data it actually holds, so I can’t tell you exactly what you need to do. However I can give you a few totally unofficial and very general recommendations that might help you start the process off.
- It’s a good idea to create a spreadsheet that lists the different types of people you hold data on, i.e. customers, contractors, employees, etc., what exactly you hold on them, why you hold it, and where it lives, including any systems outside your own website. This is your data inventory, and it is the first thing you would be asked for if anyone ever came knocking.
- You need to know how the third-party systems you use handle the data you put into them, for example, MailChimp, Office 365, Google Drive, and so on. For this, read each provider’s privacy policy and data processing terms (often called a ‘data processing agreement’), and for US-based providers check whether they are certified under the EU-US Privacy Shield framework, which is what currently allows your data to be sent to them. (Caveat for anyone reading this later: Privacy Shield was struck down by the EU Court of Justice in July 2020, so you need to check what transfer mechanism your provider relies on now.) Add links to this information to your spreadsheet so you have them to hand if you are ever asked to share this.
- Make sure that everywhere you are collecting data, i.e. your website cookies, your mailing list, any quizzes or competitions, etc. makes it incredibly clear what people are signing up to and what you will do with their data.
- If you are using a mailing list, switch on double opt-in. This means that after filling in your form, people get an email with a link they have to click to confirm they definitely want to be on your list. GDPR doesn’t strictly require double opt-in, but it gives you a dated record that consent was actually given by the owner of that address, which you are required to be able to show.
- Consent must be freely given, so marketing consent can’t be quietly bundled into something else. Offering a freebie is fine, but the tick box for marketing emails must be separate, optional and unticked by default (pre-ticked boxes don’t count as consent under GDPR), and opting out must be as easy as opting in. No more of those tiny little “Click here if you do not want to receive marketing from us” lines that you need a microscope to see, those were never ethical and now go against GDPR.
- If data that you have collected is breached (hacked, lost, emailed to the wrong person), it is your responsibility to report it to the ICO within 72 hours of becoming aware of it if it is likely to put people at risk, and to tell the people affected without undue delay if the risk to them is high. Keep a note of every incident, even the ones you judge don’t need reporting, and look at the ICO’s guidance on how to deal with a breach.
- Switch on full-disk encryption on your laptop and phone (FileVault on a Mac, BitLocker on Windows; it is on by default on modern iPhones and most recent Android phones) and look into remote wiping. Encryption protects the data even if a stolen device never comes back online for the wipe to happen.
- Put strong passwords in place for all of your sites and devices, use a different one for each account (a password manager makes this painless), and turn on two-factor authentication wherever it is offered, especially on your email and mailing list accounts. That makes a breach much less likely, and limits the damage if one site’s password does leak.
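Here is what that double opt-in flow actually looks like in code, as an added worked example (an editor’s illustration, not code from the original post or from any mailing list provider, which does this for you if you use one). The names are made up for the example: `MailingList`, `SECRET_KEY` and the example.com link are hypothetical, a real deployment would load the key from configuration rather than generating it on start-up, and the in-memory dictionary stands in for a database.

```python
"""Double opt-in for a mailing list, as a self-contained illustration.

Sign-up only records a *pending* entry and produces a confirmation link.
Only a valid click on that link (right address, untampered token, not
expired) marks the address confirmed and records when consent was given.

Everything here is hypothetical: SECRET_KEY, MailingList and the
example.com URL are made up for the example, and an in-memory dict stands
in for a database.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlencode

# Assumption: a real deployment loads a fixed secret from configuration.
# Generating it at import time (as here) would invalidate every unclicked
# link whenever the application restarts.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600  # how long a confirmation link stays valid


@dataclass
class Subscriber:
    email: str
    signed_up_at: int
    purpose: str                        # exactly what they were told they'd get
    confirmed_at: Optional[int] = None  # None until the link is clicked


def _mac(email: str, issued_at: int, key: bytes) -> str:
    """HMAC over the address and issue time; ties the token to both."""
    return hmac.new(key, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()


def make_confirmation_token(email: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Token is '<issued_at>.<hex mac>'. The address travels separately in
    the URL, so nothing needs looking up before the signature is checked."""
    return f"{issued_at}.{_mac(email, issued_at, key)}"


def verify_confirmation_token(email: str, token: str, now: int,
                              key: bytes = SECRET_KEY,
                              ttl: int = TOKEN_TTL_SECONDS) -> bool:
    """True only if the MAC matches this address and the token is in date.
    compare_digest keeps the comparison constant-time so a forger can't
    learn the correct MAC byte by byte from response timing."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > ttl:
        return False
    return hmac.compare_digest(_mac(email, issued_at, key), mac)


class MailingList:
    def __init__(self, key: bytes = SECRET_KEY) -> None:
        self._key = key
        self._subscribers: Dict[str, Subscriber] = {}

    def sign_up(self, email: str, purpose: str, now: int) -> str:
        """Step 1: store a pending entry and return the link to email out.
        Nothing else is ever sent to an unconfirmed address."""
        email = email.strip().lower()
        existing = self._subscribers.get(email)
        if existing is None or existing.confirmed_at is None:
            self._subscribers[email] = Subscriber(email, now, purpose)
        token = make_confirmation_token(email, now, self._key)
        return "https://example.com/confirm?" + urlencode({"email": email, "token": token})

    def confirm(self, email: str, token: str, now: int) -> bool:
        """Step 2: handler for the link. Records the confirmation time,
        which is the evidence that consent was actually given."""
        email = email.strip().lower()
        sub = self._subscribers.get(email)
        if sub is None or not verify_confirmation_token(email, token, now, self._key):
            return False
        sub.confirmed_at = now
        return True

    def recipients(self, purpose: str) -> List[str]:
        """Only confirmed addresses, and only for what they agreed to:
        plant-care subscribers never receive the knitting course."""
        return sorted(s.email for s in self._subscribers.values()
                      if s.confirmed_at is not None and s.purpose == purpose)

    def remove(self, email: str) -> None:
        """Unsubscribe or erasure request: the record is deleted, not flagged."""
        self._subscribers.pop(email.strip().lower(), None)


if __name__ == "__main__":
    ml = MailingList()
    link = ml.sign_up("Alice@Example.com", "weekly plant care tips", now=1_527_200_000)
    print("would email:", link)
    token = link.rsplit("token=", 1)[1]
    print("sends before click:", ml.recipients("weekly plant care tips"))  # []
    print("confirmed:", ml.confirm("alice@example.com", token, now=1_527_200_060))
    print("sends after click:", ml.recipients("weekly plant care tips"))   # ['alice@example.com']
```

The two things worth copying even if you never write this yourself: the confirmation link is signed, so nobody can confirm an address they don’t control by guessing a URL, and the list only ever sends to addresses that were confirmed for a stated purpose, which is exactly the paper trail the regulation wants you to have.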
I want to finish by saying again that I am in no way an authority on this subject, and the points I have made above are simply notes from my own GDPR journey. It is so important that you take a look at the regulations from the ICO themselves to make your own impressions of them and apply them to your business.
That’s a lot of information to get your head around, but in summary, GDPR is not about stopping you keeping data, it’s simply about making you keep it responsibly. As long as you take steps to ensure you are doing things honestly and transparently, you most likely don’t need to worry.
Good luck with your last minute GDPR preparations, and I’ll see you on the other side!