How to Stay GDPR Compliant for Small Businesses
This isn’t the most exciting post, but it is important: if you have a website or offer services and you don’t comply with GDPR, you can be fined up to 20 million euro or 4% of your worldwide annual turnover, whichever is higher.
The General Data Protection Regulation (GDPR) applies from May 25th 2018 and strengthens the rights of individuals in the EU over their personal data. Note that it protects people who are in the EU, not only EU citizens.
Does it Affect You?
If you offer products or services to people in the EU – YES it does
If you collect information from people in the EU (even just an email address or an IP address in your analytics) – YES it does
I’ll start with the aspect of the GDPR that will affect most people reading this.
If you send emails or do email marketing:
Anyone on your email list who did not give explicit consent to receive emails from you must be asked to opt in again, and when they opt in you MUST make it clear that they are giving consent to receive emails from you.
A typical case: someone bought something from you or downloaded a freebie in exchange for their email and was then added to your list automatically. If they never ticked a box giving you permission, and your opt-in or checkout form didn’t tell them that by doing so they were agreeing to be emailed in the future, you MUST ask them to opt in again, and you MUST make it clear that by opting in they are consenting to receive emails from you. Under GDPR, consent has to be a freely given, specific, informed and unambiguous affirmative action; silence, a pre-ticked box or inactivity does not count.
If your opt-in forms or checkout forms DID NOT clearly say that by opting in or buying, the person gives permission to receive emails from you, then you must:
- Update all your opt-in forms and sales pages to include a checkbox (unticked by default, and separate from the terms-and-conditions checkbox) that says the person agrees to receive emails.
- Keep accurate records of everyone who ticked the box (who, when, on which form, and the exact wording they agreed to), so you can demonstrate consent if a regulator or the person asks, and only send emails to people who have a consent record.
If you didn’t already have a consent box and a record of who ticked it, and you send an email after May 25, 2018 to someone in the EU who never consented, you could be fined a very large amount of money (up to 20 million euro).
If you haven’t been specifically asking your opt-ins and buyers for consent to send emails, send an email to everyone on your list asking them to opt in again, and on the re-opt-in page be sure to state that by opting into that form, they consent to receive emails from you.
Yes, this is a big pain in the butt, and your list size will decrease A LOT! But at least you won’t have any problems with a GDPR Supervisory Authority (SA).
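The record-keeping step above is where most small lists fall down: a mailing-list export with no note of how each address got there is not evidence of consent. The following is an added example (not code from the original post) of a minimal consent ledger that stores what a regulator would ask for: who consented, when, on which form, the exact wording they were shown, and whether they actively ticked the box. It then filters the list down to addresses you may email and produces the list of people who need the re-opt-in request. The address list, form names and consent wording are constructed for the example.

```python
"""Consent ledger for a mailing list (added example, assumptions noted inline)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def text_fingerprint(text: str) -> str:
    """Short stable fingerprint of the exact wording shown next to the checkbox,
    so the record still shows what was agreed to after the wording changes."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    granted: bool        # True = opted in, False = withdrew / unsubscribed
    at: datetime         # when, in UTC
    source: str          # which form or page produced the event
    wording: str         # fingerprint of the consent text shown (empty for withdrawals)
    affirmative: bool    # person ticked an unticked box themselves (not pre-ticked, not implied)


@dataclass
class ConsentLedger:
    """Append-only list of consent events; the latest event per address wins."""
    events: list[ConsentEvent] = field(default_factory=list)

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def record_opt_in(self, email: str, source: str, consent_text: str,
                      checkbox_checked: bool, at: datetime | None = None) -> ConsentEvent:
        ev = ConsentEvent(self._norm(email), True, at or datetime.now(timezone.utc),
                          source, text_fingerprint(consent_text), checkbox_checked)
        self.events.append(ev)
        return ev

    def record_withdrawal(self, email: str, source: str,
                          at: datetime | None = None) -> ConsentEvent:
        ev = ConsentEvent(self._norm(email), False, at or datetime.now(timezone.utc),
                          source, "", False)
        self.events.append(ev)
        return ev

    def history(self, email: str) -> list[ConsentEvent]:
        """Every event for one address, oldest first: the evidence you hand over
        if the person or a supervisory authority asks how they got on the list."""
        key = self._norm(email)
        return sorted((e for e in self.events if e.email == key), key=lambda e: e.at)

    def has_valid_consent(self, email: str) -> bool:
        hist = self.history(email)
        if not hist:
            return False  # no record at all means consent cannot be demonstrated
        last = hist[-1]
        return last.granted and last.affirmative

    def mailable(self, addresses: list[str]) -> list[str]:
        """Only these addresses may receive marketing email."""
        return [a for a in addresses if self.has_valid_consent(a)]

    def needs_reconsent(self, addresses: list[str]) -> list[str]:
        """Who gets the re-opt-in request: anyone without valid consent who has not
        explicitly withdrawn (people who unsubscribed must not be asked again)."""
        out = []
        for a in addresses:
            hist = self.history(a)
            withdrew = bool(hist) and not hist[-1].granted
            if not self.has_valid_consent(a) and not withdrew:
                out.append(a)
        return out


# Constructed sample data; Example Co, the addresses and the forms are hypothetical.
CONSENT_TEXT = ("I agree to receive marketing emails from Example Co and understand "
                "I can unsubscribe at any time.")
SAMPLE_LIST = ["alice@example.com", "bob@example.com",
               "carol@example.com", "dave@example.com"]


def build_sample_ledger() -> ConsentLedger:
    led = ConsentLedger()
    t0 = datetime(2018, 5, 1, tzinfo=timezone.utc)
    led.record_opt_in("alice@example.com", "newsletter-form", CONSENT_TEXT, True, t0)
    # bob bought something; no box was shown, so the opt-in is only implied
    led.record_opt_in("bob@example.com", "checkout", CONSENT_TEXT, False, t0)
    led.record_opt_in("carol@example.com", "lead-magnet", CONSENT_TEXT, True, t0)
    led.record_withdrawal("carol@example.com", "unsubscribe-link",
                          datetime(2018, 5, 10, tzinfo=timezone.utc))
    # dave is on the exported list with no consent record at all
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("mailable:", ledger.mailable(SAMPLE_LIST))
    print("send re-opt-in to:", ledger.needs_reconsent(SAMPLE_LIST))
    for ev in ledger.history("carol@example.com"):
        print(ev)
```

The ledger is append-only on purpose: a withdrawal is recorded as a new event rather than by deleting the opt-in, so you can still show that consent existed for the emails sent before the person unsubscribed. Storing a fingerprint of the wording rather than just "consented = yes" matters because the question you will be asked is what the person was told, not only whether they ticked something.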
Is it worth the hassle and decreased list size?
When it comes to how the GDPR will be enforced, it’s up to each EU country to assign its own SA, and then each SA will have its cronies who find offenders and take action against them. I’m pretty sure they will only be targeting big companies that are collecting lots of data.
I don’t think small companies or mom & pop shops will have much to worry about. I can’t say for sure, since nothing has gone into effect yet, but if you think about how many small businesses (globally), bloggers, websites, etc. will be violating a few rules of the GDPR, the number is in the millions.
I’m NOT saying that if you’re a small blogger, or have your own small company, you shouldn’t be GDPR compliant. I’m just saying that the enforcement aspect of it (considering how many specific rules and requirements the GDPR has) is practically impossible unless they have some incredible AI technology that does all the work for them.
ACTIONS YOU SHOULD TAKE NOW
- Add a Cookie Consent script or plugin to your page. To actually satisfy the consent rules it has to hold back non-essential cookies (analytics, ad pixels, audience tracking) until the visitor agrees, not just show a banner. I use WeePie Cookie Allow for my WP sites; it meets all GDPR cookie consent requirements and only costs $20 per website.
- Publish a privacy policy on your site that states:
  - What personal information you collect
  - How and why you collect it
  - How you use it
  - How you secure it
  - Any third parties with access to it (email provider, payment processor, hosting, analytics)
  - Any cookies you use (Google Analytics, FB Audiences, etc.)
  - How users can control any aspect of this
  - The 8 rights of users (covered later in this post)
In my opinion, big companies with large user databases will have to take a lot of action to be GDPR compliant, because if they don’t they could get in a lot of trouble.
I don’t think small companies really have a lot to worry about if they’re only collecting basic personal information, they’re not selling it or giving it to others, and they follow the two actions I listed above.
If you collect information
You must first determine what type of information you are collecting: Personal Information (the regulation calls it "personal data") or Sensitive Personal Information ("special categories of personal data"). The second kind carries stricter conditions.
Personal Information is anything that can identify a living person, directly or together with other data. Examples include:
- Name, postal address, phone number
- Email Address
- Photos or Videos
- Online Identifiers – IP addresses, cookies, device IDs, etc.
If you collect personal information, you must follow these 6 privacy principles:
- Lawful, Fair and Transparent – Data processing must not violate the GDPR tests. You must be open about what you’re collecting, and what you actually do with the data must match what you claim.
- Limit your Purpose – Only collect data for “specified, explicit and legitimate” purposes and don’t use it for other purposes without further consent.
- Minimize Collection – Limit the amount of data you collect to what’s adequate, relevant and necessary for the purpose. If you only need an email address, don’t ask for a phone number.
- Be Accurate – Make sure the data you collect is accurate and kept up to date, and correct or delete it when it isn’t.
- Limit Storage Time – Keep data for no longer than necessary and remove it once it’s no longer required.
- Protection and Confidentiality – Handle data carefully so as to secure it against unauthorised access, loss, damage and destruction (for example HTTPS on forms, access controls on the database, and backups).
You must also satisfy at least one of the following processing conditions (the "lawful bases"):
- Consent – This one will be the most common for most readers. It means the person opted in to a form or consented in some other clear way for you to collect their personal information, and it can be withdrawn at any time.
- Necessary for performance or prep of a contract with subject
- Necessary for legal obligation compliance
- Necessary to protect vital interests when consent isn’t possible
- Necessary for performance of public interest task or exercise of vested official authority
- Necessary for purpose of legitimate interests
For those who collect Sensitive Personal Information (things like racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, health data, and sex life or sexual orientation), you must comply with the same 6 privacy principles listed for those who collect personal information, and in addition satisfy at least one of the following processing conditions:
- Have explicit consent of subject, unless reliance on consent is prohibited by EU/Member State law
- Necessary for fulfilling obligations under employment, social security, social protection law or collective agreement
- Necessary to protect vital interests when consent isn’t possible
- Processing is carried out by not-for-profit for members/former members and there is no third party disclosure
- Data is made public by subject
- Necessary for legal claims or courts
- Necessary for reasons of substantial public interest under law, with safeguard measures in place
- Necessary for medical purposes on the basis of law or contract
- Necessary for public health interests such as cross-border threats
- Necessary for archiving purposes in public interest, science or research
A Data Protection Impact Assessment (DPIA) is required when your processing is likely to result in a high risk to individuals, for example large-scale processing of Sensitive Personal Information, systematic monitoring of people, or automated decisions that have legal or similarly significant effects. A small site collecting email addresses for a newsletter normally doesn’t need one, but if you handle Sensitive Personal Information you should assume you do.
You’ll also have to implement Privacy by Design and by Default (PbD): build data protection into how you collect and store data from the start, and make the least-intrusive setting the default rather than something users have to opt into.
And respect the 8 rights of users:
- To be informed – Provide transparent information about how you process their data (this is what the privacy policy is for)
- Of access – Let individuals get a copy of the data you hold about them, and tell them why you hold it and who you share it with
- Of rectification – Let individuals correct incomplete or inaccurate data
- To erasure – Individuals can request that you delete their data (this has to reach your email provider and any other third parties you passed it to as well)
- To restrict processing – Individuals can require you to stop using their data while still storing it, for example while a dispute over its accuracy is resolved
- To data portability – Individuals can receive their data in a structured, commonly used, machine-readable format so they can reuse it with other services
- To object – Individuals can object to the processing of their data, and an objection to direct marketing must always be honoured
- In relation to automation – Individuals are protected from decisions based solely on automated processing (including profiling) that have legal or similarly significant effects on them
Those are the overall things most of you reading this will have to comply with, but for larger companies and those who collect large amounts of data, there is a lot more involved.
Part 1 of 4 (rest coming soon)