And how it’s not that bad for small businesses.
First of all, let’s understand why we are being asked to do this large bit of red tape.
To be honest, the Facebook and Cambridge Analytica scandal couldn’t have come at a more opportune time to show why we need to understand the power of data — our own and other people's personal details — and the benefits of setting regulation to keep them safe. Of course no one wants their data to have been used in that scandal, we feel violated… but awakening us all to this new data currency is no bad thing.
The GDPR (General Data Protection Regulation) is a huge piece of legislation, in some clauses new and in others an update of what was there before. It applies to any business that holds or uses personal data about people in the EU, wherever that business is based, and it has been carried over into UK law after Brexit (as the UK GDPR), so leaving the EU does not make it go away.
It does, however, give small businesses some lighter obligations, so here is a guide to the GDPR requirements a small business actually needs to deal with.
What is personal data?
It is any information relating to an identified or identifiable living person. This could be an email address, phone number, name, age, bank details, medical details, friends, no claims bonus, pet’s name; if it can be linked to a person, it is personal data.
What lawful basis does your data ‘processing’ sit under?
It is important to know, and to state, the lawful basis your data collection and use (i.e. processing) sits under, and the GDPR gives a clear list.
The lawful bases for processing under the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
As a small business we are most likely dealing with (a) Consent and (b) Contract, so I will talk about those two bases. Marketing to existing customers and keeping records of enquiries often rests on (f) Legitimate interests instead, and payroll or tax records on (c) Legal obligation, so note which applies to each kind of data you hold. If your business has a more complex way of processing data then it is worth reading the full details from the Information Commissioner’s Office (ICO), the UK’s independent data protection regulator.
Consent will come in most cases from newsletter sign-up, where you clearly state what people are signing up for and what they will receive in return from you. Let them know you will not share their details with third parties, or if you do, who that third party is and why it benefits them. Keep a record of when and how each person consented (date, form, wording shown), because under the GDPR you have to be able to demonstrate it.
Contrary to some sources, a double opt-in (signing up, receiving an email and then confirming again) is not obligatory under the GDPR, though it does give you a better record of consent.
If you are requesting data via a form (other than one whose sole clear purpose is to collect addresses for a mail list) then it is best practice to have an unchecked ‘opt-in’ box for marketing; this is not obligatory if the soft opt-in below applies.
The Soft opt-in
In the past it has been possible to send follow-up and marketing emails to people who have become clients or customers, or who have enquired about buying a product or service. This ‘soft opt-in’ comes from the PECR (Privacy and Electronic Communications Regulations) rather than the GDPR itself, and it still applies, on three conditions: you collected the details during a sale or negotiations for a sale, you only market your own similar products or services, and you gave the person a simple way to refuse both when you collected the details and in every message since, such as an unsubscribe link at the bottom of each marketing email.
The soft opt-in wording from the ICO is:
‘Where you've obtained a person's details in the course of a sale or negotiations for a sale of a product or service.’
To be completely safe it would be good to have an unchecked ‘opt in to our newsletter’ checkbox at the point where the soft opt-in would otherwise apply. We all know that this does not convert as well, so if you rely on the soft opt-in, be sensible and clear and only send marketing that is directly related to the goods and services the person bought or asked about.
Sending marketing emails
If you use Mailchimp, Campaign Monitor, Brief your Marker, Hubspot or another industry-recognised marketing platform to store your lists and send out campaigns then chances are the platform itself complies with the GDPR, but you remain responsible for how you use it. The main points: make sure your business address is on the email, say how the person came to be on the list (e.g. ‘you signed up via the mail list form on our website’ or ‘you are a client of our business’), and include a clear unsubscribe link. It is worth checking the platform’s own GDPR guidelines as well, and keeping the consent records it stores (date, source, form) as your evidence.
The same goes for marketing by phone, text or post. Unsubscribing is a little harder on these channels (a text or letter needs a reply address or short code), relevance is especially pertinent for phone marketing, and live marketing calls must also be screened against the Telephone Preference Service (TPS) unless the person has told you they do not object.
Small businesses have less to do
If your business has fewer than 250 staff, the GDPR exempts you from keeping a formal record of processing activities, but only where the processing is occasional, is unlikely to result in a risk to people’s rights and freedoms, and does not involve special category or criminal offence data. Regular handling of customer, supplier and employee data is not ‘occasional’, so in practice most small businesses still need a simple record of why personal data is collected, what is stored and for how long. To see the full details for small businesses check here https://ico.org.uk/for-organisations/business/
Data Protection Officer (DPO)
Small businesses are not required to appoint a DPO unless they are a public authority, or their core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data; for details see the ICO’s DPO guidance.
So what do you have to do as a small business?
Audit your data
Take stock of all the personal details you hold (whether collected online or offline) and make sure the list is ‘clean’, i.e. those people are a customer or client, have sent a genuine enquiry, or have signed up to your mail list, and you can say which of these applies to each record.
If this is not the case and you still want to keep their information, you may need to ask them to confirm. Be careful here: an email asking someone to opt in is itself a marketing email, so only send it to people you already have a lawful route to contact, for example existing customers under the soft opt-in. Emailing a bought-in list, or people who never opted in, to ask for their permission has already led to ICO fines; where you have no lawful route, delete the record rather than email it.
For everything else, keep only what is relevant, make sure you can give a valid reason why you hold it and how it can be removed, and note how long you will keep it. Think about the data you hold on suppliers and employees too; if there is anything you are unsure about, remove it or re-permission it.
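As an added example (not part of the original article), here is a small Python script that applies the audit rules above to a contact export: it keeps records with a clear basis (a customer, a sign-up with recorded consent, a recent enquiry), flags sign-ups with no recorded consent for re-permissioning, and marks everything else, including bought-in lists and blank records, for deletion. The column names, the sample rows and the one-year retention period for enquiries are assumptions for the example; map them to whatever your CRM or mailing platform actually exports.

```python
"""GDPR contact-list triage.

Added example, not from the original article. It assumes a contact
export with the columns email, source, collected (ISO date) and
consent_evidence; real CRM or mailing-platform exports will differ.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumed retention period for an enquiry that never became a sale.
ENQUIRY_RETENTION_DAYS = 365

# Date the audit is run; fixed so the example is reproducible.
AUDIT_DATE = date(2018, 5, 25)

# Constructed sample export (not real people or real data).
SAMPLE_EXPORT = """\
email,source,collected,consent_evidence
alice@example.com,customer,2017-06-02,
bob@example.com,newsletter_signup,2018-01-15,web form 2018-01-15 12:03 UTC
carol@example.com,newsletter_signup,2016-09-30,
dave@example.com,enquiry,2018-03-01,
erin@example.com,enquiry,2015-11-20,
frank@example.com,purchased_list,2017-02-02,
,customer,2017-06-02,
"""


@dataclass
class Decision:
    email: str
    action: str  # "keep", "repermission" or "delete"
    reason: str


def triage_contact(row: dict, today: date) -> Decision:
    """Decide what to do with one contact record, following the audit rules."""
    email = (row.get("email") or "").strip().lower()
    source = (row.get("source") or "").strip().lower()
    if not email:
        # Nothing to identify or contact the person by: no reason to hold it.
        return Decision(email, "delete", "no usable identifier")
    if source == "customer":
        # Contract basis for the account; soft opt-in covers marketing.
        return Decision(email, "keep", "contract: customer record")
    if source == "newsletter_signup":
        if (row.get("consent_evidence") or "").strip():
            return Decision(email, "keep", "consent: sign-up recorded")
        # Consent is claimed but cannot be evidenced, so ask again or drop.
        return Decision(email, "repermission", "consent claimed but no record of it")
    if source == "enquiry":
        age_days = (today - date.fromisoformat(row["collected"])).days
        if age_days <= ENQUIRY_RETENTION_DAYS:
            return Decision(email, "keep", "legitimate interest: recent enquiry")
        return Decision(email, "delete", "enquiry older than retention period")
    # Bought-in lists, scraped addresses and unknown sources have no basis.
    return Decision(email, "delete", f"no lawful basis for source {source!r}")


def audit(export_text: str, today: date = AUDIT_DATE) -> List[Decision]:
    """Run the triage over every row of a CSV export."""
    reader = csv.DictReader(io.StringIO(export_text))
    return [triage_contact(row, today) for row in reader]


def summarise(decisions: List[Decision]) -> Dict[str, List[str]]:
    """Group addresses by action so each list can be handed on."""
    summary: Dict[str, List[str]] = {"keep": [], "repermission": [], "delete": []}
    for d in decisions:
        summary[d.action].append(d.email)
    return summary


if __name__ == "__main__":
    for d in audit(SAMPLE_EXPORT):
        print(f"{d.action:13} {d.email or '<blank>':20} {d.reason}")
```

The reason string on each decision is the part worth keeping: written into your data inventory it is the documentation of lawful basis and retention that the rest of this page asks for, and the ‘repermission’ list should only be emailed where you have a lawful route to do so.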
Sensitive (special category) data and payment details
Payment details are not ‘special category’ data under the GDPR (that term covers things like health, racial or ethnic origin, religious or political beliefs, trade union membership, sexual orientation, biometric and genetic data), but they are high risk. If users have accounts that store payment details, HTTPS (TLS) only protects them in transit; stored card numbers fall under the PCI DSS rules, so the simplest option is not to store them yourself and let your payment processor hold them. Any genuinely special category data you keep must be justified under an additional Article 9 condition as well as a lawful basis, stored securely and encrypted at rest, and kept only while relevant. See the full details on special category data on the ICO site.
Document your processing
- State each lawful basis your business processes data under
- Document what data you collect and from where
- List how you use it, and by what method you may contact people using it
- If you collect personal data on your site using third-party services (e.g. Google Analytics, a form block connected to MailChimp or Google Drive), document what and why and link to the third party’s GDPR policy
- If you export data from your website into another system, document what and why and link to the third party’s GDPR policy
- If you share information with a third party, state who and why and link to the third party’s GDPR policy
- Be clear about how a user, client or customer can stop marketing (an unsubscribe link) and how they can ask for their data to be deleted altogether (the right to erasure), which an unsubscribe alone does not do
- And finally add clear contact information so they can reach you with any question or a request to remove their data
And to recap:
- State your lawful bases
- Audit your data
- Document how and why you process data
- Re-permission any ‘unsure’ details, but only where you have a lawful route to contact the person
- Delete any un-required data
- Create clear contact points for questions and for removal of data
- Amend your method of data collection and add an unchecked opt-in where necessary
I am a freelance UX Consultant, Website Designer, Logo Designer and Graphic Designer based in Woodbridge, Suffolk. Contact me for more information.