GDPR action points for small businesses
As a small business owner, being able to keep up to date with the latest developments in, well, just about every aspect of technology, business, specific industry changes and of course compliance may leave you feeling overwhelmed and unprepared. You’re not gonna like what we say next! The European General Data Protection Regulation (GDPR) is not just coming, consider it here. You must take action now so that your business is compliant with new regulations for secure collection, storage and use of personal information. You may have already marked May 25th, 2018 on your calendar and put it out of your mind, thinking you’ll deal with it then. Follow these GDPR action points for small businesses and make a start now.
We’ve been educating ourselves, attending events, reading guides, researching online so that we can put a plan of action in place for Shake It Up Creative. We hope our efforts help you as well. The first thing is to understand what the GDPR is and how it will affect you. The main aims of the GDPR are to give the general public control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Even companies with fewer than 250 employees (like us, for example) won’t have to employ a Data Protection Officer (DPO) but will still need to comply if they deal regularly with personal data. If you send out e-newsletters and process customer and supplier details, then GDPR will apply to your small business. Non-compliance can result in being fined by the Information Commissioner’s Office (ICO) up to €20 million or 4% of annual worldwide turnover, whichever is bigger and against both data controllers and data processors.
Now confusion may set in for small businesses on whether the GDPR will actually affect them or not because under Article 30 of the regulation, it does declare that “organisations with fewer than 250 employees will not be bound by GDPR unless the processes the organisation carries out are likely to pose a risk to the rights and freedoms of their data subjects”. It is their way of recognising that small businesses require different treatment to larger ones. You must consider how often you will be handling the personal data of your clients, employees and suppliers. If data processing is going to be a regular part of business procedures, then being GDPR compliant is important and the rules will still apply to you and your small business.
What we feel is most relevant to small business owners like us when preparing for GDPR is consent; how to get it, how to keep it, what to do when it is revoked and is it the only way to comply with the GDPR?
- Consent must be unambiguous and freely given
- Requests for consent must be easily understood, accessible and in clear, plain language
- They must be made aware of the name of your business/organisation and any 3rd parties that will process the personal data.
- Third parties must be named, you cannot use a blanket statement for all of your third party access.
- Consent only applies to the purpose for which it has been obtained. For example, if you obtain consent to use personal data for a specific project you must obtain further, separate consent if you wish to use it for marketing purposes.
- Simply putting a tick box to opt-out is not good enough any more. You will need explicit consent.
- Pre-ticked opt-in boxes are not indications of valid consent.
- Consent for multiple purposes needs tick boxes for each activity. Blanket consent is not enough.
- You must make it easy for people to exercise their right to withdraw consent and use clear, plain language when explaining consent.
- Make sure any consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.
- Evidence consent. Keep a record of the manner in which consent was obtained; the purposes for processing personal data; descriptions of the categories of data subjects and of personal data; and if, how and when consent has subsequently been revoked.
- Allow consent to be withdrawn at any time.
- Consent needs to be refreshed every 2 years.
- Consent is one way to comply with the GDPR, but there are also other ways (it’s not the only way) ‘Legitimate interests’ is one of them.
- You do not need explicit consent to send a mailer, letter, brochure or catalogue but you do need to make it clear how they stop getting future mailings and you do need to ensure that the content is relevant.
Are you feeling overwhelmed yet? Sighing deeply into your coffee cup? We are too. So where should you start? Here are our GDPR action points for small businesses:
- Put ensuring GDPR compliance on your agenda and create a plan of action with timelines.
- Start now, don’t wait until May 2018 as there is a lot to consider.
- Carry out a data audit – understand the data you hold, analyse and determine its lawful purposes.
- Audit your contracts and your subcontractor contracts.
- Ensure you do not process data without explicit consent.
- Document evidence of consent.
- Appoint someone to act as DPO and/or handle the GDPR, even if you are a small business with fewer than 10 employees.
- Make sure your website is secure – we can help with this part!
- Put a cyber security strategy in place with a written procedure.
- Create an ‘opt-out’ landing page for direct mail so that you are offering a clear way of opting out.
- Put a procedure in place for a data breach.
- Start and keep a ‘do not contact’ list.
- Get help if you need it. More guidance is continually being published by the ICO on a regular basis.
- Remember, GDPR compliance will be an ongoing task which will require regular monitoring.
Over the next few months, we’ll be following this list of action points and you’ll be hearing from us whilst we go through to review and update, where necessary, internal processes, website landing pages, forms and documents to ensure we are GDPR compliant.
Help and support:
ICO GDPR Helpline
Key compliance points for data processors under the GDPR
GDPR Myths by Information Commissioner Elizabeth Denham
Article 29 Working Party
Mailchimp – Getting ready for the GDPR
The GDPR Race Is On by Irwin Mitchell
Essential Guide to the General Data Protection Regulation (GDPR) for Marketers