What is GDPR and what does it mean for small businesses?

If you’re a business owner and you’re not aware of the GDPR, then it’s definitely something you need to get clued up on. GDPR stands for General Data Protection Regulation and it comes into force on 25th May this year. It has major implications for organisations with more than 250 employees, but even sole traders like me need to sit up, take note, and make a few changes in order to comply with the new regulations. Either that, or risk a fine.

What is the GDPR all about?

The first thing to point out is that it is a good thing! It is going to help the likes of you and me to take back control of our personal data. For instance, when you sign up for something, the company  you’re giving your details to can only use your data for the stated purpose, and can’t pass it on or use it for any other purposes. It also means that you have the “right to be forgotten” i.e. you have the right to withdraw consent and the company in question HAS to delete your data.

GDPR is an EU regulation and affects all companies (whether they are inside or outside the EU) that hold and process EU citizen’s data. But if you're UK based, don’t think you can bury your head in the sand and hope that Brexit will mean you can ignore its implications. The digital minister (yes, that really is a position!), Matt Hancock, has confirmed that the UK will replace the 1988 Data protection Act (DPA) with legislation that mirrors the GDPR, post-Brexit.

What is personal data?

GDPR only applies to ‘personal data’ i.e. data that can or could identify an individual. It includes names, email addresses etc, as well as biometric and genetic identifying data. It also includes encrypted data and ‘online identifiers’, such as website cookies.

How will it affect small businesses?

Consent

One of the big concepts of GDPR is around consent. Organisations already need consent to process someone’s data, but until now, they only had to ask once, and could then use the data for multiple purposes. This will no longer be the case, which means organisations have to specify exactly what the data will be used for and then not use it for any other purposes.

So, for example, if you intend to profile someone’s data in order to determine what offers they should receive, you must clearly tell them that is your objective and give them an opportunity to object. Similary, if someone leaves their email address to download a white paper or provides their contact details in order to enter a competition, then you can’t just add their email address to your email newsletter subscription list, as the person didn’t actively agree to that.

On a very positive note, gone will be the days when organisations pre-tick boxes for us. Consent has to be a clear and affirmative opt-in action, freely given with full knowledge of the intended purpose.

Documentation

Another part of the GDPR that will affect small businesses is the requirement to keep a record of these consents. The burden of proof that sufficient consent has been given lies with the company. That means if you are a business owner you will need to prove and show reasonable evidence that you have complied with the GDPR if you are challenged. So, going forward, if you send out email newsletters, you may have to change how you collect and store subscriber’s data. BUT more importantly, GDPR applies to all existing data. If your database includes subscribers whose permissions haven’t been collected according to the GDPR’s standards, or you can’t prove sufficient proof of consent for your contacts, you might not be allowed to send emails to those subscribers anymore.

That’s why you are likely to see many brands and organisations running re-permissioning campaigns before the GDPR comes into effect at the end of May.

Cookie and privacy policies

If you have a website (even just a simple blog site) then you’ll be collecting some kind of information about your visitors – whether it’s through IP data, a sign-up or contact form, or tracking them with analytics or cookies. In which case, according to the Data Protection Act, it is a legal requirement that you already have a privacy policy and a cookie policy. It's most likely these will need updating to be in line with GDPR regulations.  If you don’t have a privacy policy, you risk being sued. If you want to do a bit more research, this might be a good place to start  https://privacypolicies.com (Disclaimer – I’m not necessarily recommending them, I just came across them in my research).

What’s the penalty?

Non-compliance with GDPR could lead to fines of up to 4% of your total turnover or 20 million euros – whichever is higher. It’s pretty clear that the authorities won’t have the bandwidth to go after every organisation that doesn’t comply. They’ll rely heavily on individuals to report violations and I’m pretty sure they’ll focus their efforts on the most serious offenders. But even so, my advice would be to make a few changes to your opt-in processes, cookie and privacy policy statements and how you document/record data. It is good practice and etiquette after all!

My wonderful website company, Sozo, has done a lot of research into the subject, and have been working with legal teams for months, in order to really get to grips with GDPR and it's implications for their website customers. So if you're after more information, then take a look at the myriad of blogs and articles about GDPR on their website.