The basis of the new regulations is simply an attempt to give control of personally identifiable information back to the people who own that data. Namely, us, and not the company borrowing that data.
There seems to be a will to enforce the GDPR that far exceeds any previous effort to regulate personal data. So, whilst you may share the viewpoint above that this is a big deal about nothing, we cannot afford to take it lightly.
In this post I’m going to take on the task of demystifying what the regulation is and how it applies to small businesses in the UK and, more importantly, to their websites.
[Legal disclaimer] – Please note: any information in this article does not represent legal advice, nor should it be interpreted as such. Please seek qualified legal advice for implementation of the GDPR into your business. We are not experts in GDPR, nor do we claim to be.
Now that the tedious disclaimer is out of the way; here goes…
Why are small businesses having such a hard time understanding GDPR?
The trouble with the GDPR regulation, and with most EU legislation, is that whilst it’s very well intentioned, it’s also typically bureaucratic in its delivery and not easy to digest for the likes of the small business owner (certainly those without a large legal team). In fact, one of the main reasons that the GDPR has come into existence is to combat the large American corporations who collect our data to sell to the highest bidder. So, its design has not really been engineered towards smaller businesses at all.
It’s really no wonder that small business owners are having a hard time digesting the contents of the regulation. As smaller business owners we feel estranged from the big legal wheels that make the EU laws, especially when those laws then cost us more time for seemingly little reward.
Before it’s even launched, the GDPR carries the stigma of being covered in layers of dust. Many small business owners carry the belief that it’s behind the times and unnecessarily complex. It’s just hard work for small business leaders to decipher it. The perception is that the governance has been delivered by old people in dusty tweed jackets! Now, whether that perception is accurate or not is another matter. The fact is it exists, and the inability of those who have created the rules to distill the legislation down to help small businesses deal with its demands is typical and concerning. It has led to a lack of trust in the intent behind the forthcoming regulations before they are even implemented.
I apologise to old dusty tweed jacket wearing people who may be offended by this blog post, especially if you keep reading on 🙂
So, what is GDPR and why do we need it?
The forerunner to the GDPR was the DPD (Data Protection Directive). The DPD has actually been around since 1995. However, it’s been about as effective as a chocolate tea-cosy, hasn’t it? Its intention (as with the newer GDPR) has been to protect our data, and a fat lot of good that’s been so far.
I suspect we have all been victims of data breaches at some point or other over the past 10 years. In fact, there isn’t a week that goes by without another major software provider being breached. Every time our personal information is caught up in one of these data breaches we run a far greater risk of then also being victims of fraud, identity theft and blackmail. Previously, even with the DPD in place, there was nothing to really stop the continual abuse of our data by large corporations whose main interest is in their shareholders and profit. Every time personally identifiable information is leaked, more and more people suffer from fraud and identity theft. The consequences of this have often led to suicide by those who feel as though their life is not worth living any longer. Whilst the last point is an extreme, it is clear that something needed to be done.
The GDPR is attempting to put all of the failings of the DPD right and is expected to be far more effective. Cutting a long story short, it is going to be far more consistently applied (it is going to be uniform regulation that spans across the EU rather than being up to each of the individual members to interpret it). It will be farther reaching, cover more eventualities, carry more protection for individuals and also carry far larger penalties for those parties who ignore it. Critically, there also seems to be the will to enforce it!
The GDPR is also attempting to provide governance around ‘personally identifiable information’. Under the GDPR, ‘personal data’ is considered to be any information that could identify an individual. It also applies to all businesses, both large and small.
But will the GDPR actually affect my small business?
The simple answer is almost definitely, YES.
If you run a small business in the UK or somewhere else in the EU, or, crucially, you are targeting EU-based citizens or businesses (you could be anywhere in the world in this case), you are going to be affected by the GDPR and will need to abide by its rules. END.
The above is abrupt and simple. This isn’t just because my fingers are sore from typing and I’m losing the will to live. Essentially, if you’re doing business in the EU you are subject to its laws, and that includes the GDPR. In particular, if you are collecting any personally identifiable information you must comply. Failing to do so will at the very least result in hugely damaged trust in your business and brand by your customers. Worse, you could be fined under those laws.
But, what about Brexit?
Haha! You don’t get out of it that easily! If you’re a business in the UK you’re still subject to the EU regulations and even with Brexit looming somewhere in the near future, you are likely to be for some years to come. So, you can’t get off the hook that way!
Whilst the bureaucrats within the UK may at some point be beavering away with their quills and scrolls, we will have to comply with the (by then) already existing GDPR.
In fact, many schools of thought suggest that post-Brexit we will see EU regulations enforced far into the future. It takes time to create new regulations, and even if the will existed to do this within the UK, the expense alone will ensure that any new GDPR-centric rulings take many, many years to write and enforce.
Okay, but I’m not sure I collect personal data
What’s that you say? You don’t think you gather personal data? Well, for a start, if you don’t, you are a fool and not running your business effectively 🙂 Seriously, I have not come across a business in over 20 years that doesn’t collect personal information. However, the regulation isn’t really about personal data. That’s a myth; it’s about personally identifiable information. That is information such as:
- personal names
- personal or identifiable email addresses
- location data or IP addresses
- medical or other sensitive data
Still not sure? Well, do you have a website form that asks for a name and email address? Yes? That’s personal data, numpty! You had better be careful in how you retain that information or some dusty boring people in tweed jackets might be after you very soon!
The general principles of the GDPR will put the emphasis on businesses to be responsible for the personal data that they gather. There is also a paradigm shift under GDPR around the concept that the rightful owner of any personal data is the person to whom it belongs. That last point is really significant and seemingly blatantly obvious. However, to this point it has never been articulated in a regulation, nor enforced.
But isn’t it more complex than being about personally identifiable data?
Well, no actually, it’s not. The entire regulation is by and large centred around this one label of ‘personally identifiable data’. The resulting regulation carries a lot of complexity on exactly how this is enforced, but the principles are in fact very simple.
If we were to quickly distill down the main points of the GDPR, it would probably be something like the following:
- Be honest and transparent about how you collect and record any personal data in your business
- Do not use personally identifiable information for anything other than the reason the person originally gave you their data.
- Do not give out that personal data to anyone else without permission from the data subject (the individual to whom the data belongs)
- Be specific about the consent you get from people over how you’re going to use their information. In other words, DO NOT capture information via a website contact form and then drop that poor person into your spammy newsletter system that spews out dross every 3 days! Yes, I have seen that particular scenario all too often. Get clear consent from the individual before you throw them into that email bucket when they’ve simply contacted you from your website form.
- Never hold onto the data for longer than absolutely necessary. Exactly how long that is, you can determine to some degree, but you must be able to demonstrate your reasoning on this if you hold onto data for more than 12 months.
- You do not ‘own’ the data, the individual who gave it to you does.
- In relation to the above you will also need to provide contact information or ways in which an individual can request to see the personal data that you hold on them or to have it removed completely (right to be forgotten).
- Another critical change with the GDPR is that you as a business are responsible for the personally identifiable data you provide to third parties! This means that if you use a bulk email service such as Mailchimp, it is your responsibility to ensure that this service is compliant with GDPR before you use it. In turn, it will then be your responsibility to inform any individuals if you are aware of data breaches affecting their data through that third party.
The above covers the spirit of the regulation and gives a nod towards its implementation for small businesses.
So what exactly does the GDPR require me to do?
It’s very difficult for anyone to break the regulation down and suggest a blanket approach that works for all businesses. Every business is different and collects personal information in different ways. Thus, each business will need to approach the GDPR on its own terms.
However, there are some general steps that you can take to ensure you cover all of the major aspects in compliance. We have a short list below that you could follow as a process. It is geared towards ensuring your website specifically complies with GDPR, but could also be extended across other data collection aspects of your business too.
This is a simple (yes, it really is in comparison to others out there) process to help you comply with GDPR:
- Identify whether the GDPR applies to you
- Make sure you’re doing everything in your power to protect the data that you store
- Make it clear how you handle personally identifiable information within your business
- Appoint someone to be the DPO (Data Protection Officer) within your business
- Get clear consent to retain or reuse any data you collect
- Provide a method for people to request removal of their data from your storage
- Comply with any requests from people to see the data you have on them within 3 working days
- Sign up to the ICO (this step is optional) if you haven’t already
How does the above break down on a typical website? How can you make sure that your website complies? Well, let’s break each of the above steps down:
#1: Identify whether the GDPR applies to you and your business website
If it has not already been made clear, let’s just say that if you’re reading this and you are part of a business, it applies to you.
If your business does not operate in an EU area and you do not target people from the EU, you probably aren’t subject to the GDPR.
#2: Make sure you’re doing everything in your power to protect the data that you store via the website
If you have contact forms on your website, the simplest way to be compliant is to make sure that your website is served over HTTPS with an SSL certificate. This ensures that data submitted through your website is encrypted in transit and very hard to intercept.
However, just having a certificate is not enough. Your setup should be modern and use TLS 1.2 to encrypt its traffic. This is just to say that older SSL and early TLS protocol versions are no longer considered secure. I know that this is a sticky point and one that’s likely to leave unanswered questions. If you’re not sure on this point, please consult with your web company.
My advice is to have SSL installed on your website as it is also a crucial Google ranking factor as well as a trust indicator for your audience too. Please see our blog post on SSL to learn more on this.
#3 Make it clear how you handle personally identifiable information within your business
If you are using services such as Google Analytics to track user information, or Facebook pixels, you really should have a cookie notice. In fact, even if you are only hosting social sharing buttons on your website, you should have a cookie notice, and one that allows visitors to opt out.
#4 Appoint someone to be a Data Protection Officer within your business (this may be optional)
We do recommend that you appoint a DPO if you are anything larger than a one person business. There is some debate over this, however, we recommend erring on the safe side.
According to the ICO’s website:
Under the GDPR, you must appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
As we can see, this covers public authorities and businesses large and small who collect significant volumes of data. Exactly what constitutes ‘large volumes’ of data is anyone’s guess. However, we would recommend that virtually every business collecting names and email addresses for mailing lists appoint or nominate a DPO. As yet, we just don’t know how this part of the regulation is going to be enforced.
#5 Get clear consent to retain or reuse any data you collect from the website
This is more specifically oriented towards any data capture forms you may have on your website.
Do you run forms on your website? If not, this doesn’t apply to your website. If you do (and most sensible business websites do) you need to identify what you do with that data.
Some questions to ask yourself to determine whether you should ask for consent are:
- Do you hold onto that data (their name and email address) in a CRM system indefinitely? If so, you must obtain consent to do so.
- Do you throw their contact details into a newsletter system from a standard web form? If this is a standard contact form intended for the user to get in touch with you, then, you must obtain consent to reuse that data in your mailing system.
- Do you ask for people to sign up for your newsletter system and then contact them outside of that newsletter system? Guess what? If so, you must have consent from them to do this!
Seeing any patterns here yet? Wait! There’s more:
- Do you capture name and email address from a ‘Contact Us’ webform, then find their details online and ring them? Again, you should get their permission (probably via the email address they gave you) to do this.
- Do you have a drip email sequence that you offer as part of a bonus sale (as an example)? Great! Then, do you move them from that drip sequence into a monthly newsletter (a common marketing method)? Well, numpty, you now must get consent first.
- Do you have a ‘Request a Callback’ form on your website and then use the information given to email them instead?
Okay, you get the picture. We’re looking at consent, consent, consent. Consent to use their personally identifiable information in any other way than what they specifically gave that information to you for in the first place.
Clear?! I hope so. This is the single most abused topic by small business owners and marketers. GDPR is very specific on needing consent for everything.
The solution for a lot of scenarios is to include a simple checkbox on your contact forms to say something like: ‘I consent to my submitted data being collected and stored’. As long as this checkbox is set to be required, the individual cannot complete the form without giving you that consent. Simple!
#6 Provide a method for people to request removal of their data from your storage
Again, in simplest terms this could be the provision of an email address by which people can contact you to make this request. Or, it could be another webform – but be careful not to reuse that data without consent 🙂
#7 Comply with any requests from people to see the data you have on them within 1 month of receipt
The ICO clearly states:
You must act on the subject access request without undue delay and at the latest within one month of receipt.
If you’re storing their data with third-party providers such as Mailchimp, as long as the provider complies with the GDPR, you will be able to download any data from there and send it back to the individual making the request.
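Steps #5, #6 and #7 above, carried through as server-side code. This is an added example written for this post, not the site’s or any vendor’s own code; ContactStore, Record, sar_due_date and the form field names are hypothetical. The handler refuses a submission whose consent box is not explicitly ticked, binds each record to the purposes actually consented to so a contact-form entry cannot be quietly reused for the newsletter, and serves access and erasure requests, with the one-month reply date computed the way the ICO wording counts it.

```python
# Added example, not code from the original post; all names are hypothetical.
import calendar
from dataclasses import dataclass
from datetime import date, datetime


class ConsentError(Exception):
    """Raised when data would be stored or used without matching consent."""


@dataclass
class Record:
    name: str
    email: str
    purposes: frozenset   # purposes the subject explicitly agreed to
    consent_text: str     # exact wording shown beside the tick box
    collected_at: datetime


class ContactStore:
    def __init__(self):
        self._records = {}  # keyed by lower-cased email address

    def submit_form(self, form: dict, now: datetime) -> Record:
        """Accept a web-form POST. The consent box must be literally True:
        a missing field, a pre-ticked default or "on"/"1" is rejected."""
        if form.get("consent") is not True:
            raise ConsentError("form rejected: consent box not ticked")
        purposes = {"reply_to_enquiry"}
        if form.get("newsletter_optin") is True:  # separate, unbundled box
            purposes.add("newsletter")
        rec = Record(form["name"], form["email"], frozenset(purposes),
                     form["consent_text"], now)
        self._records[form["email"].lower()] = rec
        return rec

    def use_for(self, email: str, purpose: str) -> Record:
        """Gatekeeper that every downstream use (mailer, CRM sync) calls."""
        rec = self._records[email.lower()]
        if purpose not in rec.purposes:
            raise ConsentError(f"{purpose!r} not covered by consent for {sorted(rec.purposes)}")
        return rec

    def export_for_subject(self, email: str) -> dict:
        """Subject access request: everything held on this person."""
        rec = self._records.get(email.lower())
        if rec is None:
            return {"held": False}
        return {"held": True, "name": rec.name, "email": rec.email, "purposes": sorted(rec.purposes),
                "consent_text": rec.consent_text, "collected_at": rec.collected_at.isoformat()}

    def erase(self, email: str) -> bool:
        """Right to be forgotten; True only if something was actually removed."""
        return self._records.pop(email.lower(), None) is not None


def sar_due_date(received: date) -> date:
    """ICO: reply within one month of receipt. Same day next month, clamped
    to that month's last day (31 Jan -> 28 or 29 Feb)."""
    extra_year, month0 = divmod(received.month, 12)  # December -> (1, 0)
    year, month = received.year + extra_year, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))
```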
#8 Sign up to the ICO (this step is optional) if you haven’t already
Whilst this is currently not a requirement for smaller businesses, it is recommended by a lot of people, some who claim to be experts on GDPR, but also by some who really are. I suspect that it also shows willingness to comply with GDPR and will go in your favour if you encounter any disputes.
The ICO is the UK regulatory body responsible for enforcing the GDPR. They have a self-assessment form here that assists you in determining whether you should register with them. I suspect it’s heavily weighted towards you ‘needing’ to sign up with them, as you need to pay a yearly renewable fee of £35 if you’re a business of under 250 employees or a turnover of less than £25.9 million (if only we were over that!).
Resources to help with your GDPR compliance
Below is a sample of helpful resources to help you on your journey into GDPR compliance. The resources are heavily weighted towards UK businesses.
Beware: there are a lot of scam artists out there who are seeking to misinform you and take money from you to ‘ensure compliance’. I suggest you do your own research and rely on information from the ICO (if you’re a UK business).
Here are some links that will help you:
Clearly the template below needs some of your time spent on it. Make sure you fill in the blanks in the supplied template and personalise it to your business specifics.
Here is the template:
Who we are
Our website address is: [your website address]
What personal data we collect and why we collect it
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Who we share your data with
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.
Your contact information
How we protect your data
What data breach procedures we have in place
What third parties we receive data from
What automated decision making and/or profiling we do with user data
Industry regulatory disclosure requirements