GDPR For Small Businesses
How relevant is GDPR for small businesses when there’s just you involved?
Most of my clients tend to be sole traders or employ very few people, often outsourcing much of the work they don’t want to do themselves to Virtual Assistants.
As most of what you read seems to refer to HR Departments and multi national companies, it would be easy to make the assumption that GDPR, the General Data Protection Regulation that comes into effect in May 2018, doesn’t really matter for small businesses.
But you would be so very wrong! And working out what GDPR means for your small business may well increase your stress levels.
DID YOU KNOW…
I knew you probably wouldn’t know.
Here’s a very detailed article concerning GDPR for small businesses
Do you collect your visitors’ email addresses, maybe in return for a download of an e-book?
If either of these two simple examples is true, then you need to pay attention because YOU NEED TO TAKE ACTION.
And how about this one…
Do you keep your customer contact details (email address, phone numbers) on your mobile phone?
I’m sure you do.
How secure is that data if you lost your phone or had it stolen? Unless you have fingerprint or face recognition security on your mobile, it might be construed that you are not taking the security of your data seriously.
The following video is a good clear introduction and the link above is to a very detailed explanation of the rules and what you particularly need to be aware of.
It’s important I point out right here that I cannot give advice on the subject of GDPR for small businesses, and the information and resources I provide here are to help you identify what you need to know and assist in your own research. You may well need to take professional advice as to how GDPR will affect you and your business specifically.
I decided to buy-in the required documentation rather than try to cobble something together myself that wouldn’t be compliant. See here
As a sole trader you will almost certainly fall into both categories of data controller and data processor.
For example, if you are an electrician and you manage your customer details via a contact management app on your phone (particularly where the data is stored in the cloud) you would be the controller and the third party app provider the processor.
But if you kept all of your data on a spreadsheet you’ve created yourself, you will be both the controller and processor.
Getting complicated, huh!
And what about where your website is hosted? Let’s say you use a hosting company in the USA (or a UK company with a data centre in the US): you are effectively passing your clients’ data to a data processor outside of the EU, and it is YOU who are responsible for knowing that they will meet the GDPR requirements.
One of the key responsibilities is as follows:
You must conduct due-diligence on your supply chain (people you use to provide YOU with services) to ensure that all suppliers and contractors are GDPR-compliant.
If they are not, you will be impacted by any breaches and consequent penalties.
You’ll also need to ensure you have the right contract terms in place with those suppliers (which puts important obligations on them, such as the need to notify you promptly if they have a data breach).
As you will understand by now, just thinking that GDPR only impacts big business could be a big mistake. You need to be both aware of the rules and take action to ensure you can demonstrate your compliance.
Here’s a big takeaway re GDPR for small businesses:
Your website is a huge giveaway.
It is there for anyone in the world to see.
If you are not compliant with the GDPR rules (i.e. incorrect, or worse, no documentation) then you are in full and very plain view of everyone – your customers and clients, competitors, enforcers and regulators.
There is no hiding place!
What action should you take re GDPR for small businesses and in particular – YOURS?
The first step is definitely to make sure you understand the requirements.
You may need to make some adjustments regarding your use of data and in particular what information you ask for. For instance, do you really need to have details of a customer’s address or age? If you are not going to use that information then you shouldn’t be asking for it.
You need to fully understand what you do with that data and where it goes.
You need to review your contracts (arrangements) with your suppliers to ensure they are compliant.
Think about the security of your electronic data records – what would happen if you lost your laptop or mobile phone?
And you must make sure you are using suitable documentation on your website AND that it is displayed appropriately – requests for consent can no longer be hidden in small print but must be presented clearly, and separately from other policies on your website or communications – so no more pre-ticked boxes if you wish to contact customers for marketing purposes, for example.