GDPR is rightly everywhere at the moment. We know the deadline for compliance is looming, but many of us are confused about what we actually need to do to comply. What does it mean for small business owners? Jude Peppis, from The Typeface Group, has compiled a beginner's guide to get you started...
What is GDPR for businesses?
GDPR for businesses is a massive change to how those who sell goods or services in the EU can use customer or client data, and it encompasses much more than you may think. It's not just for businesses that send out email campaigns. For example, if you have Google Analytics running on your website (and you should), then you need to ensure that you are compliant. This covers both what you do with that data and ensuring that Google, or whichever software you have chosen, is also compliant.
The legislation is changing because the digital world around us is changing too. It is the biggest change to data protection legislation in over 25 years and it will push data protection to the forefront of people's minds. You need to be compliant to avoid big penalties: these could be as much as $420m (£17.2m) or 4% of the company's total worldwide annual turnover, whichever is higher. So, now is the time to act and get ready for GDPR for businesses.
What do I need to do now?
There are a number of GDPR for business measures which can be put into place simply, easily and cost-effectively:
Your website needs a straightforward explanation of what data you collect, what you plan to do with that data and how long you are going to store it for. It needs to be jargon-free so that all of your website visitors can understand it. It also needs to cover:
What personal information is collected, how it is collected and why.
Which third parties you share that information with.
What this will mean for the person.
How people can review their data, request changes, ask for removal or complain about the use of their data.
An SSL certificate
A Secure Sockets Layer certificate (today, strictly speaking, a TLS certificate; SSL is the older name that has stuck) gives you that nifty little padlock in the browser bar. It demonstrates to your website visitors that you take security seriously, as it shows that you encrypt data in transit between their browser and your site. Google also warns website visitors that sites without a certificate are not secure. As a business, that's the last thing you want, as it could put people off clicking through to your site, let alone sharing their precious data with you.
Opt-in or opt-out
GDPR for businesses means that you can no longer assume consent to send marketing communications. You need explicit permission, and a record of exactly what people have agreed to. You also need to be able to produce this information if you are audited: when and how they gave consent, and the ability to remove their details when requested. You will no longer be allowed to pre-tick the consent box on your online forms, registrations and checkout pages. You also can't presume that because someone has contacted you they want to be added to your marketing and sales lists. Also, make it easy for your customers to opt out. Have an unsubscribe button, opt-out landing pages and options for unsubscribing offline, such as a phone number, so you tick all of the GDPR boxes.
What do I need to do going forward?
Keep your records up to date. Draw up a database of everyone who has given permission for you to contact them. Log when, where and how they gave you that permission.
Draw up a ‘do not contact’ list of everyone who has given you their details when, for example, making a purchase, but who does not want to be contacted. Log every unsubscribe request on this list and stick to it religiously.
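One way to keep the records the two steps above call for, as an added example in Python that is not the guide's or The Typeface Group's code: a consent register that logs when, where and how each person opted in or out, refuses pre-ticked consent, treats "no record" as "no consent", and keeps a "do not contact" list that is checked before every send. The class and method names are assumptions for illustration.

```python
# Added example (not from the original guide): a minimal GDPR consent register.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One auditable record: who, for what purpose, when, where and how."""
    email: str
    purpose: str    # what they agreed to, e.g. "email newsletter"; "all" for a blanket opt-out
    action: str     # "opt_in" or "opt_out"
    when: datetime  # UTC timestamp of the event
    source: str     # where it happened, e.g. "website signup form", "phone"
    method: str     # how it was expressed, e.g. "user ticked an unticked box"


class ConsentRegister:
    """Append-only consent log plus a blanket 'do not contact' suppression list."""
    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []
        self.do_not_contact: set = set()

    def record_opt_in(self, email: str, purpose: str, source: str, method: str,
                      explicit: bool, when: Optional[datetime] = None) -> None:
        # Consent must be an affirmative act: a pre-ticked box or a past purchase is not consent.
        if not explicit:
            raise ValueError("consent must be explicit; pre-ticked boxes do not count")
        self.events.append(ConsentEvent(email.lower(), purpose, "opt_in",
                                        when or datetime.now(timezone.utc), source, method))

    def record_opt_out(self, email: str, source: str, purpose: str = "all",
                       when: Optional[datetime] = None) -> None:
        # Every unsubscribe request, online or offline, is logged; purpose "all" suppresses everything.
        self.events.append(ConsentEvent(email.lower(), purpose, "opt_out",
                                        when or datetime.now(timezone.utc), source, "unsubscribe request"))
        if purpose == "all":
            self.do_not_contact.add(email.lower())

    def can_contact(self, email: str, purpose: str) -> bool:
        """True only if not suppressed and the most recent event for this purpose is an opt-in."""
        email = email.lower()
        if email in self.do_not_contact:
            return False
        relevant = [e for e in self.events if e.email == email and e.purpose == purpose]
        return bool(relevant) and relevant[-1].action == "opt_in"   # no record means no consent

    def audit_trail(self, email: str) -> List[Tuple[str, str, str, str, str]]:
        """What an auditor asks for: when, where and how each consent was given or withdrawn."""
        return [(e.when.isoformat(), e.purpose, e.action, e.source, e.method)
                for e in self.events if e.email == email.lower()]
```

Call can_contact before every campaign send; a blanket opt-out stays in force even if a later opt-in is recorded, which is the "stick to it religiously" rule above.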
Your company’s data controllers and processors also need to keep track of how GDPR for businesses is being put into practice. Data processing policies and principles need to be drawn up and followed at all times. Keep records up to date and be ready, willing and able to share them at the touch of a button.
Audit any software, hosting company or partner that holds any of your data. This goes much further than your customers, so also consider your employees' data and your company's own data. For example, if you outsource payroll, is that provider GDPR compliant? If you use 'the cloud', are those services working in line with GDPR for businesses? What about your website hosts? There is a lot to think about. You need to prove you have done your due diligence to keep all data as safe as possible, so that you do not end up carrying half of the blame for a data breach.
Where can I find more information?
Have a look for the events or webinars being hosted in the run-up to the law coming into force in May. There's also a report on GDPR for businesses available to download here. You can also join The Typeface Group, who are partnering with Matthew Lea from Herrington Carmichael for a Facebook Live Q&A with Women Who Do on 21st March, from 1pm-2pm. Simply register here: https://www.womenwd.co.uk/events/gdpr-live-q-a-session
About the Author:
Jude Peppis is a Senior Communications Executive for The Typeface Group, a Hampshire-based marketing and communications agency.
The company is spearheaded by Polly Buckland and Natalie Weaving, SME owners and mums.