GDPR for Small Businesses

What is GDPR?
The new General Data Protection Regulation (GDPR) is an important change in data privacy regulation that grants internet users who are citizens of European Union countries new privacy rights. It requires companies that do business in the EU and that have EU customers to follow new rules on how they use and store user data, and for what purposes.

It addresses how companies inform individual users about the personal data gathered about them, and requires that companies honor requests by EU-based users that their personal data not be collected or that it be erased.

GDPR laws are based on guidelines from the World Wide Web Consortium (W3C), which is an international internet standards organization devoted to pushing the internet forward with guiding principles and best practices.

But, I Don’t Do Business In the EU!

Even companies not based in the EU but with customers in Europe must comply with GDPR. These laws apply to any business that works in, recruits from, or advertises in the EU, and there are penalties for non-compliance.

Even if these laws do not apply to you, they uphold a core value among consumers everywhere: privacy matters. Establishing trust and transparency with consumers about your data collection policy is valuable and will probably be required in the US (we hope) in a few years. Recently, California passed its own data collection policy that will take effect in 2020, and other states are following suit.

How To Comply with GDPR

You’ll notice many GDPR-compliant businesses have a website banner or a popup informing visitors of their data collection policy. These banners include an option to accept or decline the cookie policy and a link to the privacy policy for those who want to learn more.

Beyond informing your website visitors of your data collection policy, there are a few other important tasks:

  • You must have someone in charge of managing your data retention policy, and their contact information should be visible on the website. This manager should also handle requests for removal and be the point of contact if a user has privacy questions.
  • You should delete old data that you’re no longer using. Email lists, old customer information, and other data that has no value to you should be erased. The consequences if that data falls into the wrong hands aren’t worth any value it may provide in the future.
  • You should take security seriously. Since breach notification is now mandatory under GDPR, don’t be the company that failed to properly secure its customers’ data. Remove past employees’ access, update passwords, and don’t be afraid to hire outside services and support to keep your data secure.

What to Include in Your Privacy Policy

Your privacy policy should contain most of the information visitors need to know about your data collection policy, your GDPR compliance, and your contact information. It should answer these frequently asked questions about data collection:

  • What data does your company hold?
  • Where does your company store the data, and how is it secured?
  • How long does your company hold on to data?
  • How is this data used and why?
  • Who has access to this data?
  • Who do you share the data with and why?
  • Who should I contact if I want to edit/delete data?
  • What can I do to opt out of data collection?

We get it. GDPR sounds boring and is a little esoteric. When coming up with proper customer-facing compliance language, use playful language and say it how it is, not how lawyers want it to be said. Avoid legal jargon (GDPR prohibits it) and use clear and concise language. This is your chance to stay on-brand in the fine print, and consumers will appreciate that.

Need a Hand?

Here at PointA, we take privacy and security seriously. Whether you need help with a GDPR audit, launching a new website or business that must be GDPR compliant, or just have a few questions, feel free to reach out.
