GDPR for Small Businesses
What is GDPR?
The new General Data Protection Regulation (GDPR) is an important change in data privacy regulation that grants internet users who are citizens of European Union countries new privacy rights. It requires companies that do business in the EU and that have EU customers to follow new rules on how they use and store user data, and for what purposes.
It addresses how companies inform individual users about the personal data gathered about them, and requires that companies honor requests by EU-based users that their personal data not be collected or that it be erased.
GDPR laws are based on guidelines from the World Wide Web Consortium (W3C), which is an international internet standards organization devoted to pushing the internet forward with guiding principles and best practices.
But, I Don’t Do Business In the EU!
Even companies not based in the EU but with customers in Europe must comply with GDPR. These laws apply to any business that works in, recruits from or advertises in the EU, and there are penalties for non-compliance.
Even if these laws do not apply to you, they uphold a core value among consumers everywhere – privacy matters. Establishing that trust and transparency with consumers about your data collection policy is valuable and will probably be required in the US (we hope) in a few years. Recently, California passed its own data collection policy that will take effect in 2020, and other states are following suit.
How To Comply with GDPR
Beyond informing your website visitors of your data collection policy, there are a few other important tasks:
- You must have someone in charge of managing your data retention policy, and their contact information should be visible on the website. This manager should also handle requests for removal and be the point of contact if a user has privacy questions.
- You should delete old data that you’re no longer using. Email lists, old customer information, and other data that has no value to you should be erased. The consequences if that data falls into the wrong hands aren’t worth any value it may provide in the future.
- You should take security seriously. Since breach notification is now mandatory under GDPR, don’t be the company that failed to properly secure its customers’ data. Remove past employees’ access, update passwords, and don’t be afraid to hire out services and support to keep your data secure.
- What data does your company hold?
- Where does your company store the data and how is it secure?
- How long does your company hold on to data?
- How is this data used and why?
- Who has access to this data?
- Who do you share the data with and why?
- Who should I contact if I want to edit/delete data?
- What can I do to opt out of data collection?
We get it. GDPR sounds boring and is a little esoteric. When coming up with proper customer-facing compliance language, use playful language and say it how it is, not how lawyers want it said. Avoid legal jargon (GDPR prohibits it) and use clear and concise language. This is your chance to stay on-brand in the fine print, and consumers will appreciate that.
Need a Hand?
Here at PointA, we take privacy and security seriously. Whether you need help with a GDPR audit, launching a new website or business that must be GDPR compliant, or just have a few questions, feel free to reach out.