Every online business knows that data is king. Handled properly, data can be a gold mine for businesses. But if you mismanage your data, your organization could be in a heap of trouble. Today, we’ll look at how to be GDPR compliant and why it’s so crucial for small businesses.
What is GDPR?
Let’s start with the basics. In recent years, lots of new pieces of data legislation have appeared. One of the biggest names is the General Data Protection Regulation (GDPR). Users have become much more wary of their data and how companies use it. GDPR was designed to give people more control over their personal information.
The legislation centers around the issue of consent. Before a business can gather any information about a user, they first need permission. GDPR relates to all personally identifiable information. This includes phone numbers, email addresses, credit card details, and IP addresses.
As well as the collection of data, GDPR also applies to storage. Data must be stored securely and in a way that protects the confidentiality of a user. Information should also be stored for the shortest amount of time possible. Essentially, you shouldn’t hang onto data any longer than you need it.
But what’s the penalty for breaking GDPR? The legislation outlines an eye-watering maximum fine of €20 million, or 4% of an organization’s annual turnover, whichever is higher. It’s important to note that the majority won’t come close to this number. But the severity of the punishment indicates how seriously authorities treat the issue.
And don’t go thinking that you can avoid punishment. So far, there has been at least $1.2 billion worth of fines since January 2021.
Aside from the areas mentioned above, there are other key areas to GDPR. These include:
A right to know and delete
To place more control in the hands of users, people now have two different data rights. The first is the right for a user to know exactly what data a company holds about them. Under GDPR, if you receive a data request, you must respond within one month. You also cannot charge a user for sending data.
The second right is that users now have the ability to request that you delete their data. There’s no flexibility here. If you receive a deletion request, you must delete the data. The only circumstance where this isn’t the case is if data maintenance is necessary for legal reasons.
Data relating to children under 16
When it comes to data that relates to children under the age of 16, user consent isn’t enough. You’ll need authorization from the parents or legal guardians of the child before gathering data.
Customers can opt out of marketing
Customer data is critical for improving your marketing. But don’t think you can use all customer data in your marketing. Customers can request that any data collected about them be excluded from your marketing campaigns. Abiding by customers’ wishes is a vital part of GDPR compliance.
Does GDPR apply to non-EU businesses?
Even if your business isn’t from the EU, GDPR still most likely applies to you. If you collect data from users based in the EU, you still need to comply with the legislation. So, if you haven’t already, it’s best to become GDPR compliant as soon as possible.
GDPR best practices
Whilst there are many GDPR-compliant small businesses, the topic is a minefield. As we’ve explained, there are many different aspects to GDPR. Knowing exactly where to start can be difficult.
Luckily this article is here to set you on the right path. Let’s look at some GDPR best practices.
Consider your data
How and why are you collecting data?
Before implementing any processes or procedures, you need to look hard at your data collection. Data-driven companies will have a clear overview of their data. But smaller businesses won’t have gone into such granular detail.
An important part of GDPR compliance is explaining how and why you collect data. Take time to assess all your planned data collection activities and establish a legal framework for each.
When assessing your data, think about the following areas:
Products or services – Do any of your products or services collect user data? If so, what processes are in place to gather information? How does the information gathered help you?
Customer Contracts – Are customer contracts GDPR compliant? To be GDPR compliant, a contract should clarify the following:
- Why you are processing data.
- The duration and purpose of processing.
- The rights and duties of the data controller.
- The format of the data collected.
Data analytics – Your website can be a goldmine of data. How are you collecting data from your website? Do you have systems in place to notify users about data collection (more on this later)?
Is your data secure?
Having a legal foundation for your collection is a vital first step. Next, you need to start thinking about data security. Are there any potential weaknesses in your security? What steps can you take to close the gaps? Do you have an action plan for when a breach does occur? Try to consider a variety of scenarios, no matter how unlikely.
Not only can a breach hurt your customer loyalty, but it can also be a compliance issue. Under GDPR, you must report some types of data breaches to the Information Commissioner’s Office. And you can’t delay; you must report data breaches within 72 hours of the event.
There’s no use in only a few people knowing about GDPR. If an employee deals with any aspect of personal data, they must understand GDPR. Once you’ve educated yourself, be sure to take time to spread awareness amongst your broader organization.
Below are three simple steps that can help you spread GDPR awareness.
- Make information readily available – Outline compliance policies in the documentation. Store these in your document management system to ensure they are always available.
- Always train – Policies are important, but alone they are not enough to educate employees. If staff are to comply with policies, they first need to understand them. Don’t let the cost of training put you off. Compliance is worth the extra money.
- Outline responsibilities – GDPR means that some internal procedures need to change. This ranges from the way you collect data, to the way you notify customers of any data breaches. New procedures also mean new responsibilities for staff. Make sure that each team member has a clear understanding of their role.
Plan for data deletion
As mentioned earlier, you could receive a data deletion request at any time. If you do, it’s key that you respond as quickly as possible. You’ll need a plan to delete Personally Identifiable Information (PII). The easiest strategy is to remove PII from Google Analytics (GA).
The process of removing PII can be complicated, but it’s much simpler if you’re using an analytics tool such as GA.
Invest in a cookie management platform
As mentioned, a key pillar of GDPR is consent. You can’t collect information about a website user without them first agreeing. But how can you gain consent? The easiest way is by using a consent management platform (CMP).
While the term might be new to you, CMPs are extremely common. In fact, it’s almost guaranteed that you’ve already seen one in action. When you arrive on a webpage, you’ll get an option to accept or reject cookies. You’ll also get information about how a website is collecting, processing, and storing data.
This automated system is powered by a CMP. Once a user has chosen, cookies behave based on these preferences.
And there is also no shortage of choices when it comes to CMPs. The most popular choice is CookieBot, but there are other options available such as OneTrust and Cookie Control. Each option has its own benefits. Take time to research and choose an option that works for you.
What if I don’t want to use a CMP?
You might find that none of the options properly suit your website. Instead, you need a more custom solution. In this scenario, you could build your own consent system using custom scripts. Be warned, this option is much more technical. You’ll need the help of a professional to do it right. A CMP is usually enough for the needs of a small business.
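To make the "custom scripts" route concrete, here is an added example (not from the original article or from any CMP vendor) of the core of such a system: a default-deny gate that decides which tags may load based on a stored consent record. The category names, record shape, policy version and 180-day lifetime are assumptions chosen for illustration.

```javascript
// Added example: default-deny consent gate for tag loading.
// Category names, record format and lifetime are assumptions, not a standard.
const POLICY_VERSION = 3;                      // bump when purposes change
const MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;  // assumed re-prompt interval
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Parse the stored consent string (e.g. a cookie value). Anything
// malformed, outdated or expired is treated as "no consent given".
function parseConsent(raw, now = Date.now()) {
  const denied = { necessary: true, analytics: false, marketing: false, valid: false };
  let rec;
  try { rec = JSON.parse(raw); } catch { return denied; }
  if (!rec || typeof rec !== "object") return denied;
  if (rec.version !== POLICY_VERSION) return denied;
  if (typeof rec.ts !== "number" || rec.ts > now || now - rec.ts > MAX_AGE_MS) return denied;
  const out = { necessary: true, valid: true };
  for (const c of CATEGORIES.slice(1)) {
    // Only an explicit boolean true counts; "true", 1 or missing do not.
    out[c] = rec.choices != null && rec.choices[c] === true;
  }
  return out;
}

// Return the names of tags allowed to load; unknown categories are blocked.
function allowedTags(tags, consent) {
  return tags
    .filter(t => CATEGORIES.includes(t.category) && consent[t.category] === true)
    .map(t => t.name);
}

// Constructed sample data.
const TAGS = [
  { name: "session", category: "necessary" },
  { name: "ga", category: "analytics" },
  { name: "ads-pixel", category: "marketing" },
  { name: "mystery-widget", category: "social" },
];
const NOW = Date.UTC(2024, 0, 31);
const stored = JSON.stringify({
  version: 3, ts: Date.UTC(2024, 0, 1),
  choices: { analytics: true, marketing: false },
});

console.log(allowedTags(TAGS, parseConsent(stored, NOW)));   // returning visitor
console.log(allowedTags(TAGS, parseConsent(null, NOW)));     // first visit
```

In a real page, the result of `allowedTags` would drive which script elements are injected, so nothing in a non-consented category runs before the user has chosen.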
Make GDPR compliance a top priority
There’s no use avoiding the issue: GDPR is here to stay. There’s also no denying that the topic of GDPR for small businesses can be a headache. There’s a lot to take in, and any mistakes can be costly. But whilst GDPR compliance is a complicated topic, it doesn’t have to be unmanageable.
Take it step by step. Start by looking at your organization. Answer two fundamental questions: ‘What data am I collecting?’ and ‘Why am I collecting it?’ From here, you can build wider digital marketing strategies. Plan methods for securing your data, and contingency plans for any breaches. Remember to invest in a cookie management platform to automate website compliance.
With the right planning and attention, you can consign your GDPR worries to the past.
Guest Author Bio: Will Rice
Will is an SEO & marketing manager at MeasureMinds, a leading SEO, CRO, Google Tag Manager, PPC, and Google Analytics agency. He specializes in SEO and content and has helped enterprises achieve #1 rankings for heavily contested keywords through thoughtful strategy and implementation.