What Small Business Owners Need to Know About GDPR Compliance
One of the best things about the Internet is that literally everyone, everywhere can be your client.
That’s exciting! I love looking at my site analytics and seeing which countries light up for visitors, don’t you? But the downside to all this global interconnectedness is that rules and regulations for countries outside of your own often apply to your business.
What?! Quelle Surprise!
Yup, if clients or customers can access your business from outside your home country, you may be subject to the laws of the client’s home nation. A well-written website terms and conditions statement can certainly help, as would a solid terms and conditions of sale agreement and a carefully written client agreement. (::cough:: I have templates in my shop for this exact need ::cough::) But the business document you will want to be most vigilant about updating to reflect the global nature of your clientele is your Website Privacy Policy.
I’m going to take a moment to give you a friendly reminder that your Website Privacy Policy is also the one legally required document that your website absolutely must have, no matter what. I definitely recommend that you have a T&C statement and a disclaimer, but the Privacy Policy is the one that could get you into big legal trouble if it isn’t properly included.
So not only do you NEED to have a Website Privacy Policy but you also need to make sure it complies with the GDPR if there is any chance that you might attract a client or customer from within the European Union. Which, given how awesome your business is, is actually very likely. And the thing is, they don’t even need to buy anything from you for the GDPR to apply. It applies if your site collects, stores, or processes any data from anyone who lives in the European Union. This means that if a client in France signs up for your kickbutt freebie and gives you their name and email address in exchange, your website and privacy policy must comply with the GDPR.
Now before you drop into an overwhelming spiral, pause, take a breath. The good news is that you are likely pretty close to compliance. Okay, panic attack averted? Let’s learn a little more about the GDPR and what it means for you.
GDPR is not alphabet soup; it stands for General Data Protection Regulation. The GDPR is intended to be a comprehensive set of data protection laws and was enacted by the European Union (EU) to ensure that individuals have control over their own data. It’s actually a great thing. It came into effect on May 25, 2018. The fines for the less severe tier of infractions can reach 2% of your annual revenue or 10,000,000 euros.
Whatever the purpose of your website, whether you run an online store, offer coaching or consulting services, or are a creative entrepreneur, if your site collects or processes user information like names, email addresses, home addresses, or payment info, in any way, the GDPR applies to you. Even your white-glove, five-star customer service chatbox means that you will need to comply with the GDPR.
The GDPR has seven key principles that will help you understand why it protects your clients.
Lawfulness, fairness, and transparency: This three-pronged principle boils down to requiring that you have a valid legal reason for collecting the data (you probably do! In most cases, businesses have valid reasons like providing customer service or analyzing their website performance), that you give your visitor the opportunity to consent to sharing their personal info (again, you probably do this, because most personal information is shared voluntarily, with the visitor knowingly sharing the info), and finally that you clearly explain what types of personal info your site collects and what you do with it. Your Privacy Policy is the ideal place to address these concerns and keep site visitors in the loop.
Lawfulness: This is the reason that you are collecting, processing, and storing data. You probably have a ton of reasons for the data you collect, which can include customer consent, providing service, maintaining business records, tracking client orders and answering client inquiries, and even tracking data and trends to improve the website visitor experience.
Transparency: Be clear and transparent about how you'll use collected data. Provide individuals with information on why you're collecting their data, how long you'll keep it, and who else might access it, such as a third-party payment processor. Your description doesn’t have to be super specific, but it should provide a broad view of how you use personal data. Your privacy policy is an ideal place to do this!
Consent: If you're relying on consent to process data, it must be freely given, specific, informed, and unambiguous. Individuals must have the option to withdraw consent at any time. For most of your site, it is easy to get consent because the user is voluntarily providing the information and is aware that they are doing so. Again, make sure that your privacy policy explains customer consent and also describes a process for withdrawing consent, such as contacting a customer service email address to submit a written request.
Purpose Limitations: This principle overlaps a little with lawfulness. You need a valid reason to collect and process personal data. This could be a contract, a legal obligation, vital interests, consent, a public task, or legitimate business interests. You have plenty of reasons to collect data that have nothing to do with being nosy. You probably need it to process and track client orders, and you might need it to provide service, to analyze your website, or to send the freebie that a visitor requested. Check your privacy policy to make sure you clearly explain why you collect, track, process, and store personal info. This principle also means that if you want to use data for a new purpose, you need to obtain fresh consent. So if you collected an email address to follow up on a product order, you can’t just start sending a newsletter unless you give the visitor a chance to consent.
Data Minimization: This means that you should collect, process, and store the smallest amount of personal data necessary to fulfill your lawful purpose. So if you need to keep a client’s email address so you can track their order history and answer questions, you shouldn’t also keep their credit card info, because it isn’t necessary for your stated purpose. Or if you are using a client’s email address to send newsletters, you probably don’t need the client’s cell phone number.
Accuracy: You need to have a system in place to regularly review the data that you collect and store for accuracy.
Storage Limitations: This is the principle that you shouldn’t store data that you don’t need anymore. Your business should set a reasonable duration for keeping data and then take steps to anonymize or delete it. This is also good business practice: it makes sense to clear out abandoned email addresses and info from long-ago clients.
Accountability: The GDPR knows it is easy to put all of this in a privacy policy and then forget about it. So this principle requires that you keep records and documentation showing that you are actually following through on how you said you were handling visitor data.
Integrity and Confidentiality: AKA security. You're responsible for ensuring the security of the data you collect and process. Implement measures to protect it from breaches or unauthorized access, and explain what you do in your, you guessed it, privacy policy.
These are all good things! Good for you and good for your visitors. So are you convinced that the GDPR is not actually the boogeyman, but a pretty thoughtful legal protection for individuals?
But, Kerry, how do I get in compliance?!
Now that you understand, and hopefully at least sort of agree with, the seven principles guiding the GDPR, here’s what you need to do. Under the GDPR, individuals have the right to be informed, to access their data, to correct inaccuracies, to erase data, to data portability, to restrict processing, to withdraw consent, and to object to processing. It's about giving people control over their information. Your privacy policy needs to list the special rights that EU citizens enjoy over their data. You will want to clearly list these rights and also clearly explain how users can request corrections, withdraw consent, or file a complaint with the appropriate jurisdiction. If you take those steps and otherwise operate your business in a professional manner, like paying for secure data processing, only using trusted third parties, and regularly communicating with your customers, you should be all set. After all, you don’t want any of your customers’ personal info falling into the wrong hands even if the GDPR doesn’t apply. So the GDPR isn’t a vicious monster waiting to trap you; it’s just good business practice. If you want help making sure that your privacy policy is GDPR (and, as a bonus, California Consumer Privacy Act) compliant, scoot on over to my template shop and scoop up my Privacy Policy.
THIS ARTICLE IS NOT A SUBSTITUTE FOR LEGAL ADVICE AND IS OFFERED FOR INFORMATIONAL PURPOSES ONLY. EVERY SITUATION IS UNIQUE AND YOU SHOULD CONSULT A LOCAL ATTORNEY FOR ADVICE ON YOUR PARTICULAR CIRCUMSTANCES.