Have you been receiving a steady flow of emails from established businesses like Google, LinkedIn and PayPal asking you to re-subscribe to their email newsletters and accept their new Privacy Policies? Do you know if it affects your business, and if so what you should do about it?
Well – if you are a business of any size and you hold data about any EU citizens (Brexit or no Brexit) then it does affect you, and it is pretty critical to make steps towards becoming compliant (or else..!).
The reason we are getting these emails more frequently is the advent of the new European data privacy legislation – the GDPR (or the ‘General Data Protection Regulation’) that comes into effect on the 25th of May this year. While there is a lot of information about this online (most notably on the Information Commissioner’s Office website https://ico.org.uk/), I thought I’d cover a couple of crucial questions that I’ve asked and have had asked of me, with regard to what action small businesses with websites should take about this impending deadline.
First though, what is GDPR?
GDPR is the ‘General Data Protection Regulation’, that comes into effect on the 25th May 2018 (yes, I’ve said that already) and has been built around 2 main principles, being: –
(1) to give EU citizens more control over the data that is held about them; and
(2) simplifying regulations across international borders (so as businesses we all know where we stand).
The GDPR updates the current Data Protection Act (DPA) of 1998 (https://www.legislation.gov.uk/ukpga/1998/29/contents) and its governance applies to all businesses that process the personal data of EU citizens (I’ve said that already too, I know, but it is important… especially as this applies to ALL businesses, no matter how big or small).
What are the penalties for GDPR non-compliance and how would you be ‘found out’?
Officially the financial penalty is up to 20 million euros or 4% of annual turnover, whichever is the greater (that would certainly clear me out of my petty cash). It’s fairly clear that small businesses are unlikely to be fined this sort of amount(!), however even a comparatively small fine could critically damage a small business.
You may ask yourself “well if I don’t comply how will the ICO ever find out – I’m just one of many small businesses?”. One of the fundamental differences about the GDPR compared to the DPA is that the power is in the people’s hands – so if for instance you have an EU citizen’s data and you use it when they have not given you express permission to do so then they can complain to the ICO, and then the ICO will investigate and take proceedings as they see fit.
An example real-life scenario of how things might go wrong if you do nothing about GDPR
Here’s how events may transpire if you were to do nothing about GDPR in a real(ish) world situation (and this is just one of many possible scenarios): –
- You have John Smith’s name and email address (and perhaps other information). Perhaps Mr Smith used to be a customer, or an employee, perhaps he signed up for your email newsletter, or perhaps you got his information through a contact database you purchased.
- You do nothing between now and the 25th May and then you send out an email to him (using your snazzy email marketing system for example). Mr Smith receives the email and asks you to unsubscribe him from your email database but you don’t (or you do but you don’t have a process in place to do this properly and he’s on another list of yours elsewhere) and you deliberately or accidentally send out another email to him. Mr Smith complains to the ICO.
- The ICO will then have good reason and the power to investigate and check why you did not comply with Mr Smith’s request, and they will more than likely check to see that you comply with the GDPR in other areas. This may include you proving that you have: –
  - A process in place to identify all data you hold about Mr Smith (and all other EU citizens);
  - A process in place to show all the data you hold about Mr Smith to him;
  - A process in place to remove all data associated with Mr Smith, should he so request, without any cost to Mr Smith;
  - A process in place to show evidence that any data you hold about Mr Smith is held and transferred securely;
  - A process in place to show you are legally permitted to hold data about Mr Smith;
  - A process in place to show details of the policy you have regarding how long you keep Mr Smith’s data for, and what you do when that period expires;
  - If required, that you employ a Data Protection Officer (you would need to do this if you held enough data that is considered sensitive, such as health or religious information);
  - And more….
- If you can’t show any or all of the above, or the other elements that the GDPR requires of you, then you could be in for a really big, small-business-crippling fine.
An example scenario of how things might go right if you do something about GDPR
Here’s how events may transpire if you were to do something about GDPR in a real(ish) world situation: –
- You have John Smith’s name and email address (and perhaps other information). Perhaps Mr Smith used to be a customer, or an employee, perhaps he signed up for your email newsletter, or perhaps you got his information through a contact database you purchased.
- You put into place processes to ensure you comply with the GDPR before the 25th May, including sending Mr Smith an email to ask that he re-subscribes to your email list and reads your new and updated Privacy Policy, so that he knows exactly what rights he has to the data you hold about him.
- Mr Smith loves the fact that you care about him and the data you hold about him, and re-subscribes to your email list.
- You send out an email to him (using your snazzy email marketing system for example) and Mr Smith reads it, and trusts your business enough to, perhaps, become or continue being a customer of yours into the future.
The ICO doesn’t bat an eyelid, and you continue running your fabulous business!
So – if you’ve not done anything about it, what should you do?
Below is a very basic overview of some of the steps you could take to start the process rolling: –
- Audit your current data – what is it, what do you do with it, how long do you keep it for, how did you get it, do you transfer it across international borders? Create clear documentation that details all of this.
- Assess if you have a legal right to control or process the data you do, or if you need consent. If you need consent, you more than likely need to re-request this with transparent and clear detail of how you use the data.
- Assess how secure the data that you control is on your own, or a third party’s, system. If there are possible security holes, seal them up. These can include how you collect, hold, store, process or transport data.
- Consider how likely a breach of the data you hold would be, and what processes you have in place to respond were one to occur. Document your processes.
- If a user requests to see the data you hold about them, assess whether you have a process in place that allows them to see it without cost to them (and at minimal cost to you).
- Check to see that your suppliers are GDPR compliant. If they are not then you may need to change them for suppliers that are.
- Check to see if your privacy policy is up to date with the GDPR. If not then it needs to be updated (and separated from your Terms and Conditions).
- Work out if you need a DPO (Data Protection Officer) – if you hold enough sensitive data then you will need to employ one.
- Are you registered with the ICO under the current DPA? If not, then get registered now.
This is by no means an exhaustive account of what you need to do, but it does give an overview of what you could be considering – please note these are only suggestions and you should consult a GDPR specialist or legal consultant for a more formal process.
If you haven’t already done so, the best place to start is to read thoroughly the information about GDPR on the ICO website, and if you wish to carry out your own self-assessment then you should check out and run through the ICO’s online GDPR checklist.
What should you do about your website to comply?
If, like many small businesses, you collect data about current or potential customers through your website, then the likelihood is you hold that information on a server somewhere, and there may be security risks when it is collected, stored and used. I’ve written a separate blog post – ‘7 things to do on your website to help you comply with GDPR’ – to help with this, so do take a look at that. I also provide Website Maintenance Plans and am available to hire – so I am in a great place to assist with your business’s website. Please get in touch with me to discuss these.
Have some pressing GDPR questions or need to speak to a specialist?
Having read a good handful of articles about the GDPR I have some understanding of the basics and would be happy to speak with you, but if you want to talk to an expert then I have some contacts who would love to talk to you. Click over to my contact page and use my details to get in touch, and I will pass your details on to a reliable GDPR consultant.