GDPR Compliance for Small Businesses

This is probably the most un-sexy blog post I’m ever going to write. It’s important stuff though, so it needs to be said even if just typing the word “compliance” makes me want to run from the room and dive head first into a bowl of buttercream.

In case you haven’t heard, the EU is instituting new rules with regards to digital privacy, personal information and the storage and sharing of information. It’s called the General Data Protection Regulation, or as I like to refer to it, the “good common sense wrapped in a bunch of long words” policy. Businesses have until May 25 to comply with these regulations, and by “businesses” they are including those who are outside of the EU and who have EU based customers.

So if you’re working in our industry and you teach over here, or sell online tutorials there, or have ever had an EU customer, this stuff covers you. Chances are you have collected personal information in the course of those activities – names, email addresses and so on. Because the official pages of the GDPR are really confusing and hard to read, a lot of us are super scared about running afoul of the regulations. They did provide a “Preparing for the GDPR” document but, not surprisingly, it’s not terribly clear about the actual steps you need to take. You’ll need to read all that official stuff for yourself. The gist of it is that, as small business owners, we are the data controllers of our businesses. As the controllers, there’s some stuff we have to do to make sure we comply.

Here’s how I understood compliance, from the point of view of a small business owner:

  1. You need to be VERY clear what people are signing up for. Define why you need that info from them. So if you’ve got a mailing list of some kind, at the time of sign-up you need to let people know what they are agreeing to get, and how often they will hear from you. You can add this text to the bottom of your pop-up, or the bottom of your “contact me” page, or just somewhere obvious in all the places you gather email addresses. “By signing up here you are agreeing to receive a free ebook, our monthly newsletter, and emails about our products and sales.”
  2. You need to have a privacy policy in place, and published on your website or places you do business online. This tells them what the information they may provide will be used for, and if you’ll share it. Here’s mine. I originally used a template I got on an Australian government site then modified it to comply with GDPR (see point #3 and #4).
  3. Your privacy policy now needs to meet GDPR requirements, which includes things like how users can ask for their information and how you will be providing it to them. Currently they should be able to ask for it anyway. Under GDPR rules you’ve got 30 days to respond to that request and let them know how/when the info will be provided.
  4. For those of you with online learning options (video classes etc) – it’s important to note that users can ask that their information be totally removed from your system. BUT, let them know that along with that request, they will lose access to online stuff they bought because, duh, to log in to online classes they will need to provide info like an email address. Anyone can ask you to remove their information totally, but it will affect those purchasers most and they need to know that.
  5. Follow the digital info trail – as a business, you really need to be aware of the flow of information. So how do you now gather data, where do you store it, where do you put it once you’re done with it etc. If you use any 3rd parties (Dropbox, PayPal, Mailchimp etc!) all those guys need to be GDPR compliant too, so check with them and find out what they are doing about it. You need to know how you get info and where you store it so that if people ask for their info, you can easily provide it. If they ask you to delete it, you can easily find and remove it.
  6. You can contact all the people currently on your list and get them to re-opt-in to your list – this way you know everyone who is signed up is really there because they want to be there. Honestly, this kind of list cleaning is something you should do every once in a while anyway. No point in sending emails to people who don’t want them.

Here’s a link to a really simple, 3 minute video about it:
Here’s a link to an Infusionsoft presentation about this:
I’m not the all-seeing, all-knowing swami about this, but the above is what I’ve come to understand after reading the boring but important official documents, reading some simplified versions, asking a UK-based digital business strategist, and watching some webinars on the topic. If you’ve got more or different info, please leave a comment on this post so the rest of us can enjoy (or be tortured by) it.

And now back to the fun stuff….
