Understanding the implications of GDPR for small businesses

There’s been a lot of hoo-ha about the forthcoming General Data Protection Regulation though not all of it accurate. John Paterson, CEO at Really Simple Systems CRM, looks at the facts and provides practical tips for small business owners, CRM users and administrators:

The General Data Protection Regulation (GDPR) is due to come into force on 25th May 2018. It’s designed to protect the privacy of EC citizens, ensure their personal data is not exported outside the EU and give them control of how the data is used.

Although the right to privacy from government surveillance has been included previously in legislation, the advent of the Internet has meant large corporations are also able to conduct, what is in effect, mass surveillance. GDPR effectively exports the European notion of the right to privacy to any business that collects personal data on EC citizens, backed up by stiff penalties for non-compliance.

What GDPR entails for small business owners

Consent

From 25th May 2018 organizations, regardless of which country they are based in, will need to have explicit consent from any EU citizens before they can send them marketing emails or SMS messages. This means no more pre-ticked acceptance boxes; it has to be an unticked checkbox informing what will happen if you do tick it. Alternatively, you’ll need a double opt-in via a confirmation email where the person clicks a link to consent.

You’ll also need to be able to record how and when consent was given to provide proof should the regulatory body (in the UK this the Information Commissioner’s Office) receive a complaint.

Data breaches

Under the regulation you have just 72 hours to report any data breaches to the supervising authority. You should then inform the data subjects of the breach “without undue delay”, the timing dependent upon the likely risk of damage to that individual.

Guide: seven steps to CRM implementation success

Fines and sanctions

The maximum fine for a breach has been stated as €20 million or up to 4% of global revenues, whichever is higher. In practice, the regulatory body is not likely to do anything if just one person complains, other than maybe sending a warning letter. The penalties are there for companies that flagrantly and repeatedly abuse GDPR.

Right to erasure

Individuals can request that the data you hold on them is erased. There are some exemptions to this but in practice for most businesses you will have to comply. You must comply without delay, and certainly within one month.

Data portability

Individuals can request a copy of the data you hold on them. This applies to data they have given you and would also include stored emails from them, and their purchasing and payment history.

Data protection

If you hold personal data then you have a duty of care over the safeguarding of that data. This includes restricting access to only those who need access to do their jobs, making sure that the data is held securely.

US compliance

One of the biggest areas of interest for business will be whether US organizations seek to become GDPR compliant. With virtually no data privacy laws currently in place, the US takes a very different viewpoint to the EU. It looks likely that if a US company uses European-based data centres that will be sufficient to comply, although US courts are currently seeking to force US companies to hand over locally stored data.

B2B marketing

GDPR draws no distinction between B2B and B2C communications. Another piece of legislation, the new e-Privacy Regulation will replace the existing e-Privacy Directive and is designed to offer clarity for electronic communications, i.e. emails and SMS messages. As GDPR is a Regulation, not a Directive, it will automatically become law across the EC on 25th May 2018. However, each member state will have to enact the legislation to enable e-Privacy. This gives each country some latitude as to the exact wording and could draw a distinction between B2B and B2C.

Our GDPR checklist

• Appoint a Data Processing Officer who should quickly get up to speed with the legislation
• Make a list of all your systems that hold personal data, e.g. your CRM, accounting, HR system, contact databases in email clients like Outlook and any spreadsheets
• Make a list of all your Data Processors, those external systems you use that hold personal data. Make sure they only hold data in the EC and are, or will be, GDPR compliant. If you are in a regulated industry get a certificate or contract warranting compliance
• Start capturing consents from new enquiries now
• Work out how you are going to get consents from contacts in your existing database between now and 25th May 2018
• Draft a procedure for managing breach notifications, for both the regulatory body and the contacts themselves. If a breach happens you won’t have time to consider the best way to do this so have it mapped out in advance
• Review and update the privacy notices and terms and conditions on your web site