Are you worried about GDPR?
Are you overwhelmed trying to figure out how to make your business compliant?
If your brain hurts like most entrepreneurs struggling to figure out what the heck this is all about, you are not alone.
Your worries are not all in vain because this new legislation is a game-changer that will affect almost every one of us. If not handled properly, it has very serious consequences.
GDPR applies to all businesses that deal with data involving EU citizens. If your business deals with such data, then GDPR is most probably applicable to you, even if you and your business are both based outside the EU.
What’s This New Nightmare All About?
This new four-letter word (“GDPR”) is the EU’s General Data Protection Regulation, which entered into effect on May 25, 2018.
Since privacy is taken so seriously in this law, fines and sanctions are very severe (up to 20 Million Euros or 4% of annual turnover in major big data cases).
The tips I present here are targeted at entrepreneurs, managers, and small business owners. For this reason, I’m not stressing the severity of GDPR fines, because there is no point in scaring you.
Yes, there is a storm of hype these days about it, but there is really no need to panic or get frustrated.
Just be sensible about it by taking timely reasonable steps to comply with the GDPR regulations and by following these simple tips offered to you here for free.
That being said, I have to point out that my explanations will not be exhaustive, so don’t rely solely on me; I can’t cover the wide range of cases and countries that this law touches in one article.
You need to do your homework and check your local laws or maybe seek professional legal advice from a privacy lawyer licensed in your jurisdiction.
The important thing, though, is not to worry too much about GDPR, but to use it to take positive action: knowing your clients, maintaining your email list hygiene, being transparent, respecting your stakeholders’ privacy and personal data, being purposeful, mastering your craft, and doing business with integrity.
Regulators are not out there to get you, nor do they have enough officers to run after every single freelancer, coach, entrepreneur, consultant, or small business owner to check their cookies and freebies.
This law is meant to ensure the transparency of big data processing companies that use our personal, or in some cases sensitive data, in ways we know nothing about for their marketing and other activities.
The GDPR law is meant to protect EU citizens from such companies exploiting their privacy and personal data without their prior approval or knowledge.
You can best benefit from the GDPR by thinking about it as an ongoing project, a challenge, and an opportunity to improve the quality of your lists, maintain them regularly, and get to know your clients better.
This will, in turn, improve the quality of your work, performance, competitiveness, email deliverability rates, conversion, traction, sales, and overall profitability.
I’ll take it easy on you to start with and will post more detailed information throughout 2018, so stay tuned for my upcoming blog and GDPR course posts!
Here are my two cents in three simple tips anyone can easily implement, regardless of where they are located in the world. Following these tips will help you mitigate your GDPR risk exposure to a large extent.
Having cybersecurity insurance that covers GDPR is recommended in all cases. Appointing a data representative in the EU is also good practice.
The good news is that all this should not cost you more than a couple of hundred dollars. Don’t overspend on lawyers, IT professionals or representatives either. It’s a simple process that you can figure out and do yourself in most cases.
1. Warning! Don’t Fool Around With Data Carelessly
GDPR applies to you if you’re processing (dealing with) data of EU citizens.
This includes storing names, emails, cookies or IP addresses, either at rest (in files on your computer, in a database, on a cloud server, on a list at your email provider, etc.) or in transit (sending it by courier, fax or email, for example).
As a start, here’s what you should consider:
1-2 Obtain prior written consent from the people whose data you’re dealing with. It’s good practice to have a separate consent for each purpose of use. Do not combine consents or use pre-checked boxes. Keep a file of those consents.
1-3 Data Minimization. Acquire data only when it is necessary. Give access only to the people who need that specific information. Don’t collect more data than you need to perform your job, and don’t keep the data on your system for longer than required.
1-4 Secure data, and especially sensitive data. Sensitive data is the more important data about a person, such as financial, religious, and political information. It’s good practice to use encryption, pseudonyms, project codes, passwords, vaults, authentication or other security tools reasonable for your situation.
2. Who On Earth Are Data Subjects?
2-1 When the GDPR mentions data subjects, it means any EU citizens whose data you are dealing with. This applies to everybody you may deal with including your clients, vendors, affiliates, partners, employees, suppliers, contractors, subcontractors, and people on your email lists.
2-2 Make sure you take the consent of the people whose data you deal with and that they know exactly how you will use their information. Then use this data only for the purposes you took consent for (their prior written approval).
Let’s say someone signed up for your freebie. Send them the freebie only, and don’t put them on your email marketing list to send them other promotions of your activities or try to sell them your latest book, coaching, or online course. You need a separate consent to do that.
2-3 Design a data map for your business.
A data map keeps track of the data you collected: what kind of data you have, where it comes from, for what purpose you collect it, when and for how long you will keep it, where you save it, with whom you share it, how you secure it, and where you save the documents and files that relate to it.
You’ll find a template for making your own data map in the resource list below.
2-4 It’s good practice to keep those records for 7 to 10 years, depending on the tax and data protection laws of your country. Your records should identify the basis on which you obtained the data (law, contract, consent, etc.).
2-5 Your data subjects have the right to know what data you hold about them. They should be able to correct or update their data, to be forgotten (completely deleted from your system), or simply to unsubscribe from your lists, products or services if they so wish.
Make sure that you have a system to automatically deal with these situations in a timely and efficient way.
3. Hedge Legal Risk By Raising Awareness
3-1 It’s good practice to raise your employees’ awareness about privacy and data protection. The issue affects more than just businesses.
Hacking has become a major concern for all businesses, so make sure you and your employees are well educated about cybersecurity and privacy issues.
It’s recommended to know how to deal with these issues: how to react in a timely and constructive way if necessary, whom to report to in case your data is compromised, and what to do about it proactively so that it doesn’t negatively affect your reputation, finances, or entire business.
3-2 It’s good practice to use data protection self-assessment tools, templates, and checklists to make sure you’re in good standing. Attending conferences, awareness raising events, and workshops would also keep you updated on the latest developments.
Check these EU guidelines on self-assessment to know more.
As a Final Note…
That feeling of being overwhelmed can easily be overcome by adopting good information handling. Doing this makes good sense, will put you ahead of the majority of your competition, and is good business practice that will leave you feeling accomplished.
Compliance, privacy, data protection, and cybersecurity are competitive advantages that enhance your business’s reputation, increase customer and employee loyalty, and reduce your operating and legal risk.
Following the legal tips I just mentioned ensures your client data and information is accurate, relevant, and secure. This saves you both time and money in the long run.
The best you can do right now is to make sure you comply with data protection laws in your country. Find out what you need to do to ensure you are keeping people’s personal data secure.
Look for resources, tools, and support to help you improve your data protection compliance.
Trust me, if you’re like most of my clients who went through this process and became GDPR compliant, you’ll feel really good putting this GDPR issue to bed.
It’ll feel awesome when you rest assured that you’ve got your back covered by minimizing your business risks.
Remember, the law only respects those who respect it!
N.B. Check the legal and IT resources below for more in-depth information.
Disclaimer: This article, the enclosed legal and IT resources, websites, and links are not to be construed or interpreted as legal advice, recommendation, consultancy, or service, but rather as my personal views, information, and educational guidance to help you digest the new GDPR law and present you with tools to put it into practice.
GDPR Summary for Small Businesses
I’m sure you’ve heard of this new four-letter-word law called (“GDPR”) popping up all over the internet. This law entered into force on the 25th of May 2018.
That’s big news for you if you are dealing with data of EU citizens. It’s a big day for us corporate lawyers to witness the General Data Protection Regulation (“GDPR”) going into effect, and we are here to help you get your GDPR compliance sorted out.
We started taking GDPR seriously many months ago because it was an issue that had most of our clients worried and overwhelmed.
We also had to comply ourselves by adjusting our privacy and cookie policies, terms of service, disclaimers, landing pages, pop-ups, newsletters, freebies and email lists to the new regulations.
Because there weren’t a lot of really easy, understandable, and actionable legal resources freely available, I thought it might be helpful to document what I did and offer you free bite-size information, guidance, and education on GDPR.
I hope this will save you the effort of digging into the 261-page law yourself, which, trust me, was a nightmare even for us lawyers.
1. What’s GDPR?
The General Data Protection Regulation (“GDPR”) is a European Union (EU) Law effective as of May the 25th, 2018.
2. Why is it Important? Are there Risks and Fines?
It gives EU citizens control over the privacy of their data and revolutionises how the data is processed and shared by large organizations across the world.
Breaching GDPR exposes you to large fines of up to 4% of a company’s annual global revenue or €20 million (whichever is greater). These are serious legal, financial, operational, and reputational risks.
Sanctions start with a warning, then a reprimand, then a suspension of data processing, then the large fines.
3. Who are EU Data Subjects?
Data Subjects: means EU citizens or natural persons residing in the EU.
4. How to Lawfully Process Their Data?
Small businesses can lawfully process EU data subjects’ data on three bases:
Written Consent, Legitimate Interest, and Contract Fulfillment.
5. Data (Personal vs Sensitive)
Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Data: means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. Processing of such data is prohibited under the GDPR unless one of its specific exceptions applies.
6. Where’s the Territorial Scope of GDPR?
- Controllers and processors established within the EU.
- Controllers or processors not established in the EU that process personal data of EU residents, where the processing activities are related to:
  - Offering goods or services (paid or free) to EU data subjects.
  - Monitoring their behaviour, as far as that behaviour takes place within the EU.
7. Who are Data Controllers and Processors?
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
8. What are the Data Collection Principles?
Lawfulness, Fairness and Transparency – Purpose Limitation – Data Minimisation – Accuracy – Storage Limitation – Integrity and Confidentiality – Controller Accountability.
9. What’s Data Processing?
Data Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
10. How to Comply?
Review the GDPR, your local data protection laws, and the best practices published by the authorities to know what wording or legal requirements are necessary to include in each of the following legally required sections of a website:
Cookies are small files that a website stores in your browser to record your preferences and your behaviour on that site. Cookies can also be used for marketing and advertising. There are session, persistent, necessary, functional, and performance cookies, each of which does a slightly different job. Cookies are used by most websites.
Your website Disclaimer limits your exposure to lawsuits and fines. It tells your audience, visitors and clients what you don’t assume liability for and how you limit your responsibility.
11. Representatives vs DPO
Representative: means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.
Data Protection Officers (“DPO”): Data controllers and processors shall appoint a DPO if:
– They perform regular and systematic monitoring of data subjects on a large scale.
– Their core activities consist of processing special categories of data on a large scale.
Note that:
– The data protection officer may be a staff member, or a third party who fulfils the tasks on the basis of a service contract.
– The contact details of the data protection officer shall be published and communicated to the supervisory authority.
23.02.2019, Biel/Bienne, Switzerland.
As a corporate lawyer and certified cybersecurity professional, I manage E-Corporate Lawyers (“ECL”), an online legal platform that helps entrepreneurs, business owners and investors start, secure, scale or sell their businesses or investments.
ECL offers its magic circle clients legal, marketing and management consultancy to grow their businesses, investments and online presence.
If you need further legal assistance, I can personally help you through my regulated law firm.
Here are some further free resources that you might find helpful if you’re keen to learn more about GDPR:
1- Legal Resources
- EUR-LEX GDPR Law in English
- EUR-LEX GDPR Law in French
- 12 steps to prepare for GDPR
- Swiss Data Protection Law
- Cantonal Data Protection Authorities in Switzerland
- International Data Protection Authorities
2- Cybersecurity Resources and IT Tools
3- GDPR IT Tools and Implementation Resources
- GDPR-Ready SaaS Vendors
- Data Map Template
- Email List Cleaning and Maintenance Tools
- GDPR Compliance Statements
- Enable GDPR
- Infusionsoft GDPR Webinar
- MailChimp GDPR Frequently Asked Questions
- How To Add A Check-Box To A Convertkit Form For GDPR
- WordPress GDPR Plugin
- Data Protection Representative
- Google Cloud GDPR
- OECD Privacy Statement Generator
4- WordPress Plugins