GDPR - What small businesses can do

 

Updated Friday 4th May 2018 with added information regarding cookies and existing subscribers.

GDPR is the EU’s big new data protection regulation that takes over from the Data Protection Act 1998. It comes into effect on 25th May 2018 and will impact what it means for you to do business online in the EU.

In this post I will look at what GDPR is, what it says, what compliance means for you, and how you can use it to your advantage.

What is GDPR?

GDPR stands for General Data Protection Regulation. It will replace the existing regulations that dictate how companies are allowed to collect, store and use the personal information of their customers or clients. It is designed to give control of personal information back to the people over the interests of businesses.

What does GDPR say?

The legislation in these new regulations includes:

  1. The right for people to access, correct, delete or transfer any personal data held about them on any company system.
    • What accounts for personal data?
      • Name
      • Address
      • Location
      • Online identifier (e.g. IP address)
      • Health information
      • Income
      • Cultural profile
  2. Knowing and understanding the legal grounds for processing.

    • Consent: The individual has given clear consent for you to process their Personal Data for a specific purpose.
    • Contract: The processing of Personal Data is necessary for a contract you have with an individual, or because they have asked you to take specific steps before entering into a contract.
    • Legal obligation: The processing of Personal Data is necessary for you to comply with the law.
    • Vital interests: The processing of Personal Data is necessary to protect someone’s life.
    • Public task: The processing of Personal Data is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
    • Legitimate interest: The processing of Personal Data is necessary for your legitimate interests or the legitimate interests of a third party unless there is good reason to protect the individual’s Personal Data which overrides those legitimate interests.

     

  3. The need for companies to gain explicit consent from citizens for their personal data to be held, and to keep a record of that consent.
    • Companies must:
      • Use plain language in their communication
      • Tell the person who they are when they request any data
      • Say why they are processing the person's data
      • Say how long they will keep the data stored
      • Say who else, if anyone, will receive the data
      • Write down how they asked for that data
  4. The legal obligation for companies to inform data authorities and consumers about breaches of data security, within 72 hours of them occurring.
    • What is a personal data breach?
      • A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
    • What breaches do we need to notify the ICO (Information Commissioner's Office) about?
      • When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it.
  5. Give people access to their data and the ability to take it with them.
  6. Give people the ‘right to be forgotten’ and erase their data if they ask.
  7. Give people the right to opt out of direct marketing.

Who does GDPR apply to?

It doesn’t matter where you are based: GDPR applies to all companies that offer products or services to anyone within the EU. The Queen’s Speech confirmed last year that the GDPR will become part of UK law following the country’s withdrawal from the European Union.

GDPR doesn’t just apply to online shop owners; GDPR compliance also applies to companies like Google, Facebook, MailChimp, Shopify etc. More on them later.

What about data collected before GDPR?

The GDPR requires that you provide people with your privacy policy at the point of data collection. If you collected data prior to 25th May 2018, you should ensure that your customers were provided with a privacy policy that met the requirements of the Data Protection Act.

If they weren't given this privacy policy, you’ll need to provide them with your new privacy policy required under the GDPR. You’ll also have to do this if you have changed the way you handle Personal Data after 25th May 2018 due to GDPR.

How does GDPR apply to small businesses?

GDPR affects companies of all sizes, from a one-person studio to a company of thousands. If a company handles data about European Union citizens, then GDPR applies.

You should be aware that GDPR doesn’t treat small online businesses the same as large corporations. So for example there are certain record keeping requirements that only apply to companies that have more than 250 employees. But there is still action you need to take.

Is this different from the Cookie Law? 

Yes. Cookies fall under the EC Directive, and GDPR is focused on ‘Personal Data’, although there is a slight overlap, because some cookies collect IP addresses and these count as ‘Personal Data’ once the GDPR regulation starts. All websites use cookies to work, but some do not collect Personal Data and so do not fall under GDPR. Some cookies are essential for the website to work (e.g. on an Ecommerce site) and some cookies can be very simply edited so that no Personal Data is taken (e.g. Google Analytics) and so do not fall under GDPR. These can continue as they are until the new ePrivacy Law comes into effect.

When is new ‘ePrivacy Law’ going to start? 

Originally, this was due to start alongside GDPR. However, the EU being the EU, they are taking longer to debate all the issues and so this new law has been delayed until possibly Spring 2019, about a year after GDPR starts.

Do I need to change anything about my cookie policy now? 

Although the introduction of the new ePrivacy law has been delayed, you could take this opportunity to update your cookie policy. With regard to your cookie policy, the main thing is to understand what you are using cookies for and clearly state this in your cookie policy. As long as you explain this to your website users and make the information easy to find, you should be okay. The more you do now, the less you’ll need to change next year. Based on the information we have so far, the new ePrivacy Law is expected to focus on browsers, in that the browser will ask you about cookies rather than the website itself. This means that getting consent to track online browsing habits will fall into the hands of the four main companies, representing 90% of the browser market: Google (Chrome), Apple (Safari), Mozilla (Firefox) and Microsoft (Edge). This is a step in the right direction in my opinion, although you will still need to have a clear and compliant cookie policy.

There are cookies that fall under the rule of GDPR because they collect Personal Data (e.g. an IP address). These cookies should require an opt-in from the user before they are activated on your site. You will need to do a cookie audit on your site to find out which cookies you use, what data they hold and how consent for each of them should be obtained on your own site.

What should shop owners do to be GDPR compliant? 

In order to comply with GDPR, companies which handle personal data must fully understand what kind of data they hold, where they hold it and who has access to that data. To know this, a company-wide data audit is recommended and should be carried out as soon as possible.

During your data-audit you might want to consider answering the following questions:

  1. What personal data do you store on your customers?
  2. Do you need all that data?
  3. Did you get the required consent for the collected data?
  4. How long have you held the data for?
  5. Do you still need to keep the collected data?
  6. Do you need to update your privacy policy to comply with GDPR?
  7. Is the collected data encrypted and secure?
  8. Do you have a valid SSL Certificate on your website?
  9. Is the data backed up and is that backup server secure?
  10. If any member of staff looks after the admin area of your site, are they fully informed about GDPR?

At the heart of GDPR compliance is simply protecting people’s data. That means you can limit your exposure by not collecting data that you don’t need.

If, for example, you only sell virtual products online, and there is no value in knowing the customer's home address, then the incentive with GDPR is not to ask for their home address in the first place. A good rule of thumb might be to only show required fields at checkout, rather than all of them. If you are not going to use the information collected, don’t ask for it.

For companies that have under 250 employees, most of GDPR compliance is just about being honest. If you are honest and transparent and you implement best practices, you shouldn’t get fined.

What about your marketing tools and GDPR?

Even if you have done everything you can to be GDPR compliant there is still the small matter of your marketing tools. Are they GDPR compliant?

Most small businesses use tools to help promote themselves, and to do that those tools collect data. Analytics, social media, email and so on all help your business, but are they GDPR compliant? Can you still use them, and how can you find out?

Google Analytics

It’s likely that your company uses Google for its Analytics as it’s the world’s most used analytics solution. You will be pleased to know that Google have gone out of their way to be GDPR compliant by 25th May, but you may have to do a little work to make sure that the analytics code on your website is not collecting Personally Identifiable Information (PII).

Under the GDPR, an IP address is considered PII (Personal Data), so to be safe I recommend anonymising IP addresses for all events by updating your analytics code to set the anonymize_ip parameter to ‘true’. This will ensure that any IP addresses that are collected are anonymised and so cannot be recognised as PII. This may, however, reduce the accuracy of geolocation.

You may want to seek help from your website administrator to make sure the code is implemented on your site correctly. Below is the code you are looking for, where ‘GA_TRACKING_ID’ is your unique tracking ID number:

gtag('config', '<GA_TRACKING_ID>', { 'anonymize_ip': true });

The changes you need to make to your website depend on which type of tracking code you’re using. Check whether you have Classic Analytics (ga.js) or Universal Analytics (gtag.js).

There are a few other changes that you can make to your Google Analytics setup so that you’re moving in the right direction. You can update your Privacy Policy to include the fact that you use Google Analytics code. And, give the user the option to opt-out of tracking altogether by informing them how to opt out at a browser level.
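As an added example (not code from the blog or from Google), the following self-check inspects the analytics commands a page has queued and reports whether IP anonymisation is actually requested. It covers the gtag.js form shown above and the analytics.js form, whose equivalent call is ga('set', 'anonymizeIp', true). The two-line dataLayer/gtag() and ga() shims are stand-ins for the scripts Google loads, so the check runs offline, and GA_TRACKING_ID is a placeholder rather than a real property.

```javascript
// GA_TRACKING_ID is a placeholder, not a real property ID.
const GA_TRACKING_ID = 'UA-XXXXXXXX-X';

// gtag.js: Google's snippet defines window.dataLayer and gtag() itself; the
// same two lines are reproduced here so the check can run offline.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

gtag('js', new Date());
gtag('config', GA_TRACKING_ID, { 'anonymize_ip': true });   // the setting recommended above

// Returns true only if every 'config' command for the tracking ID carries
// anonymize_ip === true. An omitted flag, the string "true", or a later
// config call without the flag all count as not anonymised.
function ipAnonymisedGtag(layer, trackingId) {
  const configs = Array.from(layer).filter(
    (args) => args[0] === 'config' && args[1] === trackingId
  );
  if (configs.length === 0) return false;
  return configs.every((args) => Boolean(args[2]) && args[2].anonymize_ip === true);
}

// analytics.js (the older "Universal Analytics" script): the equivalent call
// is ga('set', 'anonymizeIp', true). Again only a queue shim, not Google's code.
const gaQueue = [];
function ga() { gaQueue.push(Array.from(arguments)); }

ga('create', GA_TRACKING_ID, 'auto');
ga('set', 'anonymizeIp', true);
ga('send', 'pageview');

// Order matters with analytics.js: the 'set' must come after 'create' and
// before the first 'send', otherwise that first pageview carries the full IP.
function ipAnonymisedAnalyticsJs(queue) {
  const created = queue.findIndex((a) => a[0] === 'create');
  const anonymised = queue.findIndex(
    (a) => a[0] === 'set' && a[1] === 'anonymizeIp' && a[2] === true
  );
  const firstSend = queue.findIndex((a) => a[0] === 'send');
  if (created === -1 || anonymised === -1 || anonymised < created) return false;
  return firstSend === -1 || anonymised < firstSend;
}
```

Run the two checks from your browser console against the real window.dataLayer or ga queue after the page has loaded; a false result means the anonymisation setting is missing, mistyped, or placed after a hit has already been sent.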

MailChimp

MailChimp is the world’s leading email subscription solution for small businesses and so many of you will be using it to compile your mailing lists, but will it be GDPR compliant?

The short answer is yes.

Like Google, MailChimp has done a lot of work to make sure that they are fully GDPR compliant by 25th May 2018, which is great news for small businesses. However, although MailChimp will be securely storing your customers’ data, it is your responsibility to make sure that you have only collected the relevant data and, more importantly, that you have clear consent to collect that data in the first place.

Does GDPR say that I have to contact existing subscribers?

GDPR requires that you provide people with your privacy policy at the point of data collection. If you collected Personal Data in the form of a subscriber to your mailing list prior to 25th May 2018, you need to ensure that the subscriber was provided with a privacy policy that met the requirements of the Data Protection Act, that they opted in (no pre-ticked boxes) and that there was enough information that told them exactly what they were signing up for.

If they weren't given this privacy policy, the box was pre-ticked or the information regarding what you will do with the email address was lacking, you’ll need them to re-opt-in to your newsletter. However, if you had a privacy policy available at the time of data collection, the user had to opt-in (no pre-ticked boxes) and there was clear text explaining what you will do with the email address, you will not need to get people to re-opt-in to your newsletter.

Does GDPR say that I have to use double opt-in?

No, there is no requirement under GDPR that says you have to use the double opt-in process. However, it's a good idea that you do. Although double opt-in may not be a GDPR requirement, it falls under ‘Marketing best practices’. It significantly increases the proportion of genuine subscribers on your list and avoids data submitted to your site by online bots or unscrupulous sources.

To make sure your MailChimp lists are double opt-in, simply login to your MailChimp account, click on lists in the top menu and click your list. Click on the Settings dropdown menu and choose ‘List name and defaults’ from the options available. Under form settings you should see the option to Enable (ticked box) or disable (unticked box) double opt-in.

Note!

Double opt-in can only be enabled for MailChimp signup forms. If you use a plugin on your website to collect your customers' data, it may not activate the double opt-in feature, so your customers will not be asked to confirm their email address and you end up using single opt-in. This is very important if you are relying on the double opt-in step as part of your GDPR compliance.

How should you ask for consent after GDPR?

Forms that invite users to subscribe to your newsletter (e.g. at checkout) or indicate contact preferences must default to ‘no’ or must be blank to meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. You will need to make sure that all your forms ensure this is the case. The key points are:

  • Active opt-in: Forms that have a pre-ticked opt-in box, forcing the user to actively opt-out, will be invalid. Boxes must be empty to start with.
  • Unbundled opt-in: The consent you are asking for should be set out separately from acceptance of terms and conditions, and from consent for other ways of using data, such as a newsletter. Consent should not be a precondition of signing up to a service, unless necessary for that service.
  • Granular opt-in: Users should be able to provide separate consent for different types of processing, e.g. post, email, telephone.
  • Named parties: Your web forms must clearly identify each party that consent is being granted to. It isn’t enough to refer to defined categories of third-party organisations; they need to be named.
  • Documented: You will need to keep records to demonstrate what the individual has consented to, including what they were told, when they were told and how they consented (e.g. what did you ask the customer for them to sign up to your newsletter).
  • Easy to withdraw or Opt-out: It must be just as easy to remove consent as it was to grant it and individuals always need to know they have the right to withdraw their consent at any time. This means you will need to have simple and effective withdrawal mechanisms in place (e.g. an easy to find Unsubscribe link on your newsletter).
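As an added example (not the blog's code, and not a MailChimp API), here is a form state and consent record that follow the key points listed above: unticked boxes by default, terms acceptance kept separate from marketing consent, one entry per channel, the named parties and the exact wording recorded, and a single withdrawal call. The field names, the CONSENT_TEXT wording and the party names are constructed for this example.

```javascript
// The exact wording shown next to each box, kept verbatim and versioned so the
// record can later show what the person was told. (Constructed sample text.)
const CONSENT_TEXT = {
  version: '2018-05-25-v1',
  parties: ['Example Shop Ltd', 'MailChimp (sends the newsletter on our behalf)'],
  channels: {
    email: 'Send me the monthly newsletter by email',
    post: 'Send me printed offers by post',
    telephone: 'Call me about new products',
  },
};

// Active opt-in: every marketing box starts unticked. Unbundled: accepting the
// terms is a separate field and is never read as marketing consent.
function defaultFormState() {
  return {
    acceptTerms: false,
    optIn: { email: false, post: false, telephone: false },
  };
}

// Catches a template that ships with a box already ticked.
function hasPreTickedBoxes(state) {
  return Object.values(state.optIn).some((ticked) => ticked === true);
}

// Granular and documented: one record per person listing only the channels
// they ticked, the wording they saw, the named parties, when, and via which
// form. Returns null when nothing was ticked (there is no consent to record).
// acceptTerms is deliberately not consulted here.
function buildConsentRecord(submission, now = new Date()) {
  const chosen = Object.keys(CONSENT_TEXT.channels)
    .filter((channel) => submission.optIn[channel] === true);
  if (chosen.length === 0) return null;
  return {
    subject: submission.email,
    givenAt: now.toISOString(),
    method: submission.method,            // e.g. 'checkout-form' (assumed label)
    textVersion: CONSENT_TEXT.version,
    parties: [...CONSENT_TEXT.parties],
    channels: chosen.map((channel) => ({ channel, wording: CONSENT_TEXT.channels[channel] })),
    withdrawnAt: null,
  };
}

// Easy to withdraw: a single call (e.g. from an unsubscribe link) closes the
// record. The channels are kept so the history of what was consented to remains.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// The question every send job should ask before contacting someone.
function canContactBy(record, channel) {
  return record !== null
    && record.withdrawnAt === null
    && record.channels.some((c) => c.channel === channel);
}
```

Storing the wording by version rather than copying the text into every record keeps the records small while still letting you show, for any subscriber, exactly which sentence they ticked.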

Online Payments

If you are a business with an online shop, then you are likely to be using a payment gateway for all your transactions. Your website may be collecting personal data before it passes the data onto the payment gateway.

If this is the case, and your website is storing this data after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation does not have a ruling on the number of days, so it’s up to your own judgement as to what can be defended as reasonable and necessary. The same rule applies for all the payment gateways you use.

Note!

  • You might want to speak with your accountant as to what data is required for your business account records.
  • You may want to consider what information you have on your customers if you run an ongoing subscription service.
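As an added example (not the blog's code), the job below strips personal fields from stored orders once they are older than a retention period, while leaving the order number, total and gateway reference in place for the accounting records mentioned above. The field names, the sample orders and the use of 60 days as the default period are all constructed for this example; the period itself is the judgement call the post describes.

```javascript
// Default retention period and the fields treated as personal data; both are
// assumptions for this example and should be set from your own data audit.
const RETENTION_DAYS = 60;
const PERSONAL_FIELDS = ['customerName', 'email', 'address', 'ipAddress'];

// Constructed sample: one order well past the period, one recent order.
const SAMPLE_ORDERS = [
  { id: 1001, createdAt: '2018-05-01T10:00:00Z', total: 12.5,
    customerName: 'A. Example', email: 'old@example.com',
    address: '1 Example Street', ipAddress: '192.0.2.10', gatewayRef: 'gw-abc' },
  { id: 1002, createdAt: '2018-07-20T10:00:00Z', total: 30,
    customerName: 'B. Example', email: 'recent@example.com',
    address: '2 Example Street', ipAddress: '192.0.2.11', gatewayRef: 'gw-def' },
];

// Returns a new list: orders older than retentionDays have their personal
// fields set to null and a purgedAt timestamp added; everything else is
// returned untouched. Already-purged orders are skipped, so a nightly run
// never rewrites its own earlier work.
function purgePersonalData(orders, now, retentionDays = RETENTION_DAYS) {
  const cutoff = now.getTime() - retentionDays * 24 * 60 * 60 * 1000;
  return orders.map((order) => {
    if (Date.parse(order.createdAt) >= cutoff || order.purgedAt) return order;
    const purged = { ...order, purgedAt: now.toISOString() };
    for (const field of PERSONAL_FIELDS) {
      if (field in purged) purged[field] = null;
    }
    return purged;
  });
}

// How many orders still hold personal data; useful as a figure to watch or
// as a check at the end of the scheduled job.
function ordersWithPersonalData(orders) {
  return orders.filter((o) => PERSONAL_FIELDS.some((f) => o[f] != null)).length;
}
```

Keeping the purgedAt timestamp on the record gives you something to show if asked when the data was removed, and the same field list doubles as the answer to the audit question of which personal data you hold on each order.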

Do you need to register with the ICO - Information Commissioner’s Office?

If you handle personal data, you may need to register as a data controller with the ICO. Registration is a statutory requirement and every organisation that processes personal information must register with the ICO, unless they are exempt. Failure to register is a criminal offence. You can register on the ICO website, and if you don’t know whether you need to register, the ICO’s self-assessment will tell you.

What happens if I don’t comply?

If you are found to be in breach of the new GDPR guidelines, you may be fined up to 4% of your turnover or 20 million euros, whichever is bigger. That is the official wording from the ICO. However, they are not out to catch small businesses like yours, and if you have a data breach they are more likely to help you become compliant than fine you, as long as you have shown that you have tried to be compliant. A wilful disregard of GDPR will result in a different outcome.

If a data breach does occur, you must be prepared to report it within the 72-hour window, and be able to demonstrate your security and data privacy procedures very quickly.

Conclusions on GDPR for small businesses

So, what have we learnt?

  • GDPR affects all businesses that interact with consumers in the EU, no matter where those companies are located.
  • GDPR is a bit simpler for small businesses, which means GDPR compliance is different for your small (under 250 employees) business than it is for large companies.
  • You need to pay attention to what information you are asking for.
  • You need to say why you are collecting the data and what you plan to do with it.
  • You need to keep your collected data secure.
  • You can help your business by making sure:
    • Your Privacy Policy is clear.
    • You have removed all pre-ticked boxes.
    • You are not collecting unnecessary data.
    • You make a note of how you ask customers for their data.
    • You respect the privacy of your customers and potential customers.
    • You allow your customers the ability to delete the data you have collected.
    • You have checked that all marketing tools and third party plugins that you use will be GDPR compliant by 25th May 2018.
  • Extra thought is required if you run an online shop.
  • Non-Compliance is not an option.

Essentially, as long as you are honest and open with your customers about the data you are collecting from them and you implement best practices, you will be fine. Be sure to complete your data audit by 25th May 2018 and you shouldn't have anything to worry about.

Disclaimer

This guide is not legal advice and by using it you agree to this disclaimer. The materials provided are for informational purposes only and do not constitute advertising, a solicitation or legal advice. You should not rely upon this information for any purpose without seeking legal advice. The information contained is provided only as general information and may or may not be useful to you in your current situation or reflect the most current legal developments; accordingly, information is not promised or guaranteed to be correct or complete.

If you have a comment or want to ask any questions about GDPR, please leave a message below.

Until next time…

Colin
