
5 Things Your Creative Small Business Needs to Comply with GDPR

In the (almost) year since the General Data Protection Regulation (GDPR) went into effect in Europe, you have likely at least heard of it. You may even know enough about it to be worried about it. But do you know what to do about it? In this post, we are going to cover the five things that you need to know about GDPR if you own a small, creative business (yes, even here in the US).

GDPR Impacts Businesses Around the World, Not Just in Europe

GDPR, at its essence, is a set of regulations put in place in Europe to protect consumers’ online data privacy. To do so, it puts responsibilities on businesses with regard to how they handle, process, store, and use customer data, and because it’s related to online business dealings, it impacts anyone who interacts with this virtual data (Read: pretty much everyone).

This Isn’t One of Those Laws that Has No Consequences

In fact, the consequences for failing to comply with GDPR are pretty steep — in the range of $24 million or 4% of your business’ global revenue, whichever is higher. So, it definitely makes business sense to take a few hours to make sure you fully understand how GDPR impacts your business. As a starting point, take a look at our in-depth blog post about how GDPR can impact small business owners.

Consent is the Name of the Game

GDPR provides a few specific ways that businesses may gather and utilize consumer information. The primary permissible way is by consent, meaning the consumer gave your business permission to store or otherwise use their data. Consent is important, but it is not carte blanche to do whatever you want with customer data. You also need some kind of active acknowledgment of consent from the consumer (an affirmative action, not a pre-selected default); something like a checkbox works well. A few pointers on consent:

  • Customers should be able to understand what they are consenting to (something like “we collect data to better serve you!” is not enough; be specific).
  • This information can be provided in the privacy policy (discussed in detail below), but there has to be a way to read the privacy policy before clicking consent.
  • Only use the gathered information for the purposes described in the consent statement.

Err on the Side of Transparency

Throughout GDPR, transparency is a major theme. Basically, these regulations favor businesses that are open and honest about their policies, procedures, and purposes for storing consumer data. Not surprisingly, GDPR doesn’t allow you to say you will collect data for one purpose and then use it in a different way.

Here’s an easy example that a lot of creative entrepreneurs are using: the free report. Many small businesses (ours included) offer a high-value piece of content for free on their site as a way of demonstrating what they do. To download or access this free report, many businesses will require that the consumer provide his or her email address. Then, that email address is redirected into a mailing list for the purposes of future communication. That whole system is fine, as long as you have made it clear from the very beginning that the purpose of providing an email address is to subscribe to your business’ mailing list. Failing to be transparent about this, and then using the email address for something other than the purpose for which it was provided (emailing the free report), would be a violation of GDPR.
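Here is an added example, not code from the original post or from The Brand Protected, of how the consent pointers above and the free-report scenario can be enforced in code rather than left to habit. It records which specific purposes a visitor actually ticked (next to wording that says what each purpose is), refuses pre-ticked boxes and submissions where the privacy policy was not readable first, and then blocks any use of the email address for a purpose that was not consented to or after consent is withdrawn. All names (ConsentLedger, PURPOSES, the sample address and policy version string) are assumptions made for this example, not part of any real library or of the post.

```python
"""Purpose-bound consent ledger (added example; all names are hypothetical)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, Optional

# Assumed purpose identifiers and the specific wording shown beside each checkbox.
# Vague wording such as "we collect data to better serve you" would not qualify.
PURPOSES: Dict[str, str] = {
    "free_report": "Email me the free report I requested.",
    "newsletter": "Add me to the weekly newsletter (unsubscribe any time).",
}
PRIVACY_POLICY_VERSION = "2019-05"  # constructed placeholder, not a real version


class ConsentError(Exception):
    """Raised when a form submission does not amount to valid consent."""


@dataclass(frozen=True)
class ConsentRecord:
    subject: str                 # the email address itself is personal data
    purposes: FrozenSet[str]     # only the boxes the person actually ticked
    policy_version: str          # which privacy policy text they were shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Stores consent per subject and answers 'may I use this data for X?'."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def record_consent(self, subject: str, ticked: Iterable[str], *,
                       policy_version: str, policy_link_shown: bool,
                       boxes_pre_ticked: bool = False) -> ConsentRecord:
        """Accept a submission only if it is an informed, affirmative action."""
        if boxes_pre_ticked:
            raise ConsentError("pre-ticked boxes are not an affirmative action")
        if not policy_link_shown:
            raise ConsentError("the privacy policy must be readable before consenting")
        purposes = frozenset(ticked)
        unknown = purposes - set(PURPOSES)
        if unknown:
            raise ConsentError(f"purpose(s) never described to the user: {sorted(unknown)}")
        if not purposes:
            raise ConsentError("no purpose was consented to")
        record = ConsentRecord(subject, purposes, policy_version,
                               datetime.now(timezone.utc))
        self._records[subject] = record
        return record

    def may_use(self, subject: str, purpose: str) -> bool:
        """Purpose limitation: only purposes actually ticked, and only while active."""
        rec = self._records.get(subject)
        return rec is not None and rec.active and purpose in rec.purposes

    def withdraw(self, subject: str) -> None:
        """Withdrawal keeps the audit trail but stops every further use."""
        rec = self._records.get(subject)
        if rec is not None and rec.active:
            self._records[subject] = ConsentRecord(
                rec.subject, rec.purposes, rec.policy_version, rec.given_at,
                withdrawn_at=datetime.now(timezone.utc))


def free_report_flow() -> Dict[str, bool]:
    """Walk the free-report scenario from the post with a constructed visitor."""
    ledger = ConsentLedger()
    visitor = "visitor@example.com"  # constructed sample address
    # The visitor ticked only the free-report box, not the newsletter box.
    ledger.record_consent(visitor, ["free_report"],
                          policy_version=PRIVACY_POLICY_VERSION, policy_link_shown=True)
    results = {
        "send_report": ledger.may_use(visitor, "free_report"),
        "add_to_newsletter": ledger.may_use(visitor, "newsletter"),
    }
    ledger.withdraw(visitor)
    results["send_report_after_withdrawal"] = ledger.may_use(visitor, "free_report")
    return results


if __name__ == "__main__":
    for step, allowed in free_report_flow().items():
        print(f"{step}: {'allowed' if allowed else 'blocked'}")
```

The point of keeping the purposes in the record rather than a single "agreed" flag is that the mailing-list question from the post becomes a lookup, not a judgment call: if "newsletter" was not a separately described and ticked purpose, the address cannot be used for it, and the stored policy version shows exactly what wording the person saw when they consented.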

If You Write a Blog, Send Email Blasts, or Store Customer Information, You Need a Consumer Data Protection Plan

One of the big requirements of GDPR is that personal, private data should be stored securely. Your business, as an entity that safeguards others’ personal data, needs to take appropriate measures to protect that information. That doesn’t mean every small business needs to install private servers and encrypted data storage facilities, but it does require that certain safeguards be put in place.

Here are a few tips:

  • Consumer data should not be stored on a portable device (like your phone)
  • You should never share your login information with anyone
  • Use strong passwords
  • Office files and other places where customer information is stored should be password-protected
  • Even better, store customer data on removable storage, such as a USB drive or an external hard drive
  • While not specifically required, it is recommended that all websites use encrypted connections (HTTPS rather than HTTP)

Start Taking Action Today

If you haven’t done so already, make a little time this week to start looking at how GDPR may impact your small business. Make a list of the kinds of personal data you collect, so you know what your actual liabilities are. Take into consideration the information you actively ask people for, as well as the information that is passively gathered by your systems such as WordPress, Squarespace, MailChimp, Google Analytics, and others. Organize this data by type (name, address, credit card information, etc.) and source. Determine why you store this information and whether you need to.

Publish a GDPR-Compliant Policy! We will be going into more depth on this subject next week (keep an eye out here on the blog!), but one of the best ways to demonstrate your business’ effort to comply with GDPR is to draft and publish your Data Privacy Policy. This policy should include:

  • What kinds of data you collect and for what purpose
  • Who you might share data with (if anyone)
  • What kinds of cookies are used on your blog
  • What steps you have put in place to protect consumer data
  • What your customers/readers/subscribers are consenting to by providing their information and how to withdraw consent in the future

If you already have a privacy policy, make sure you review it to ensure it is GDPR compliant.

Reach Out to the Experienced Professionals at The Brand Protected® to Learn More

At The Brand Protected®, we make every effort to stay informed about important legal developments that impact our small business clients. If you are concerned about GDPR compliance, or if you are not sure how/whether these regulations apply to your business, please make an appointment with me. I will be happy to walk through your business’ data privacy responsibilities with you and help you determine what changes you may need to make. Click here to schedule an appointment.