GDPR Basics for Small Businesses

I am sure you’ve already heard about the GDPR. But do you know what it is really about? In this article I have prepared a summary of the GDPR basics every small business should know before targeting customers based in the European Union (EU). The information in this article will help you understand what the GDPR is about and why it is important to implement it in your business.

What is covered in this article:

  1. What is the GDPR?
  2. GDPR Articles
  3. The 7 Principles of the GDPR
  4. The Rights for Individuals
  5. Other Important Aspects for Small Businesses
  6. Dos and Don’ts

Note: The GDPR information provided in this article serves only as a base for you to consider GDPR requirements in your online business and marketing activities. You should contact your lawyer or business consultant to obtain advice with respect to the actual implementation of GDPR requirements within your business.

1. What is the GDPR?

GDPR stands for General Data Protection Regulation, which came into effect on 25th May 2018. The GDPR is the EU’s new data privacy and security law, designed to strengthen the rights of EU residents regarding the collection and processing of their personal data by businesses and other organisations.

With the GDPR, the EU emphasizes its firm stance on data privacy and security, while imposing obligations onto businesses worldwide that target or collect data related to people in the EU. In line with the GDPR, businesses can get harsh fines if they violate its privacy and security standards, with penalties of even tens of millions of Euro.

2. GDPR Articles

The GDPR is the toughest privacy and security law in the world. Even though there are a few exemptions related to data processing activities when it comes to small businesses (those with fewer than 250 employees), you should not assume that you are not liable for breaching the GDPR because you have a small business.

The GDPR is a long document with 99 articles; the following are the main Articles that you should read as a small business owner:

  • Article 4: Definitions
  • Article 5: Principles relating to processing of personal data
  • Article 6: Lawfulness of processing
  • Article 7: Conditions for consent
  • Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
  • Article 13: Information to be provided where personal data are collected from the data subject
  • Article 14: Information to be provided where personal data have not been obtained from the data subject
  • Article 15: Right of access by the data subject
  • Article 16: Right to rectification
  • Article 17: Right to erasure (‘right to be forgotten’)
  • Article 18: Right to restriction of processing
  • Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 24: Responsibility of the controller
  • Article 25: Data protection by design and by default
  • Article 30: Records of processing activities.

However, other articles might be relevant to your business, depending on your activity, so you should take a look at the full GDPR. Here you can find the official PDF document with the current version of the General Data Protection Regulation.

3. The 7 Principles of the GDPR

The GDPR specifies a number of data protection principles, which drive compliance. These can be summarised into seven key principles related to the lawful processing of personal data.

As defined in the GDPR (Article 4: Definitions, (2)), processing “means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Broadly, the GDPR’s seven guiding principles for compliant processing are:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability.

According to the GDPR, personal data shall be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accurate and kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Processed in a manner that ensures appropriate security of the personal data.

4. The Rights for Individuals

The GDPR lists and explains the rights of the data subject (i.e. individuals), which relate to:

  • Information (Articles 13 and 14)
  • Access (Article 15)
  • Rectification (Article 16)
  • Erasure (Article 17)
  • Restrict Processing (Articles 18 and 19)
  • Data Portability (Article 20)
  • Object (Article 21)
  • Automated Decision-Making (Article 22)

As a business owner, it is important for you to understand the rights of individuals that are protected by the GDPR. Knowing these rights will also help you understand your obligations and requirements to keep your business compliant with the GDPR.

If you have any doubts about any of the above stated rights, I suggest you read the whole article explaining that right.

5. Other Important Aspects for Small Businesses

You need to understand that as a small business owner, you are liable for non-compliance with the GDPR, just like any other company.

It is critical to ensure that every person in your database has given explicit permission to send them promotional emails. Therefore, in order to build your contact database in line with GDPR requirements, when collecting personal data you must achieve consent through opt-in. This means that you need to have an opt-in form, where you ask customers for their permission to store and use their data.

Also, each person should be able to withdraw their consent (opt-out or unsubscribe) at any time, in which case you need to immediately remove them from your database. As such, if you send emails through marketing automation software, you could receive a penalty for emailing someone who has opted out or unsubscribed.

As a small business, you are exempt from having to keep records on your data processing activities. Nevertheless, in case of a data breach, if you can prove with detailed record-keeping and data protection processes that your policies and processes are designed to adhere to the GDPR, the authorities are less likely to levy a harsh fine against you. However, if you made no effort to comply with the GDPR, they will more likely issue a higher fine.

6. Dos and Don’ts

Here you can find some dos and don’ts to summarise key actions in relation to your small business compliance with the GDPR.

Do:

  • Ensure all your contacts have actively opted-in to receive your marketing communications.
  • Ensure your contacts gave consent for each of the purposes of your data collection.
  • Ensure you have proof/evidence that your contacts gave active consent.
  • Allow your contacts to withdraw their consent at any time and in an easy way.
  • Provide the option to unsubscribe or edit preferences in every email you send to your contacts.
  • When a contact withdraws their consent, ensure they are deleted from your database and that no further automated marketing communications are sent to them.
  • Have a cookie consent banner, Privacy Policy and Cookie Policy on your website, e-commerce or landing page.
  • Prepare an action plan in case of data breach.
  • Make sure you understand your GDPR data protection responsibilities.

Don’t:

  • Add contacts automatically in your database if they have not actively opted-in and given consent.
  • Buy or use contact lists from third parties.
  • Add contacts from LinkedIn or other social media channels, or company websites.
  • Assume that consent is generic and that you can use personal data received for various purposes and communications.
  • Use pre-ticked boxes when acquiring a contact; they need to actively opt-in.
  • Ask contacts to provide unnecessary personal information.
  • Ignore a data breach.
  • Assume you are not liable for breaching the GDPR, because you have a new small business.

Apart from the GDPR tips shared in this article, I have prepared other business start-up tips for beginners you might benefit from reading.

I hope this article helped you understand a bit more about what the GDPR is about. However, please note that the information provided serves only as a base for you to consider GDPR requirements in your small business and marketing activities. As mentioned earlier, it is wise to consult an experienced business lawyer to obtain advice with respect to the actual implementation of GDPR requirements within your business.

Make sure you comply with GDPR requirements within your marketing activities and operations. If you need help with web design and development, email marketing and other marketing support services that ensure compliance with the GDPR, you can contact us.


Dr. Natasa Kobal is a marketing and international business expert, who believes in creating solutions that accelerate SMEs’ sustainable growth. She is the Owner and Founder of IB4SME, a business consulting and training brand that empowers SME owners and decision-makers internationally with the skills and support they need to successfully manage their businesses. With a PhD in business management, combined with 18 years of experience in international marketing, Natasa manages all IB4SME business consulting solutions and services.
