GDPR Compliance Checklist for Home Businesses
Make Sure Your Online Business is Compliant
On May 25, 2018, GDPR went into effect. At the time, you may have seen a lot of articles about it and wondered whether it applied to your home business.
If you haven’t yet sorted out GDPR, here is a brief overview of what it is, why you may have to comply, and a checklist to make sure you’ve done what you need to do to avoid problems.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a European Union privacy law, one of the most far-reaching in the world, that protects individuals by requiring transparency about what personal data is collected and how it is used, and a lawful basis (often consent) for collecting it.
Because it was passed in the European Union (EU), many small and home businesses outside that area assumed it didn’t affect them. Other businesses that didn’t sell anything or obviously “collect” data, such as blogs, assumed they didn’t have to comply either; chances are they were wrong.
Who is required to be GDPR compliant?
Any online business that offers goods or services to, or tracks the behaviour of, people in the EU should be compliant. If you run a food blog that has readers in Europe, you need to be compliant. Even if you don’t collect email addresses (e.g. for a newsletter) or accept blog comments, chances are you’re collecting some sort of data, whether through Google Analytics or through a third party such as an affiliate program.
In the end, it’s better to be safe than sorry. Understanding and implementing GDPR tasks is a bit confusing, but doing so protects you from fines. For lower-tier infractions the regulation allows fines of up to ten million euros or two percent of annual worldwide turnover, whichever is higher; for the more serious tier this rises to twenty million euros or four percent of turnover, again whichever is higher.
GDPR Checklist for Home Business Owners
Here is a checklist to help you get your website GDPR compliant:
Part One: Preparing
- Determine all the sources of data collection on your website. This includes:
  - Commenting options
  - Email collection
  - Google Analytics
  - Third-party vendors and tools (PayPal, payment processors, email list services, affiliate programs, etc.)
- Write down how and why you collect each kind of data, and how long you keep it. For example, why are cookies set, and how long do they persist?
- Identify the “lawful basis” for collecting this data. GDPR recognises six:
  - Consent – The visitor gave explicit consent
  - Contract necessity – The data is needed to fulfil a contract with the person (e.g. shipping an order)
  - Legal obligation – The data is required to meet a law or regulation (e.g. tax records)
  - Public task – Processing is needed to carry out a task in the public interest; mostly used by public authorities
  - Vital interest – Processing is needed to protect someone’s life
  - Legitimate interest – You can show a genuine business reason that is not outweighed by the person’s rights and interests
- Keep records of the data you collect and of the decisions above, so you can demonstrate compliance if challenged. For example, you should be able to show how, when, and with what wording you obtained each person’s consent.
Part Two: Making Your Online Business GDPR Compliant
- Create a consent policy and implement it. GDPR requires that consent be freely given, specific, informed and unambiguous, and given by a clear affirmative action. It might seem obvious that a person entering their email into your web form is giving consent, but GDPR would likely disagree. Instead, you need a clear statement next to the form about what the email will be used for and how the person can get off the list, and, for best protection, a checkbox the person must tick to give explicit consent. That box can’t be pre-ticked; the person has to tick it themselves when they enter their name and email.
- Have a way for people to contact you about their data. GDPR gives individuals the right to be informed about the data collected, to access what you hold about them, to rectify (correct) it, and to have it erased. Responses are due without undue delay, and in general within one month of the request.
- Boost your website security. Many website breaches are hackers stealing personal data. Make your site as hard to break into as you can, and have a plan for notifying your visitors if their data is breached; GDPR also requires you to report a breach to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to put people at risk. Serving your site over HTTPS (TLS) is a good start, and it also helps your Google rankings.
- Write or rewrite your Privacy Policy page so that it covers:
  - The data you collect, such as email addresses; data you transfer or share (e.g. with a third-party payment system); the cookies you set; and the third-party services you use to run the site, such as your email list provider, Google Analytics, survey tools, WordPress, etc.
  - The types of information collected, both directly identifying data (name and email) and online identifiers such as IP addresses and cookie IDs, which GDPR also treats as personal data.
  - The ways data is collected, such as order forms, commenting features, and feedback forms.
  - The security measures you use to protect the data.
  - Whether the site is suitable for children and whether you collect data on children who visit the site.
  - The rights your visitors have over their information. This is where you tell visitors how they can opt out (e.g. of your email list), how they can access the personal information you hold on them, how they can correct it, and how they can have you “forget” (delete) it. If some data must be kept by law, say so. You might also remind people not to submit sensitive personal data through your forms.
  - You might include a consent box at the end of your privacy policy for people to tick. It’s also a good page on which to put a form for requesting a copy of the data you hold or asking for it to be removed.
- Write or re-write your Terms and Conditions page. This is a pretty lengthy page that outlines legal terms and conditions for using your site. It generally covers a host of topics including, terms, product information including cancellations and refunds, intellectual property and trademarks, privacy, and more.
- Check that the third-party services you work with are also compliant. You may be judged by the company you keep: if you send clients, customers or visitors to a third party that isn’t compliant, that could be a problem, and any provider that processes personal data on your behalf (your email list service, for example) should have a written data processing agreement with you.
- Refresh consent with your current members and subscribers. Technically, you only need to do this for EU subscribers, but it doesn’t hurt to clean up your whole list and confirm that people still want what you’re sending them. Email them asking whether they want to stay subscribed, and give them a clear mechanism (a link or a ticked box) by which they confirm their consent; anyone who doesn’t respond should be dropped.
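The consent and data-rights steps above are easy to get subtly wrong in code, so here is an added example (not code from the article, and not tied to any particular list provider) of a tiny mailing-list store that captures explicit consent from a signup form, records what was consented to, services access, rectification and erasure requests, and flags legacy subscribers who need a consent refresh. All class and field names, and the form field layout, are assumptions for illustration:

```python
# Added illustration, not code from the article. Names and form layout are assumed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


class ConsentError(ValueError):
    """Raised when a signup arrives without an explicit, affirmative consent."""


@dataclass
class Subscriber:
    email: str
    name: str
    consent: Optional[dict] = None  # None = no consent record on file (legacy subscriber)


class MailingList:
    def __init__(self, statement_version: str):
        # Version label of the consent wording shown beside the checkbox, so each
        # record states exactly which text the subscriber agreed to.
        self.statement_version = statement_version
        self.subscribers: dict[str, Subscriber] = {}

    def subscribe(self, form: dict, now: Optional[datetime] = None) -> Subscriber:
        """Handle a signup form POST. `form` is the parsed form body (a dict)."""
        # An unticked HTML checkbox is simply absent from the submitted body, so a
        # missing key must mean "no consent", never a default of yes. The form is
        # assumed to render <input type="checkbox" name="consent" value="yes">
        # with no `checked` attribute, so the value only appears when ticked.
        if form.get("consent") != "yes":
            raise ConsentError("explicit consent checkbox was not ticked")
        email = form.get("email", "").strip().lower()
        if "@" not in email:
            raise ValueError("invalid email address")
        now = now or datetime.now(timezone.utc)
        record = {
            "purpose": "newsletter emails",
            "statement_version": self.statement_version,
            "given_at": now.isoformat(),
            "method": "unticked checkbox on signup form",
            "withdraw_via": "unsubscribe link in every email",
        }
        sub = Subscriber(email=email, name=form.get("name", "").strip(), consent=record)
        self.subscribers[email] = sub
        return sub

    def access(self, email: str) -> Optional[dict]:
        """Right of access: return everything held about this person, or None."""
        sub = self.subscribers.get(email.strip().lower())
        if sub is None:
            return None
        return {"email": sub.email, "name": sub.name, "consent": sub.consent}

    def rectify(self, email: str, name: str) -> bool:
        """Right to rectification: correct the stored name. Returns False if unknown."""
        sub = self.subscribers.get(email.strip().lower())
        if sub is None:
            return False
        sub.name = name.strip()
        return True

    def erase(self, email: str) -> bool:
        """Right to erasure / unsubscribe: delete the record entirely."""
        return self.subscribers.pop(email.strip().lower(), None) is not None

    def needs_reconsent(self) -> list[str]:
        """Subscribers with no consent record, or a record for an older statement
        version, who should be emailed to confirm they still want the mailing."""
        return sorted(
            s.email
            for s in self.subscribers.values()
            if s.consent is None or s.consent["statement_version"] != self.statement_version
        )


if __name__ == "__main__":
    ml = MailingList("2018-05")
    ml.subscribe({"email": "Ann@Example.com", "name": "Ann", "consent": "yes"})
    ml.subscribers["old@example.com"] = Subscriber("old@example.com", "Old", None)
    print(ml.access("ann@example.com"))
    print("needs re-consent:", ml.needs_reconsent())
```

The important detail is in `subscribe`: because an unticked checkbox never reaches the server, the handler refuses anything other than the explicit `"yes"` value, and it stores the purpose, the wording version and the time alongside the address so you can later show how consent was obtained. The `needs_reconsent` query gives you the list to target with a refresh email.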
Overwhelmed? Dealing with GDPR is a lot of work, and much of it is legal mumbo-jumbo. There are templates and other free resources online you can use to help, and there are plugins (for WordPress) and other tools you can add to your site and tweak to fit what you do and offer. Because it is a legal matter, having an attorney knowledgeable about GDPR is ideal if you can afford it.
To learn more about GDPR, check out the following resources:
GDPR – The official text of the regulation.
ICO’s GDPR Steps for Micro Business Owners – A PDF from the Information Commissioner’s Office in the U.K. that outlines 8 steps to GDPR compliance.