Craig Greenup 15/03/24, 08:00
GDPR can seem big and scary to small business owners. There’s a lot of complicated legal lingo to get your head around.
That’s why we’ve created this simple guide to GDPR. In it, we cover the 7 data protection principles and the legal bases you can use to justify data collection. We also explore some of the things you need to run a GDPR compliant website.
In this guide we’re going to cover:
GDPR stands for General Data Protection Regulation. It’s a data privacy law that came into force across the UK and EU in 2018.
After Brexit, the EU version of the GDPR was replaced with (an almost identical) UK version. This is called UK GDPR and it’s the legislation that we work to today.
GDPR aims to protect personal information. By personal information, we mean things like:
Business owners have to follow GDPR. In doing so, they keep personal data safe and use it responsibly. They get an individual’s consent before collecting or using their data. And they have an effective and compliant way of storing it.
By sticking to GDPR, businesses (and other organisations) protect their reputation. They also make it less likely that individuals will fall victim to fraud or cybercrime. They protect the company from fraud and cybercrime, too.
UK GDPR follows seven data protection principles. These are:
These data protection principles are the foundation for GDPR.
If you collect personal data, you need to have a valid GDPR lawful basis to do so. There are six lawful bases for processing, as outlined by the Information Commissioner’s Office (ICO). These are:
Legitimate interests is the haziest GDPR lawful basis. You can only use it when you use people’s data in ways they could reasonably expect and in ways that have a minimal impact on their privacy. You can read more about the legitimate interests basis here.
Whichever lawful basis justifies your data collection, you need to explain it in your privacy notice.
Small business GDPR is no different from the standard rules and regulations. No matter how big or small your company, if you use and store personal information, you need to follow GDPR.
As a small business, you probably process a lot less personal data than a huge corporation. But you still have an obligation to keep that data safe and secure. And to use data in line with customer or client preferences.
If an individual is negatively affected because you don’t stick to GDPR guidelines, they can take legal action against you. They may be able to claim compensation.
The ICO also has enforcement powers. This means they can issue warnings and penalties if you don’t follow UK GDPR.
For cases where the ICO believes there is reckless or deliberate harm, it can issue fines of up to £17.5 million or 4% of your annual turnover, whichever is higher.
Whether you already have a website or you’re getting one built, GDPR is an important consideration. Here’s what you need to do to make a GDPR compliant website for your small business.
Start by carrying out an audit of all the personal customer data you currently store to see if it’s compliant. Soft opt-ins don’t count. So you need to delete the data of any customers who didn’t give their explicit consent.
Keeping records is an important part of GDPR compliance. You need to keep a record of all the personal data you keep on file. The ICO provides a data record template and explains everything you need to include.
You need to add a privacy notice to your site. This should explain how and why data is collected. It should also outline how the data will be used and how long it will be kept.
It should be easy for website users to access your privacy notice. Bonus points if you write it in simple, non-legal language that your users understand. Also, always include a link to your privacy notice when asking users to hand over personal information.
You have to get specific and explicit consent to collect and store user email addresses. This means users have to actively opt in to mailing lists.
Some companies are ensuring they get consent by using a double opt-in method. They’re asking customers to tick a box to opt in and then also confirm their email address before they’re added to the mailing list.
You should only keep personal data for as long as you need to. While the GDPR doesn’t specify time scales, it’s worth regularly checking that your customers want to stay on your database. Even if they’ve given their consent previously.
You should also make it easy for customers to unsubscribe from your emails. Add an unsubscribe link to the bottom of every email and make the unsubscribe process as simple as possible.
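The double opt-in, retention and unsubscribe steps above, as an added example that is not code from the original post or from Radical: an in-memory mailing list where an address is only stored once the confirmation link is used, where the consent record keeps the evidence (form, timestamps, privacy notice version) you would need for your data records, and where every email carries a signed one-click unsubscribe link. The secret key, notice version and 48-hour confirmation window are assumptions.

```python
import hashlib, hmac, secrets, time

# Constructed example values; real deployments load these from configuration.
SECRET_KEY = b"change-me"        # assumption: signs unsubscribe links
NOTICE_VERSION = "2024-03"       # assumption: privacy notice version shown at sign-up
CONFIRM_WINDOW = 48 * 3600       # assumption: unconfirmed sign-ups expire after 48 hours

pending = {}      # confirmation token -> sign-up details (no consent yet)
subscribers = {}  # email -> consent record (explicit, confirmed consent)

def request_subscription(email: str, source: str, now: float) -> str:
    """Step 1: the user ticked the box. Store a pending entry and return the
    single-use token to put in the confirmation email. Nothing is on the list yet."""
    token = secrets.token_urlsafe(32)
    pending[token] = {"email": email, "source": source, "requested_at": now}
    return token

def confirm_subscription(token: str, now: float) -> bool:
    """Step 2: the user clicked the link. Only now is the address added, together
    with the record of how and when consent was given."""
    entry = pending.pop(token, None)
    if entry is None or now - entry["requested_at"] > CONFIRM_WINDOW:
        return False  # unknown, already used or expired token: no consent recorded
    subscribers[entry["email"]] = {
        "source": entry["source"],            # which form they signed up on
        "requested_at": entry["requested_at"],
        "confirmed_at": now,
        "notice_version": NOTICE_VERSION,     # which privacy notice they were shown
    }
    return True

def unsubscribe_token(email: str) -> str:
    """HMAC of the address, embedded in the unsubscribe link of every email sent,
    so unsubscribing needs no login and the link cannot be forged for other addresses."""
    return hmac.new(SECRET_KEY, b"unsub:" + email.encode(), hashlib.sha256).hexdigest()

def unsubscribe(email: str, token: str) -> bool:
    """One-click unsubscribe: constant-time check that the link is one we issued."""
    if not hmac.compare_digest(token, unsubscribe_token(email)):
        return False
    return subscribers.pop(email, None) is not None

def purge_stale(now: float) -> int:
    """Retention: drop sign-ups that were never confirmed, so no unconsented data is kept."""
    stale = [t for t, e in pending.items() if now - e["requested_at"] > CONFIRM_WINDOW]
    for t in stale:
        del pending[t]
    return len(stale)
```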
Website cookies are also covered under GDPR changes. If you want to use cookies on your site, for example for website analytics, then you must get consent from your users. You need to let users know that the cookies are there, what they are for and why you use them.
People can ask you to delete or provide a copy of their personal information. This is called a subject access request (SAR) and you’re obliged to respond within a month.
If there’s a serious personal data breach, you need to act quickly. You should contact the ICO within 72 hours.
You may need to register with the ICO and pay a data protection fee. You can find out if you need to register by using their self-assessment tool.
Some businesses are required to appoint a data protection officer. This person is responsible for making sure data collection within the company is compliant with new GDPR legislation.
We hope that our simple guide to GDPR has shed some light on what can be a complicated topic.
It’s clear that GDPR is important for any small business. And not just so you swerve a hefty fine or legal action.
Customers are more likely to trust your website and your company when you look after their data. And when you’re honest about how you use it.
We can help make your business website more GDPR compliant. We can add an email marketing opt-in form, a privacy policy or cookie management functions. Our dev and design team can also craft a GDPR compliant website from scratch.
So whatever your website needs, get in touch with the friendly Radical team to chat about your project.