Since it became applicable on 25 May 2018, the GDPR has caused a lot of turmoil in the online business world. Especially among sole business owners, there is a lot of confusion about how to comply with it properly. In this article, I want to discuss GDPR compliance for micropreneurs and solopreneurs.
Can I Just Add A Pop-Up Or Extend The Cookies Warning And Call It A Day?
Unfortunately not. The GDPR cannot be addressed by installing a new plugin or extending the cookie pop-up alone. It affects how your business or website works, how you collect information from your users or visitors, and how you manage it.
You will certainly need to do some work on your website. But you will also need to take action in other areas, some of them offline.
So What’s The GDPR, Anyway?
GDPR (General Data Protection Regulation) is a European regulation that applies to any business that offers goods or services to data subjects within the EU, or monitors the behavior of data subjects within the EU, regardless of where the business itself is located.
In short, if your online business has users, customers or even visitors from the EU, you need to comply with it.
The GDPR includes a series of rules that are intended to safeguard the data protection rights of individuals. These rules affect how organizations collect, handle, process and
I Am A Micropreneur, Solopreneur, Or Small Business Owner, Do I Have To Comply With The GDPR?
Yes. The size of your business does not exempt you from complying with the GDPR.
It’s true that the regulation explicitly acknowledges that small businesses have fewer resources, and that the data they manage may not be that sensitive. Nonetheless, they are still required to adopt the necessary measures to be fully compliant.
One important area where small business owners enjoy certain flexibility is in the appointment of their DPO (Data Protection Officer), as we will see later in this article.
GDPR Compliance For Micropreneurs And Solopreneurs
In this section, I am going to explain, from a very practical point of view, the steps needed to comply with the GDPR if you are a small business owner. This applies to you if you are a freelancer, blogger, e-commerce owner or entrepreneur with an online business.
Understanding The Data You Manage
The first question you need to ask yourself is what personal data your business holds. Under the GDPR, “personal data” is anything that identifies a person or can be linked to them: not only the obvious fields (name, address, email…) but also IP addresses, location, device identifiers, cookies, or even biometric data.
It includes not only the data you collect yourself but also the data collected on your behalf by third-party services such as Google Analytics or MailChimp.
Thus, imagine that you have an online shop. Obviously, your purchase flow includes the billing information of the customer. Additionally, you have a newsletter with MailChimp, and use Google Analytics to track the traffic of your website. Finally, you have a chat plugin to offer customer support to your users.
Then, this is the data that you are probably managing:
- The personal data (name, address, age, gender, phone, email…) of your customers as part of their billing/shipping addresses.
- All cookies your site uses to identify, track, and offer services to your customers.
- All data you are collecting from your newsletter subscribers and incorporating into MailChimp.
- The data collected by Google Analytics for tracking purposes.
- And, of course, all data your chat plugin collects from your visitors.
Hopefully, you are using a payment gateway that tokenizes your customers’ card details, so the card numbers never reach your systems and you don’t have to protect them yourself. The gateway is still a third party receiving personal data on your behalf, though, so it belongs in the list of recipients in your privacy notice, and the order and billing data you keep alongside the token is still yours to protect.
Collaborators, Employees, VAs…
As a micropreneur or solopreneur, chances are you are the only one accessing the data of your customers.
However, if you work with collaborators, employees, or VAs that have access to it, they need to be aware of their responsibilities too. This implies informing them about the data your business manages from the users and customers and letting them know how you are preparing to comply with the new EU regulations. Your business is actually liable for their activities while managing data of your customers and users.
Your employees and collaborators also need to understand the importance of the data they are handling, what constitutes a data breach (more on that later), and how to act in those situations. In practice this means a short meeting where you walk them through your plan for complying with the GDPR.
You are also encouraged to promote a business culture where employees report mistakes that might imply a security problem instead of hiding them: you only have 72 hours to report a breach, and that clock starts when you become aware of it.
Get User Consent
One important area where the GDPR is a lot stricter than the previous data protection legislation is user consent.
With the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. What does that mean in practice? Wherever consent is the legal basis for collecting data, you need a checkbox (or an equivalent affirmative action) for each separate purpose, and it cannot be pre-accepted: the checkbox cannot be checked by default, and consent for one purpose (say, a newsletter) cannot be bundled into another (say, placing an order). You also need to be able to show later who consented to what, when, and to which version of your text.
Luckily, most professional tools that collect information about users, such as MailChimp, have already adapted to this change. But let’s say you have a comment section on your blog or a contact form. If any data collected there is going to be used for a purpose beyond handling the comment or message itself (adding the person to a mailing list, for instance), there needs to be a checkbox, initially unchecked, so users can grant you permission for that use.
In a future post, I will talk about the best way of implementing all aspects of the GDPR on your blog, including consent.
For third-party tools, you need to make sure to enable the appropriate settings so they ask for consent.
One important aspect to consider is that consent obtained before the GDPR remains valid only if it was obtained to the same standard (unambiguous, unbundled, no pre-ticked boxes, and recorded). If it was not, or if you cannot prove it, you need to obtain it again from your existing contacts. The usual way is to email your users or customers asking them to reconfirm their consent. This is a controversial subject because it can hurt your mailing list, and there is a catch: a “please re-consent” email sent to people whose consent you cannot evidence is itself a marketing email you may not be allowed to send. If you want to be fully GDPR compliant, you need to at least let users know that they can opt out at any time.
Presenting The Information So It’s Easy To Understand
Once you know what data you are collecting and who has access to it, you need to clearly specify that on your website.
Probably not a lot of people ever read an EULA (End User License Agreement) or the terms and conditions of the online services we use. We just scroll to the bottom of the page and click on “Ok, whatever, just let me in“.
That’s because, apart from being super long and boring, they are written in a complex legal language that’s hard for most of us to understand. The result is that we end up accepting conditions we haven’t even read.
That’s about to change.
The GDPR requires you to present this information in a concise, transparent and easily understandable way, in clear and plain language, to your customers, users, and visitors. Depending on the content of the document, that can be a challenge.
I have seen some very creative techniques for doing that on some sites. One example splits the screen in two, with the long legal text on the right and a short, human-friendly summary on the left, in completely colloquial language.
The information to be presented needs to include the following:
- identity: who the controller is (you) and how to contact you
- purpose: why you are collecting the data
- legal basis: the mechanism under which you collect and process this data (consent, contractual necessity, legal obligation, legitimate interest…)
- recipients: any third parties you send or share this data with
- time period: how long you keep the data, or the criteria you use to decide that
- rights: the rights of your users, including the right to withdraw consent and to complain to a supervisory authority
Rights Of Data Access
Another critical part of the GDPR is the users’ right to access, rectify or erase their data. Under the GDPR, any user of your online services or website can request a copy of the data you hold about them, and you must respond within one month (this can be extended for complex requests, but you must tell the user within that first month).
In practice, the user needs a way, preferably automated, to retrieve this information, rectify it, restrict further processing of it, download and export it in a structured format, and have it deleted on request.
Two important notes here. First, the export format for data portability must be “structured, commonly used and machine-readable”, so something another IT system can import: CSV, JSON or XML are the safe choices. A PDF is fine for a plain access request, since the user can read it, but it is not a portable format.
Second, “deleting” does not necessarily mean erasing every record: you can anonymize it, keeping the non-personal parts (for example order totals needed for your accounts) but removing everything that links them to the person. Be careful with the difference: if you merely replace names with a code and keep a key or table that maps back, the data is pseudonymized, still personal data, and still subject to the request.
In a future post, I will talk about mechanisms for including this automatically on your blog.
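The mechanisms above (a machine-readable export, rectification of a whitelisted set of fields, and erasure implemented as anonymisation) in working form, as an added example that is not part of the original post. Everything in it is an assumption for illustration: the customer and order records are constructed, the field names are invented, and the rule that order totals and dates are kept for accounting is a stand-in for whatever your own retention obligations are; a real shop would read from its database instead of the in-memory dicts. It also shows the kind of consent record (purpose, timestamp, version of the text shown) that the “Get User Consent” section implies you should be able to produce.

```python
"""Data-subject request handling for a small shop (illustrative example)."""
import csv
import io
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data (not real people): what a small shop holds on a customer.
CUSTOMERS = {
    "c-1001": {
        "name": "Ana Ruiz",
        "email": "ana@example.com",
        "phone": "+34 600 000 000",
        "address": "Calle Mayor 1, Madrid",
        # Consent is stored with purpose, time and the version of the text the
        # user saw, so it can be demonstrated later (assumed schema).
        "consents": [
            {"purpose": "newsletter", "given_at": "2018-06-01T10:00:00Z", "text_version": "v2"},
        ],
    },
    "c-1002": {"name": "Bo Li", "email": "bo@example.com", "phone": None,
               "address": "Rue Haute 5, Brussels", "consents": []},
}
ORDERS = [
    {"order_id": "o-5001", "customer_id": "c-1001", "total_eur": 49.90,
     "placed_at": "2018-06-02", "ip": "203.0.113.7"},
    {"order_id": "o-5002", "customer_id": "c-1002", "total_eur": 12.00,
     "placed_at": "2018-06-03", "ip": "198.51.100.9"},
]

PERSONAL_FIELDS = ("name", "email", "phone", "address")   # fields that identify the person
ORDER_FIELDS = ("order_id", "total_eur", "placed_at", "ip")


def subject_record(customer_id: str) -> dict:
    """Everything held about one subject: profile, consents and their orders."""
    return {
        "customer_id": customer_id,
        "profile": CUSTOMERS[customer_id],
        "orders": [o for o in ORDERS if o["customer_id"] == customer_id],
    }


def export_subject(customer_id: str, fmt: str = "json") -> str:
    """Right of access / portability: a structured, machine-readable copy."""
    record = subject_record(customer_id)
    if fmt == "json":
        return json.dumps(record, indent=2, sort_keys=True)
    if fmt == "csv":
        # Flatten to one row per order (profile repeated on each row); a
        # customer with no orders still gets one row with their profile.
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=["customer_id", *PERSONAL_FIELDS, *ORDER_FIELDS])
        writer.writeheader()
        for order in record["orders"] or [{}]:
            row = {"customer_id": customer_id}
            row.update({f: record["profile"][f] for f in PERSONAL_FIELDS})
            row.update({f: order.get(f) for f in ORDER_FIELDS})
            writer.writerow(row)
        return buf.getvalue()
    raise ValueError(f"unsupported export format: {fmt}")


def rectify_subject(customer_id: str, field: str, value: str) -> dict:
    """Right to rectification: only profile fields may be changed on request."""
    if field not in PERSONAL_FIELDS:
        raise ValueError(f"field is not rectifiable: {field}")
    CUSTOMERS[customer_id][field] = value
    return CUSTOMERS[customer_id]


def erase_subject(customer_id: str, now: Optional[datetime] = None) -> dict:
    """Right to erasure, implemented as anonymisation.

    Identifying fields, consents and order IPs are removed. Order totals and
    dates are kept (assumption: your accounting rules require them) but are
    unlinked from the person. No pseudonym or key is kept, so the link cannot
    be rebuilt; a keyed hash instead would only pseudonymise the data.
    """
    now = now or datetime.now(timezone.utc)
    profile = CUSTOMERS[customer_id]
    for field in PERSONAL_FIELDS:
        profile[field] = None
    profile["consents"] = []
    profile["erased_at"] = now.isoformat()
    unlinked = 0
    for order in ORDERS:
        if order["customer_id"] == customer_id:
            order["customer_id"] = None   # break the link to the person
            order["ip"] = None            # an IP address is personal data too
            unlinked += 1
    return {"customer_id": customer_id, "orders_anonymised": unlinked}


if __name__ == "__main__":
    print(export_subject("c-1001", "csv"))
    print(erase_subject("c-1001"))
```

The point to take from `erase_subject` is what it does not keep: there is no lookup table from the anonymised orders back to the customer, which is what makes the remaining rows non-personal. Whatever you keep after an erasure request should be justified by a retention obligation you can name, and that justification belongs in your privacy notice under “time period”.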
Who Watches The Watchmen? You Do
If suppliers or third-party organizations process personal data on your behalf, you are obliged to have a contract with them that contains the clauses required by Article 28 of the GDPR (usually called a data processing agreement, or DPA). Most established providers, like MailChimp and Google, already publish one; you still need to actually accept it and keep a copy, but for those you probably won’t need to negotiate anything.
A common situation where this applies to a micropreneur is when you are an affiliate of a company under a private contract or agreement. If that company is (and it probably is) processing personal data of the leads you send it, make sure to have that conversation with them and get the terms in writing.
Similarly, if you act as a processor for other companies (that might be exactly what your business is), you will probably need to contact them and review the terms of your agreements, since the GDPR now places obligations on processors directly.
Data Protection And Security
Under the GDPR, security and data protection for your users and customers become paramount for your online business or site. The regulation calls this “data protection by design and by default“, and separately requires “appropriate technical and organisational measures” to keep personal data secure.
What does this mean? From a practical point of view, your tools, software, and website should be designed with data protection and security in mind: collect only what you need, keep it only as long as you need it, and protect it while you have it. Even if you just have a blog or an online shop, serving everything over HTTPS is the minimum: it keeps form submissions, logins and cookies from being read in transit, and if a breach does happen, having skipped such a basic measure counts against you when a penalty is decided.
With the new EU regulation, if your processing is “likely to result in a high risk to individuals”, you need to carry out a Data Protection Impact Assessment (DPIA). “High risk” is not precisely defined, but the regulation gives examples (systematic and extensive profiling, large-scale processing of sensitive data, systematic monitoring of public areas), and it’s commonly accepted that any data that could harm the user if leaked fits the description.
The result of this assessment is a document, the DPIA, which contains:
- a description of the data that’s being collected about the users
- how this data is managed
- how users can access, modify, limit future access or delete this data
- what are the possible threats that may cause a data breach of this data
- how your company, business or site will react when detecting such a breach
- measures to protect the information of your users, react to leaks or security intrusions, and channels to communicate them
This document should not be very hard to do for sole business owners.
The Data Protection Officer (DPO)
If your business carries out regular and systematic monitoring of people on a large scale, or processes sensitive (“special category”) personal data on a large scale, you need to appoint a DPO. The first scenario is not usually the case for sole business owners, but the second can happen if you are handling a significant volume of data such as:
- racial or ethnic origins
- political opinions, religious or philosophical beliefs, or trade-union membership
- genetic or biometric data for the purpose of uniquely identifying an individual
- data concerning health, sex life or sexual orientation
The DPO advises on and monitors the DPIA and the data protection strategy of your company or business, including breach containment measures and the policy for notifying data breaches, and acts as the contact point for the supervisory authority. Note that appointing a DPO does not move the responsibility: you, as the controller, remain liable for compliance.
What To Do In Case Of A Data Breach
According to article 33 of the GDPR, you need to notify a personal data breach to your supervisory authority no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the people affected; if it is likely to result in a high risk to them, article 34 also requires you to inform the affected individuals directly. If you have appointed a DPO, they are usually the one in charge of doing this. A “data breach” is not limited to digital information: a lost laptop or a misplaced paper file counts too, and so does data that was altered or made unavailable, not only data that was leaked.
This report should include:
- Description of the data breach, its scope, affected users, and type of data that was leaked
- The DPO -if you have appointed one- or contact person in charge of the communication with the authorities
- Consequences and possible damage to the affected parties
- Measures, both currently taken, and proposed, to deal with the data breach or mitigate its effects
- Measures to prevent similar breaches in the future
You may be wondering whether all of this really applies to you as a micropreneur or solopreneur. Even if I expect some flexibility towards small business owners in how the GDPR is enforced, the fines for not complying can reach, in the worst cases, 4% of your company’s annual worldwide turnover or €20 million, whichever is higher.
TO-DO List For GDPR Compliance
So, I think that just a small amount of work can save you from some headaches later. Here’s a GDPR compliance checklist for micropreneurs and solopreneurs:
- Understand what data you are collecting from your users, directly or by third parties
- [If you have employees or VAs that have access to the data]: have a GDPR meeting with them
- [If you are dealing with data likely to result in high risk for your users]: carry out a DPIA and write it up
- [If you are dealing with sensitive personal data on a large scale]: appoint a DPO
- Ensure you have valid, documented consent for everyone on your mailing list, newsletter or CRM
- Make sure other parties processing data on your behalf are fully compliant too
- Modify your website to reflect this new compliance with the GDPR:
  - Serve the whole site over HTTPS (get a TLS certificate and redirect HTTP to HTTPS)
  - Allow users to access their data, download it, modify it, or delete it
  - Address the third-party plugins and tools you use on your website (Google Analytics, MailChimp, support chats, etc.)
  - Adapt your comments and contact forms to request explicit, unambiguous consent, with the checkbox unchecked by default
  - Watch for non-compliant tools you are using and replace or disable them
Need Some Help?
I will write an article in the future on things to do to make your blog GDPR friendly, but if you want someone to make your website fully GDPR compliant, let me know.
Additionally, I worked in computer security for 7 years and can be the DPO for your small business, build a DPIA document or prepare the Data Protection Plan. If interested, just contact me.