GDPR Checklist for Small Creative Businesses

Amy Caiger Brand, Content, Website Design



There has been so much surrounding GDPR that it can be confusing as to what you, as a small business, really have to do. I have answered some frequently asked questions before I start the GDPR checklist, which I hope will help make things a bit clearer.

What is GDPR? 

The General Data Protection Regulation, or GDPR, is a European privacy law which will come into effect on May 25, 2018. The GDPR regulates how individuals and organisations may collect, use, and retain personal data, which affects you as a small business owner.

In a nutshell, GDPR is all about your data, how you have obtained your data, what you keep, where you keep it and what you do with it. Thinking of only these things will make it much simpler to know what GDPR is and if you are doing the right thing.

The main thing about this new regulation is transparency: letting people know what data we have on them, how we got it, where we store it and what we do with it.

Does it actually affect me?

If you think GDPR doesn’t affect you as a small business, think again. If you hold any data on anyone, whether that is email addresses, phone numbers or even just a name, then you need to think about how you handle this data.

What constitutes data?

Anything that can identify a person - whether that is a name, email address, photograph, IP address or credit card information. Anything you hold on that person that identifies them in any way.

Where do you keep data?

Think of everywhere you may store a name, email address or IP address etc - these tools, apps and platforms will all have to be GDPR compliant too. (If you are currently not using any sort of email marketing system or CRM (Customer Relationship Management) database, I would recommend that you do - but that is for another time!)

These could be:
Email marketing systems e.g. MailChimp or MailerLite
Cloud based storage systems e.g. GDrive, One Drive, Dropbox
CRM systems e.g. Hubspot or Zoho
Accounting software e.g. Xero, Clearbooks or Pandle
Payment platforms e.g. Paypal or Stripe
Website hosting platform e.g. Squarespace, Wix, Go Daddy or 1to1
Analytics tools e.g. Google Analytics* or Hotjar*
Social Media e.g. Facebook for Facebook Ads*
Chat tools e.g. Zopim, Tidio

*You only need to comply at your end if this data is identifiable to you - in most cases with analytics tools or audience choice for Facebook ads, you are not actually given the exact data yourself and therefore cannot identify the individuals (e.g. you may know you have had 100 people look at your website, but you don’t know who they are). In this case you will need to make sure the third party is GDPR compliant, as they are storing/in charge of that data.

I am not quite ready yet, will I get fined?

I cannot say whether you will or won’t - I just don’t know, but realistically come May 26th you are not going to have the GDPR police knocking on your door. What could happen is that someone may complain about you if you are not compliant, and if you cannot prove that they lawfully signed up to receive your newsletters (for example via consent) under the new GDPR rules, then it starts to become a bit more of a pain for you, and you could find yourself in a bit of trouble! There is still plenty of time to make sure you are compliant by the deadline of 25 May.

So do I have to ask my whole email list to re-opt in?

Maybe. Consent is only one of the lawful bases for holding data. The reason we hear most about consent is that it is a lot easier to manage and prove going forward - and is actually just good practice.

You don’t need to get your subscribers to re-opt in if they 1) have already double opted in (although an email letting them know of your new updated privacy policy is a good idea), 2) are outside of the EU, or 3) are past customers - these could fall under ‘Legitimate interest’ (see next point). Here are some guidelines from the ICO about consent that may be helpful.

For past customers, the reason they do not necessarily need to opt in again is that they can be covered under Legitimate Interest. Unlike Consent, this one is a lot more open to interpretation and opinion - one person’s legitimate interest can be another one’s spamming - so it is always best to think of how you would want to receive email newsletters; if you would be happy to receive such emails (content and frequency), chances are others will be too. Here are some guidelines from the ICO about Legitimate Interest which may be helpful.

But chances are you will have to get your mailing list, or most of your mailing list, to re-opt in again. Don’t think of it as a bad thing - it is always good to have a bit of an admin spring clean. Yes, you may lose some subscribers, but if they are not interested in reading your emails or re-opting in then they are not your ideal client, and probably would never buy from you anyway. It is much better to have a smaller list where everyone is really engaged and loving what you do than a huge list where only 10% of people are opening your emails. As with everything, it is always quality over quantity.

My GDPR Checklist

Here is my GDPR checklist on the things you should be thinking about when it comes to becoming GDPR compliant as a small business owner.

1) Firstly grab yourself a cup of tea, or perhaps a glass of wine(!) and have a think about the journey of your data - in the beginning where do you receive it from, what happens to it once you receive it, where do you keep it, what do you do with it - this will make things much clearer in your head. Make a list/diagram so you can see your data journey and be clear about what happens at every stage.

2) Have you got a privacy policy on your website? You need to have one of these. This is a document that explains what data you keep, what you do with it, and where else it may appear (this is a new bit of the legislation), and this is where you need to explain where you keep your data. Don’t have a privacy policy? You can get a free template here.

3) Have you checked that all your data processors (email marketing systems, accountants, accounting software, CRM, website hosting system, etc.) are GDPR compliant too? The good news is that most of them are - MailChimp, MailerLite, Squarespace, Google Analytics etc. are, but do check with them. Also, just because they are doesn’t mean that you automatically are; you will still need to follow procedures too.

4) Make a list of all the tools and platforms you use which contain data and add them to your privacy policy along with a link to their privacy policies from their websites. You don’t need to refer to them as ‘third parties’, as that can sometimes be misunderstood - just clearly state who/what they are.

5) Think about your cookie data - this is anything you have on your website that tracks what people do on your site, this could be Google Analytics, a Facebook Pixel, or something like Hotjar - don’t forget to include this in your privacy policy and name the exact tools you are using to track.

6) Have you created positive opt-ins for your new sign-ups? Gone are the days of double-negative tick boxes, opt-outs or pre-ticked boxes. Now every subscriber to your mailing list (in whatever way they decided to sign up) needs to have opted in - just a sign-up button is not enough either.
You do this by:
a) Having a tick box. Someone has to tick to say they want to receive emails from you - you also need to state what will happen once they do. If someone signs up but doesn’t tick the box, then they are not added to your email list and you cannot email them.

b) Using a double opt-in, which means that once someone has signed up, they will then receive an automated email asking them to confirm that they do want to be added to your mailing list. They then click on an opt-in button in this email. If someone signs up but doesn’t opt in again via the email, then they are not added to your email list and you cannot email them.

*Remember to do this for all data capture forms, whether they are on your website, a landing page, or a pop-up on your site, so that they include the relevant information for the tick box or double opt-in.

7) Do you share data with third parties? If you share data with other businesses or organisations, this will have to be a separate opt-in - in which case you will have one tick box for receiving your content and another opt-in for allowing their data to be shared, so they can opt in for one and not the other should they wish to.
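To show what points 6 and 7 look like when a sign-up form is wired up, here is a small, constructed example (added here, not code from this post or from MailChimp/MailerLite): an unticked box stores nothing, an address only joins the list after the double opt-in token from the confirmation email is used, partner sharing is a separate consent that defaults to no, and each record keeps the wording, form and timestamps you would need to prove consent later. Class and field names are my own assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed illustration of a positive opt-in with double opt-in and a
# separate third-party sharing consent; names here are assumptions, not an ESP API.


@dataclass
class ConsentRecord:
    email: str
    share_with_partners: bool        # separate opt-in (point 7), never inferred
    form: str                        # which form collected it, e.g. "footer signup"
    statement: str                   # the exact wording shown next to the tick box
    created: str                     # when the box was ticked (UTC, ISO 8601)
    confirmed: Optional[str] = None  # when the double opt-in link was used


class MailingList:
    def __init__(self):
        self.pending = {}   # confirmation token -> ConsentRecord
        self.members = {}   # email -> ConsentRecord (confirmed records only)

    def signup(self, email, newsletter_ticked, share_ticked, form, statement):
        """Point 6a: no tick, no record, no email. Returns the token to put in the confirmation link, or None."""
        if not newsletter_ticked:
            return None
        rec = ConsentRecord(email, bool(share_ticked), form, statement, _now())
        token = secrets.token_urlsafe(32)   # unguessable and single-use
        self.pending[token] = rec
        return token

    def confirm(self, token):
        """Point 6b: only a valid, unused token moves the address onto the list."""
        rec = self.pending.pop(token, None)
        if rec is None:
            return False
        rec.confirmed = _now()
        self.members[rec.email] = rec
        return True

    def can_email(self, email):
        return email in self.members

    def can_share(self, email):
        rec = self.members.get(email)
        return rec is not None and rec.share_with_partners


def _now():
    return datetime.now(timezone.utc).isoformat()
```

Whatever system you actually use, the same three checks apply: nothing is stored without the tick, nothing is mailed before confirmation, and sharing is never assumed from the newsletter consent.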

8) Are you explaining what someone will receive if they sign up? This is where transparency comes into play. You cannot simply say ‘click here to receive my newsletter’ - elaborate, with something like “I’d also like to receive further value-added emails about this subject together with details about your goods and services” or “By ticking here, I agree that I would also like to receive your follow-up emails about goods and services that I might be interested in”. This also relates to your lead magnets (freebie downloads) - these will now have to state that the subscriber will be going on your general mailing list and what they will receive.

9) Mention your privacy policy at the point of sign-up - don’t assume someone will have looked on your website - the changes to the law are all about upping the transparency, so doing this is good practice.

10) Email your current mailing list to ask them to re-opt in. If you use MailChimp or MailerLite, they both have a template ready that you can use (I am sure other email marketing systems will do the same too). Both templates have an opt-in and an opt-out button, so if you are creating your own make sure you have this option too, not just an opt-in button. Having the choice of yes or no means that you are giving your subscribers a decision, and that decision is normally a positive one (i.e. they re-opt in), whereas if you give an option to opt in or do nothing, people don’t like making decisions so they will prefer to do nothing. Once they have clicked on these buttons from the templates, MailChimp or MailerLite will automatically move them into a GDPR compliant list - so you don’t have to, which is very handy. N.B. If people do nothing they are still considered not to have opted in and will have to be removed from your list.

11) You don’t need to send this re-opt-in email only once! You can email as many times as you want (obviously within reason - you don’t want to harass your poor email subscribers) until May 25th. If you haven’t emailed your mailing list much recently, try to send a few emails showing your current subscribers your wonderful content and what they will get from you should they stay; they are then more likely to stay on your list than after a random email out of the blue.

12) In your re-opt-in email (point 10) state what they will be opting in for - this helps with being transparent, but it can also encourage them to stay as they can see what they would be missing out on. Remember to also state this in your double opt-in email or opt-in tick box for brand new subscribers.

13) Make sure someone can unsubscribe easily from your emails - it is the law to have an unsubscribe link in all your emails - if you use an email marketing system this is normally included automatically, but do check.

14) Finally, is your data encrypted? If you store data in spreadsheets or Word documents, make sure that if anyone came across them they wouldn’t be able to read them - for example if your computer or phone were stolen, or a file was copied to a USB stick, the data should only be readable with a password or device encryption key you control.

Handy GDPR Resources

I hope that helps and makes things clearer about what you need to do as a small business - if you still have any questions about GDPR then do comment below and I will see if I can help :)



This blog post reflects the steps that I am taking based on my current understanding of the GDPR. It represents my interpretation of guidance made available by the Information Commissioner’s Office (ICO). Following the information in this blog post alone will not guarantee your compliance and you are strongly advised to do your own research into GDPR and what it means for your individual circumstances.


About Me

I'm a Brand and Marketing Strategist with over 12 years of experience. My mission is to help biz owners connect with their ideal customers through the power of brand, content and website design.