GDPR for small business – where on earth do you start? Many small firms are worried about complying with European Union’s General Data Protection Regulation (GDPR). You might have seen the GDPR headlines, the frightening fines and all the consultants who have suddenly appeared offering to guide everyone through the European Union’s GDPR maze.
(Updated: August 1, 2020) With the cancellation of the Privacy Shield agreement, which protected EU companies when using U.S. based services, you need to essentially stop any non European services if you want to be fully compliant with GDPR.
When talking about the GDPR for small business, what are the perils and pitfalls when trying to comply with GDPR? We have you covered – answering most questions that small businesses who collect email addresses might need to address.
(Now, we’re not lawyers so we strongly advise you to also get legal advice for your own business to ensure your company and web site is GDPR-compliant.)
Checklist – staying GDPR-compliant collecting personal information with a quiz
We created this checklist to help demystify the GDPR for small business. The good news is that it’s fairly straightforward to collect personal information from quiz takers – you just need to be clear, transparent, and also choose the right quiz maker.
This is our blog – so we’ll mention how we comply, but you can also ask the same questions of any other quiz builder.
| Check | Riddle Setup |
|---|---|
| All data hosted in Europe | Riddle is hosting all data in a banking grade, secure data center in Frankfurt / Germany with backups in Luxembourg. Riddle operates its own server infrastructure and is not hosting on AWS or Google Cloud, which are not GDPR compliant after the cancellation of the Privacy Shield Agreement. |
| No Trackers | Riddle by default does not track users in the quiz embeds. We only store a necessary session cookie which does not hold any personal information. Be careful though when adding Youtube or Twitter content to Riddle. These services add their own trackers. |
| Lead Storage | Choose to store the data on the Riddle servers to be compliant. Riddle encrypts all lead form data and stores it in your personal area on its servers - only accessible by yourself. You have full control to also find individual emails and safely delete them if required. Optionally, use our webhook to send data to your own secure and compliant servers. |
| Notifications and opt-in | When storing data on Riddles servers, we add a notification with links to our privacy policy to the form. Leave this in place or optionally replace it with your own privacy notice. Also, always use our double-opt-in feature to only store data after getting express consent from end users |
| Permission to collect quiz data | When setting up the form, enable the checkbox to ask for the user's permission to store quiz data along with the form data. If you add this checkbox, we will only store quiz data after getting the user's consent. |
What changes have been caused by GDPR for small business?
The good news? There is not a huge amount of change. Personal data in Europe was previously protected by the EU 1995 Data Protection Directive. This is now being brought up to date to reflect the large increase in personal data that is collected and stored by companies.
To put this into perspective, email was only just starting to become popular in 1995. And MySpace (remember them?)… they didn’t arrive until 2004, before Facebook took over after 2008 to start running the world.
We already mentioned this above, but it deserves repeating. The US-EU Privacy Shield is no longer valid.
You should basically stop using any non-European online tools if you want to be complying fully with the EU’s GDPR. That means popular services like Google Analytics, Intercom, Amazon Web Services (AWS) – the list goes on.
(This is a HUGE ruling – and the impacts are going to be felt far and wide, well beyond the borders of the EU.
With all of this constant changing, online marketing has actually gone full circle to its roots back in 1995, where email marketing and newsletters took off. This was followed by a massive push to grow your social media presence on Facebook and other social networks. But with Facebook’s recent newsfeed algorithm changes, a Facebook page is only really useful if you pay to advertise it. And there you have it – small businesses are back to creating and maintaining the tried and true email subscription list.
GDPR for small business is critical – if you combine email marketing with the newest online lead generation tools.
GDPR – do I need to comply?
If you hold data about your customers – even something as basic an email list – you have to comply with GDPR. The same applies if you’re a start up, a charity or if you’re just doing something for a hobby.
The bottom line? If you have other people’s personal information, you should comply – just to be safe.
But my small business is not even in Europe!
The GDPR applies to any company worldwide – who is collecting data from people in the European Union. For example, if your American company has newsletter subscribers who live in Europe, you will need to comply to GDPR. It also applies if you store data in the European Union.
Will my small business be hit with a €20 million fine?
When talking about the GDPR for small business, the fines are certainly scary. The highest possible GDPR fines are €20 million or four per cent of a firm’s global revenue (whichever is greater). Definitely not something to be sneezed at!
Now sure, it is unlikely that a small business is going to be hit with GDPR fines of this order unless there is a very serious breach of data protection. But that’s no reason to take this lightly – ignoring it and hoping for the best will not be a valid excuse. So let’s take a look at what you need to do under the GDPR for small business to protect yourself and your customers.
GDPR for small business – how can I safely collect data in future?
A good first step to complying to GDPR is to check that your data gathering tools are right for the job.
Let’s start with the classic example – collecting email addresses for your sales newsletter. We’ve all experienced receiving a newsletter we never signed up for. Annoyed, you open it and scroll through the contents (only to find that 99% of the time, it’s not even relevant to you) to see who sent it. How did they find you? At the very end you notice a cheeky caption: “I’m sending this newsletter to you because we are connected on LinkedIn”.
In this GDPR for small business landscape, the blanket use of data is not acceptable. The user has to explicitly know when they are in the process of signing up to your newsletter. Signing them up merely because you’re connected on LinkedIn or in the same Facebook group will get you into trouble.
Sure, this is overall thought to be a good idea – but how do you grow your newsletter list quickly in this post-GPDR world?
GDPR for small business: growing your newsletter list with quizzes
You won’t be surprised to hear this – reading this article on a quiz maker’s blog site – but quizzes are a fantastic way for small businesses to grow their newsletter subscriber list. Whether it’s a pop quiz or a personality test, the user is personally invested in the answers they provide – which translates to excellent response rates. We have found that up to 35% of quiz takers will opt-in to further marketing communications about anything related to the quiz.
This isn’t being sneaky or brewing up another version of the Facebook and Cambridge Analytica scandal. It is just effective marketing. The key is to use a GDPR compliant quiz maker like, (you guessed it!) Riddle.
Be careful. Some (very famous) quiz maker sites collect personal data from their clients’ sites without permission – you can see our boss’ rant about this here.
But the bottom line? Riddle doesn’t gather specific personal information in quizzes unless the user choose to fill in an in-quiz lead form.
GDPR for small business – where is your quiz data stored?
A key component about the GDPR has to do with data storage.
With Riddle, the overall data from your quizzes (such as total responses) is stored in your own private web space on the Riddle site. This in turn is hosted on servers in Germany, so all the data is held in Europe. Most of the data you are collecting through our lead generation forms is also stored in your own private web space. This storage is GDPR-compliant.
If you decide to include a lead generation form so people can sign up to your newsletter, you’re moving from an anonymous quiz experience towards collecting personal information. And that’s okay – Riddle is built to comply with the GDPR for small business clients.
You can use Riddle’s drag/drop form builder to quickly build an in-quiz form, collecting information such as ‘Person A answered questions 1, 2, 3 for Quiz 11343 in this order’. This type of data needs to be stored outside of Riddle using a tool in a way that is GDPR-compliant, including:
- Google Documents: you can send all lead data from your quiz directly to your Google Spreadsheet. It never goes to Riddle’s servers, so you’re fully GDPR-compliant.
- DropBox: similar to Google, pipe all quiz data to your DropBox account so it never reaches Riddle – making your GDPR-compliance even easier.
- Zapier: Our quiz maker system easily connects to 1000+ of the main email marketing tools out there, from HubSpot to Active Campaign. Automate sending personalized emails – so each lead will get an email based on their quiz responses. The person signing up just needs to have clear information about what they are subscribing or agreeing to as set out in the GDPR guidelines.
- Riddle’s servers: if you don’t have a Google or DropBox account, you can save this information to Riddle’s servers. We include standard text for your lead form to tell your audience that Riddle will be storing their information (and why). This article on our GDPR-compliant quiz maker explains all the details.
Qualify leads safely with quizzes
You can easily use quizzes to qualify your sales leads. Imagine you have an online shop that sells hiking equipment. Step 1? Write a personality test along the lines of “What’s your hiking wanderlust style?” and create three personality types: Extreme Hiker; Fair Weather Hiker and Urban Hiker. Step 2? You can then send targeted emails to the different types – for better conversions and sales.
Your ‘Extreme Hiker’ is going to be interested in high-end equipment – to inspire them to try their next bold adventures.
The ‘Fair Weather Hiker’ is more likely to be interested in mid-range hiking equipment – based on comfort over advanced technical features.
The ‘Urban Hiker’ is more fashion-focused – wanting designer hiking boots or that killer jacket to meet up with friends at the bar.
Clever, right? Not a bad return from trying to conform to a new legislation! And all done with complying with the GDPR for small business – without compromising consumer data or tricking the customer.
GDPR tips about collecting email addresses
Any blog worth their salt these days will greet you with the inevitable pop up email sign up box. You’ll also see a strong call to action somewhere in the blog to sign up to a newsletter for a special deal.
For the GDPR, you need to ensure that consent is a clear and affirmative opt-in action such as:
“Enter your email address to sign up for our newsletter”
Now, in practice, people generally need an incentive to sign up, so it might read along the lines of:
“Enter your email address for your free ebook and to sign up for our newsletter”
That’s half of the process. The other step – you need to make clear to the user what you intend to do with their email address or information. This is usually done via a link to your privacy policy just below the sign up box.
GDPR for small businesses – issues to avoid
We’ve all been faced with confusing opt-in check boxes that require careful reading before we can work out if we are checking the box to accept the offer, or to decline it. (An infamous example? “If you do not not want to be receive messages from our partners, do not tick the box.” A head-scratching triple negative!)
The GDPR puts an end to confusing practices like these. You cannot bundle an option in with other services either, or use the data you have collected for anything other than a specifically identified purpose.
For example, you visit a site about mindfulness to give you some respite from the hassles of dealing with GDPR legislation. You decide to sign up for a daily message to help with your mindfulness. The sign up box says something along the lines of:
“Sign up here to receive our daily mindfulness blessing”
You are not signing up to receive special offers for mindfulness training from recommended third parties, because that is not mentioned in the email sign up text. If the mindfulness web site offers this service, they need to have a separate checkbox for this.
You’ll see this sort of thing when you are buying a product or service online. Most sites will want to add you to their promotional email list, and maybe their third party list.
To return to our hiking example, if you buy a pair of boots they will probably want you to sign up to their newsletter. This will have to be done on a separate check box. They cannot hide text stating that by purchasing the item you are signing up to their newsletter in the small print on their web site.
The GDPR also bans pre-ticked boxes for opt ins. You can’t ask a user to uncheck a box if they don’t want to receive information from you. The user must make a clear action to sign up for something, not to avoid receiving something.
Running A/B tests or tracking email open rates? You need to tell people.
Many savvy marketers know you can enhance the effectiveness of your email marketing campaign by tracking email opening rates – then sending different themed emails according to which messages the user previously opened. However, to conform to GDPR, you would need to tell your subscribers you are using these tactics and give them an option to opt out or unsubscribe.
Do I need double opt-in to conform to the GDPR for small business?
No.
Whew – now that’s an unexpected answer! While you need to be able to show that users have a clear and affirmative opt-in action, but you don’t need a double-opt in system to conform to GDPR.
Is double opt-in recommended?
We’re big fans.
After all, using a double opt-in system with clear, concise messaging means you will probably have most of the GDPR requirements covered. Double opt-in also lets you know the email address is current and the user is actively interested in hearing from you.
One final bonus? Your confirmation message is can be used as a marketing opportunity to bring the users back to the your web site.
What should I do when people choose to opt out?
All your communications must contain clear instructions and a simple way of stopping further messages from you. It must be as easy to unsubscribe as it was to subscribe so this will usually involve checking a box.
It’s worth stressing that if a customer asks to be removed from your system you need to do exactly that. You can’t ever keep their information in your system – even if you are no longer sending them your email newsletter.
Do I need to re-confirm my whole list for GDPR?
This depends on how you collected your email addresses in the first place. The good news is that there is no need to re-confirm your list if you can demonstrate that you used a clear, concise message about your service in your sign up process.
Not sure that all your sign ups were achieved this way? In that case, it would be wise to re-confirm your list.
As a side note, there is a difference in opinion of whether re-confirming is a beneficial activity in terms of removing dead wood from your email list. True, the process of re-confirming your list will lose you some subscribers. On the plus side, if you lose a lot of people who were not reading your newsletter anyway, you could end up paying lower monthly fees from your email marketing tool. The downside? You might lose some sales from long-lost subscribers who rarely read your messages but read your message down the road and end up buying something.
Pro tip: If you’re going to re-confirm your subscribers, we recommend doing it now while the big companies are doing it.
It shows your customers you take their rights seriously, and you will also end up with a concentrated list of active subscribers.
Can I sell my email list to other companies?
You can only sell or share your list to third parties if the customers have expressly agreed for their information to be used in this way.
Can I still send one-off sales emails to people?
Yes!
The GDPR doesn’t ban you from emailing people. Our hypothetical hiking company can email a customer after a sale to follow up with them. However, it has to be within a reasonable time frame and it has to focused on what they customer bought. You’re asking for trouble if it looks like a generic automated email.
The hiking company can also contact random potential customers. For example, the hiking company might read an article on the health benefits of hiking that has an email contact address for the author. The hiking company can email the author to comment on the article and tell them a bit about their business. They can even ask if she wants to receive their newsletter.
However, they cannot add her email address to their newsletter subscription just because they know she is interested in hiking!
What if they have given me their business card?
This is a common concern for owners seeking to navigate the GDPR for small business. In this case, you can contact them to follow up on your discussion and ask if they are interested in receiving your newsletter. Of course, you won’t be surprised to hear that you need a clear opt in message on your email.
Another no-no? You can’t go through business cards after a networking event and add everyone to your newsletter subscription.
One exception? You can set up a box for people to drop their business card into if they want to receive your newsletter or special offer. The bottom line – the information about this activity has to be… come on, you can guess it… clear and concise. You can’t ask for people’s business cards to enter them into a competition and then add their details to your database without telling them.
However, you can also add their details if they have given clear verbal consent. So in a business breakfast networking event, you can exchange business cards with the man opposite who has just dribbled egg on his tie – then ask him if he wants to be put on your business newsletter. If he says yes, you can add his name and email address to your system.
It would however, be smart to add a note in your database on when and where you met the person.
GDPR for small business – B2B and B2C communications
There is a subtle difference here that often overlaps.
For B2B (Business to business) communications, the emails should be directed at the person’s role in a business – not the specific person (for example, marketing@hikingforall.com).
It becomes B2C (Business to Consumer) if you know the name of the person involved and send it to their personal address at the company (christopher.walking@hikingforall.com). This is firmly covered by GDPR as you are contacting an individual.
There’s a funny joke going round that sums this up:
A: “Do you know a good GDPR consultant”
B: “Yes.”
A: “Great! Can you give me his email?”
B: “No.”
Will GDPR stop spam email?
Alas, no.
You will still receive emails (that hopefully caught by your spam folder) from beautiful women who have fallen in love with you even though they have never seen you, from people who are desperate to make you rich with Bitcoin, and all those other scams. This is because spammers don’t follow the rules anyway.
The good news is that you should receive fewer emails from legitimate organisations because of the need to expressly agree to receive sales emails etc. Now is a good time to clear out your own email inbox – and unsubscribe from companies you aren’t interested in any longer.
GDPR for small business – keeping and maintaining personal data
As we discussed earlier about using quizzes for lead generation, Riddle offers GDPR-compliant options for storing personal data. There are also lots of services like MailChimp that help you maintain your email address database.
For each software vendor you use, you need to be sure that they comply to GDPR. You also need to use them in a way that complies with GDPR. After all, you’re responsible for due diligence with your suppliers. These companies should tell you what they do and don’t do. As an example, here’s some information from MailChimp.
What is the difference between personal and sensitive personal data?
Personal data – anything that allows a living person to be directly or indirectly identified. This includes name, address, or IP address. Note: it also now includes data from a pseudonym if a person can be identified from it.
Sensitive personal data – sexual orientation, racial information, political beliefs, trade union membership and religious beliefs.
Does the personal data of European people need to stay in the EU?
Erm, yes and no.
Personal data leaving the EU has not been disallowed, but it does create some sticky issues that might happen in a number of unforeseen ways.For example, your data could be stored in an non-EU-based cloud service, or sent to a marketing service or employee outside of the EU. You might also need to re-look at what information you track using services like Google Analytics as data as simple as an IP address is now classed because personal data (even if you are not using it directly). This article on GDPR Compliance with Google Analytics give a good summary of steps to take.
If this is the case, the user must be informed before they opt-in that it may be transferred outside the EU. They also have to be given the chance to reject the transfer.
One other wrinkle? As the UK is in the process of leaving the EU, it is not yet clear whether their data policy will meet the EU policy after they leave. Theoretically, this will be announced when the UK actually leaves the EU on the 29th March 2019 – but this timelien might slip depending on the pace of Brexit negotiations.
Tell people what personal data you are storing – and delete it on request
This is another big change. If a consumer asks what data you have about them – you have 30 days to tell them. So not only do you have send them this information but you have to be able to find it!
This is not a trivial task – so be sure to check that your tech infrastructure allows this.
The same applies if they ask you to delete their data.
GDPR for small business – your data needs to be secure
There have been lots of high profile data breaches in recent years. You need to take steps to ensure the data you hold is as safe as possible from hacking or theft. If your data hasbeen breached, it must be reported to your country’s data protection regulator within 72 hours.
If your company has more than 250 employees, there needs to documentation giving descriptions of the information that is held by the company, why information is being collected and processed, how long the information is retained and the technical security issues in place to protect the information.
More information on GDPR for small business
The I.C.O. (Information Commissioner’s Office for the UK) Guide to GDPR