GDPR for small business – where on earth do you start?
Many small firms are worried about complying with the European Union’s General Data Protection Regulation (GDPR). You might have seen the GDPR headlines, the frightening fines, and all the high-paid consultants who have suddenly appeared offering to guide everyone through the European Union’s GDPR maze.
(Updated: August 1, 2020) With the cancellation of the Privacy Shield agreement, which protected EU companies when using U.S.-based services, you essentially need to stop using any non-European services if you want to be fully compliant with the GDPR as a small business.
A typical reaction might be to simply ignore the matter and risk being caught.
There are, however, severe fines and also most likely a lot of backlash with your customers if you are caught operating a non-GDPR-compliant service. Check out this list of businesses being fined up to 50 million euros for GDPR breaches.
Even if the cost of the GDPR fine doesn’t put you off, the work and cost involved in the process of:
- answering to the data protection authorities
- deploying fixes
- communicating with your customers and more
All of this could easily bankrupt your business.
The best way to avoid the risk? Select tools and service providers that are helping you to become GDPR-compliant versus going with a more inexpensive solution that leaves you vulnerable.
The definition of data processing
Data processing sounds like a pretty hazy term, right? Let’s get into specifics – especially relating to the GDPR for small business.
Business owners can think of it this way: everything you do that touches any of your customers’ personal data falls under data processing. This might include gathering, recording, or deleting personal data.
Personal data is more than you might initially think. It includes obvious information such as a person’s name, address, and email but even things like an IP address, account information, or bank details.
Data accountability and the DPA
A big push behind the GDPR was the idea of data accountability. If you are performing any action with any EU citizen’s personal data as a business, you have to comply with GDPR. Yup – that means even if you’re based in the United States or some other country, you are legally liable for how you handle your EU site visitors’ information.
The GDPR uses something called a data processing agreement – to formally define the relationship between the data processor and the data controller. For example, if you’re using Riddle’s quiz maker tools, you would be the data controller – and we would be the data processor [download Riddle’s data processing agreement (DPA) here].
It’s critical that you complete a DPA with any service that processes your data. For example, at Riddle, we have data processing agreements in place with all our software vendors – including payment, customer support, and so on.
Checklist – maintaining GDPR compliance when collecting emails and personal information with a quiz
Okay – we know most folks have a lot of questions around the GDPR for small business.
We created this handy checklist to help demystify the GDPR for small business. The good news is that it’s still fairly straightforward to collect personal information from quiz takers – you just need to be clear, transparent and choose a GDPR-compliant quiz maker.
Obligatory disclaimer: We’re definitely not lawyers. We strongly advise you to also get legal advice to ensure your company and website are GDPR-compliant.
Right – as this is Riddle’s blog, we’ll mention how we comply, but you can also ask the same questions of any other quiz builder.
- Be transparent – Always ask for consent and permission when collecting personal data with a checkbox saying ‘yes, I agree’.
- Riddle’s quiz maker form builder has all the tools to allow you to do that.
- Avoid cloud data storage, and store your data in the EU – Cloud data storage is tricky. Most companies like Google and AWS are US-owned.
- All of Riddle’s servers are 100% in the EU – based in Germany and Luxembourg.
- Use double-opt-in when collecting emails – DOI gives each lead the chance to confirm they want you to hold their data. Riddle offers that feature out of the box.
- Many CRM tools like MailChimp and Active Campaign have this feature as well – we highly recommend you turn this on.
- Easily find/delete personal data – A key requirement of the GDPR is the ‘right to be forgotten’. Any of your customers or leads can ask you to delete all of their personal data – it’s important that you store your data or use tools that make this easy to do.
- Riddle allows you to search for stored lead form data and delete all data associated with an email that you might have collected at some point in time.
- No trackers or cookies – Trackers and cookies are almost always bad in terms of GDPR for small business, because they collect personal data without permission.
- Use a tracker-free quiz builder (like Riddle) so no cookies or trackers are added to your website.
What changes have been caused by GDPR for small business?
Personal data in Europe was previously protected by the EU 1995 Data Protection Directive.
That directive has been going on 25 years now – that’s an eternity in internet time.
The GDPR was introduced to reflect the large increase in personal data that is collected and stored by companies.
To put this into perspective:
- Email was only just starting to become popular in 1995.
- And MySpace (remember them?)… they didn’t arrive until 2004.
- Facebook didn’t even start until 2008 – 12 short years ago.
We already mentioned this above, but it deserves repeating.
You should stop using any non-European online tools if you want to comply fully with the EU’s GDPR.
That means popular services like Google Analytics, Intercom, Amazon Web Services (AWS) – the list goes on. It’s a painful but smart decision in terms of looking at GDPR for small business.
(This invalidation of the EU/US Privacy Shield is a HUGE ruling – the impacts are going to be felt far and wide, well beyond the borders of the EU.)
Online marketing – back to the (email) basics
With all of these constant changes, online marketing has actually gone full circle to its roots back in 1995, where email marketing and newsletters first took off.
Sure, in the mid-2000s, there was a massive push to grow your social media presence on Facebook and other social networks. But marketers are turning back to the ol’ reliable email list.
Social networks keep changing their newsfeed algorithms, so it’s more and more difficult to reach an audience.
And there you have it – small firms are back to growing their tried and true email marketing lists. That’s where GDPR for small business comes in – you need to be safe, especially if you combine email marketing with the newest online lead generation tools like quizzes.
> GDPR collecting email addresses – do I need to comply?
If you hold data about your customers – even something as basic as an email list – you have to comply with GDPR. The same applies if you’re a start-up, a charity or if you’re just doing something for a hobby.
The bottom line? If you have other people’s personal information, you should comply – just to be safe.
> But my small business is not even in Europe!
The GDPR applies to any company worldwide that collects data from people in the European Union.
For example, if you’re an American company who has newsletter subscribers who live in Europe, you will need to comply with GDPR. It also applies if you store data in the European Union.
> Will my small business be hit with a €20 million fine?
When talking about the GDPR for small businesses, the fines are certainly scary. GDPR fines can reach up to €20 million or four percent of a firm’s global revenue (whichever is greater). Definitely not something to be sneezed at!
Now sure, it is unlikely that a small business is going to be hit with GDPR fines of this order unless there is a very serious breach of data protection.
But that’s no reason to take this lightly – ignoring it and hoping for the best will not be a valid excuse.
> How can I collect data in the future?
A good first step to complying with GDPR is to check that your data gathering tools are right for the job.
Let’s start with the classic ‘how not to do it’ example – collecting email addresses for your sales newsletter.
- We’ve all experienced receiving a newsletter we never signed up for.
- Annoyed, you open it and scroll through the contents (only to find that 99% of the time, it’s not even relevant to you) to see who sent it.
- How did they find you? At the very end, you notice a cheeky caption: “I’m sending this newsletter to you because we are connected on LinkedIn”.
In this GDPR for small business landscape, this blanket use of data is not acceptable. The user has to explicitly know they are signing up for your newsletter. Signing them up merely because you’re connected on LinkedIn or you’re in the same Facebook group will get you into trouble.
Check out this lead form from one of Riddle’s quizzes – with the clear opt-in checkbox for each lead:
Quizzes – safely supercharge your newsletter list
The good news? Quizzes are a super effective (and transparent) way to get people to opt-in to your email marketing list.
You won’t be surprised to hear this (reading this article on a quiz maker’s blog site after all) – but quizzes are a fantastic way for small businesses to grow their newsletter subscriber list.
Whether it’s a pop quiz or a personality test, the user is personally invested in the answers they provide – which translates to excellent response rates. Up to 35-40% of all quiz takers say ‘yes’ to getting more emails from you.
This isn’t being sneaky or brewing up another version of the Facebook and Cambridge Analytica scandal. It is just effective marketing. The key is to use a GDPR-compliant quiz maker like (you guessed it!) Riddle.
Be careful. Some (very famous) quiz maker sites collect personal data from their clients’ sites without permission – you can see our founder Boris’ rant about this here.
But the bottom line? Riddle doesn’t do that – we only gather specific personal information in quizzes if your quiz taker chooses to fill in an in-quiz lead form.
Where is your quiz data stored?
A key component of the GDPR has to do with data storage and who has access to your data.
With Riddle, the overall data from your quizzes (such as total responses) is stored in your own private webspace on the Riddle site. This in turn is hosted on servers in Germany in a banking-grade data center with backup servers in Luxembourg, so all the data is held in Europe. Most of the data you are collecting through our lead generation forms is also stored in your own private webspace. This storage is GDPR-compliant.
If you decide to include a lead generation form so people can sign up for your newsletter, you’re moving from an anonymous quiz experience towards collecting personal information. And that’s okay – Riddle is built to comply with the GDPR for small business clients.
You can use Riddle’s drag/drop form builder to quickly build an in-quiz lead form, collecting information such as ‘Person A answered questions 1, 2, 3 for Quiz 11343 in this order’. This type of data can safely be stored – either:
- On the Riddle servers (using our ‘Save to Riddle’ option) in your own private webspace, as Riddle encrypts all personally identifiable information
- Outside Riddle, using any GDPR-compliant tool, including MailChimp, AWeber, ActiveCampaign, Google Sheets or your own data warehouse via our webhook.
Qualify leads safely with quizzes
You can easily use quizzes to qualify your sales leads. Personality tests are excellent for this use case, in particular.
Imagine you have an online shop that sells hiking equipment.
- Write a personality test along the lines of “What’s your hiking wanderlust style?” and create three personality types: Extreme Hiker; Fair Weather Hiker and Urban Hiker.
- You can then send targeted emails to the different types – for better conversions and sales.
Let’s look at some possible result types – designed to segment your quiz takers so you can recommend the right products:
- Your ‘Extreme Hiker’ is going to be interested in high-end equipment – to inspire them to try their next bold adventures.
- The ‘Fair Weather Hiker’ is more likely to be interested in mid-range hiking equipment – based on comfort over advanced technical features.
- The ‘Urban Hiker’ is more fashion-focused – wanting designer hiking boots or that killer jacket to meet up with friends at the bar.
Not a bad return from trying to conform to new legislation! And this approach complies with GDPR for small business – without compromising consumer data or tricking the customer.
GDPR for small business – clear opt-in actions
Any blog worth its salt these days will greet you with the inevitable pop-up email sign-up box. You’ll also see a strong call to action somewhere in the blog to sign up for a newsletter for a special deal.
Step 1: (Very) clear opt-in language
Looking at the GDPR for small business, you need to ensure that consent is a clear and affirmative opt-in action such as:
- Good: “Enter your email address to sign up for our newsletter”
- Simple, clear, and to the point.
- Better: “Enter your email address for your free ebook and to sign up for our newsletter”
- Tell the user what they get (like an e-book) – in return for signing up.
Step 2: What will you do with each user’s information
Okay, that’s just half of the process. The other part?
- You need to make very clear to the user what you intend to do with their email address or information.
Riddle’s quiz maker lets you include a required checkbox for your terms and conditions – so each lead can give clear consent to your use of their quiz and personal data for things like sending out targeted emails based on their quiz responses.
Key issues to avoid
Be clear (very clear!) with your opt-in language.
Some sketchy companies try to confuse the user – so users think a no is actually a yes, or vice versa.
An infamous example? “If you do not want to not receive messages from our partners, do not tick the box.” (A head-scratching triple negative!)
The GDPR puts an end to confusing practices like these.
You cannot bundle the opt-in with other services either, or use the data you have collected for anything other than a specifically identified purpose.
For example, imagine you visit a site about mindfulness to take a break from the fun and joys of dealing with the GDPR for small business.
- You decide to sign up for a daily email message to help with your mindfulness.
- The signup box says something along the lines of: “Sign up here to receive our daily mindfulness blessing.”
- Note – this does not give the site the freedom to send special offers because that is not mentioned in the email sign up text.
- The mindfulness web site would need an extra checkbox for users to opt-in for these offers.
You’ll often see this sort of thing when you are buying a product or service online. Most sites will want to add you to their promotional email list and maybe their third party list (“get messages from our trusted partners”).
Coming back to our hiking personality test example:
- If you buy a pair of boots, the site will probably want you to also sign up for their newsletter.
- This will have to be done on a separate check box.
- They can’t hide sneaky text like “by purchasing the item, you are signing up for our newsletter” in the small print on their website.
Pre-ticked checkboxes and opt-out boxes – not allowed
The rule of thumb? The user must make a clear, conscious action to sign up for something, not to avoid receiving something.
- The GDPR bans pre-ticked boxes for opt-ins.
- You can’t ask a user to uncheck a box if they don’t want to receive information from you.
FAQ – common questions about GDPR for small business
Do I need to get opt-in to run A/B marketing tests?
Many savvy marketers know you can enhance the effectiveness of your email marketing campaign by tracking email opening rates – then sending different themed emails according to which messages the user previously opened.
However, to comply with the GDPR, you would need to tell your subscribers you are using these tactics and give them an option to opt-out or unsubscribe.
Do I need double opt-in to conform to the requirements of the GDPR for small businesses?
In our opinion, yes. Double opt-in is critical.
Riddle offers all the tools needed for double-opt-in, even when storing leads in a Google Sheet.
Is double opt-in recommended if I am not under the GDPR jurisdiction?
We’re big fans of DOI in all circumstances.
- After all, using a double opt-in system with clear, concise messaging will get you fewer, but higher-quality leads.
- Double opt-in also lets you know the email address is current and the user is actively interested in hearing from you.
- One final bonus? Your confirmation message can be used as a marketing opportunity to bring users back to your website – “Your opt-in is confirmed – check out these special offers.”
What should I do when people choose to opt-out?
All your communications must contain clear instructions and a simple way of stopping further messages from you.
Cheeky practices like burying the unsubscribe option deep in the account settings and requiring users to sign in to access it are illegal.
- Unsubscribing must be as easy as subscribing – this will usually involve checking a box or clicking a link.
- It’s worth emphasizing – if a customer asks to be removed from your system, you need to do exactly that within 30 days.
- You can’t ever keep their information in your system – even if you are no longer sending them your email newsletter.
Can I sell my GDPR compliant email list to other companies?
You can only sell or share your list with third parties if the customers have expressly agreed for their information to be used in this way.
But in general, we recommend staying away from this practice – you might ultimately be responsible for how the buyer is treating the data you collected.
Can I still send one-off sales emails to people?
Yes! The GDPR doesn’t ban you from emailing people.
Our hypothetical hiking company can email a customer after a sale to follow up with them. However, it has to be within a reasonable time frame and it has to be focused on what the customer bought. You’re asking for trouble if it looks like a generic automated email.
The hiking company can also contact random potential customers.
- For example, the hiking company might read an article on the health benefits of hiking that has an email contact address for the author.
- The hiking company can email the author to comment on the article and tell them a bit about their business.
- They can even ask if she wants to receive their newsletter.
- However, they cannot add her email address to their newsletter subscription just because they know she is interested in hiking!
What if they have given me their business card?
This is a common concern for company leaders, seeking to navigate the GDPR for small businesses. In this case, you can contact each person to follow up on your discussion and ask if they are interested in receiving your newsletter.
- Of course, you won’t be surprised to hear that you need a clear opt-in message on your email.
- Another no-no? You can’t go through business cards after a networking event and add everyone to your newsletter subscription.
You can set up a box for people to drop their business cards into if they want to receive your newsletter or special offer.
- The bottom line – the information about this activity has to be… come on, you can guess it… clear and concise.
- You can’t ask for people’s business cards to enter them into a competition and then add their details to your database without telling them.
However, you can also add their details if they have given clear verbal consent.
- At a business breakfast networking event, you can exchange business cards with the man opposite who has just dribbled egg on his tie.
- Then, ask him if he wants to be put on your business newsletter.
- If he says yes, you can add his name and email address to your system.
- It would, however, be smart to add a note in your database on when and where you met the person.
GDPR for small business – B2B and B2C communications
There is a subtle difference here that often overlaps.
- For B2B (business to business) communications, the emails should be directed at the person’s role in a business – not the specific person (for example, firstname.lastname@example.org).
- It becomes B2C (business to consumer) if you know the name of the person involved and send it to their personal address at the company (email@example.com).
- This is firmly covered by GDPR as you are contacting an individual.
There’s a funny joke going round that sums this up:
Will GDPR stop spam email?
You will still receive those oh-so-annoying emails (hopefully caught by your spam folder) from people who are desperate to make you rich with Bitcoin, and all those other scams. This is because spammers don’t follow the rules anyway.
The good news is that you should receive fewer emails from legitimate organizations. The GDPR for small business means they’ll need to get users to expressly agree to receive sales and other emails from them.
GDPR for small business – keeping and maintaining personal data
For each software vendor you use, you need to be sure that they comply with the GDPR – and that you use them in a legal way. After all, you’re responsible for due diligence with your suppliers. These companies should tell you what they do and don’t do.
As we discussed earlier about using quizzes for lead generation, Riddle’s quiz creator offers GDPR-compliant options for storing personal data.
There are also lots of services like MailChimp, ActiveCampaign, and so on to help you maintain your email database and comply with the GDPR and storing email addresses.
What is the difference between personal and sensitive personal data?
The GDPR places a clear distinction between these two types of protected information.
Personal data – anything that allows a living person to be directly or indirectly identified, including:
- IP address
- Note: it now includes data from a pseudonym if it can identify a person (e.g. Dave Smith’s username of “DaveSmith1971” would be personal data.)
Sensitive data – these categories are extra important, and need enhanced security:
- Sexual orientation
- Racial information
- Political beliefs
- Trade union membership
- Religious beliefs
GDPR compliance for small business – data location matters
Does the personal data of European people need to stay in the EU?
At this point of time (November 2020) the simple answer is yes.
With the cancellation of the Privacy Shield Agreement, there is no valid agreement between the EU and any other jurisdiction that would guarantee the safety of data stored outside the EU.
- Make sure data is stored in servers owned and operated by European providers.
- Storing on the EU cloud of a U.S. company used to be acceptable – but that is no longer the case.
Personal data leaving the EU has not been completely disallowed. However, it does create some sticky issues for the small business owner to worry about.
- For example, your data could be stored in a non-EU-based cloud service, or sent to a marketing service or employee outside of the EU.
- You also need to re-examine what information you track using services like Google Analytics – since even IP addresses are now classed as personal data (even if you are not using them directly).
This article on GDPR Compliance with Google Analytics gives a good summary of steps to take.
If you want to continue to send data outside the EU, the user must be informed before they opt-in that their info may be transferred outside the EU.
They also have to be given the chance to reject the transfer.
And (uh-oh) you are ultimately responsible to ensure that the non-EU provider is treating all data in line with the GDPR (for example, not sharing the data with their government).
One other wrinkle? As the UK is in the process of leaving the EU, it is not yet clear whether their data policy will meet the EU policy after they leave. Theoretically, this will be announced when the UK actually leaves the EU in 2021.
Our recommendation – keep things simple, and use EU-based services and data storage. It’s one less headache to worry about.
Tell people what personal data you are storing – and delete it on request
This is another big change. If a consumer asks what data you have about them – you have 30 days to tell them. So not only do you have to send them this information but you have to be able to find it!
This is not a trivial task – so be sure to check that your tech infrastructure allows this.
The same applies if they ask you to delete their data.
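As an added example (not Riddle’s code, and not from the original post), this Python sketch ties together the rules from the opt-in, double opt-in, opt-out and subject-access sections above: one unticked box per purpose with the exact wording and source recorded, a double opt-in token that must be confirmed before any mail goes out, an export of everything held about an address, and erasure of all of it on request. Class and field names, the 7-day confirmation window and the sample addresses are assumptions.

```python
"""Consent ledger sketch: unbundled per-purpose opt-in, double opt-in, subject
access and erasure. Added example, not Riddle's code; all names are assumptions."""
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Each purpose needs its own tick; one box may never cover both (no bundling).
PURPOSES = {"newsletter", "partner_offers"}
CONFIRM_WINDOW = timedelta(days=7)  # assumed: unconfirmed opt-ins lapse after a week


@dataclass
class Consent:
    email: str
    purpose: str
    wording: str                 # exact opt-in text the user saw
    source: str                  # where consent was gathered (quiz lead form, event)
    given_at: datetime
    confirmed_at: Optional[datetime] = None   # filled in by double opt-in


class ConsentLedger:
    def __init__(self) -> None:
        self.consents: List[Consent] = []
        # DOI token -> (email, purpose, issued at)
        self.pending: Dict[str, Tuple[str, str, datetime]] = {}
        self.quiz_answers: Dict[str, List[str]] = {}   # email -> answers held

    def opt_in(self, email: str, purpose: str, ticked: bool,
               wording: str, source: str, now: datetime) -> str:
        """Record a single-purpose opt-in. The box defaults to unticked, so only an
        explicit tick is an affirmative action; returns the DOI token to e-mail."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if not ticked:
            raise ValueError("no consent: the user did not tick the box")
        self.consents.append(Consent(email, purpose, wording, source, now))
        token = secrets.token_urlsafe(16)
        self.pending[token] = (email, purpose, now)
        return token

    def confirm(self, token: str, now: datetime) -> bool:
        """Second step of double opt-in: the user clicked the confirmation link.
        A token is single-use and lapses after CONFIRM_WINDOW."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        email, purpose, issued = entry
        if now - issued > CONFIRM_WINDOW:
            return False
        for c in self.consents:
            if c.email == email and c.purpose == purpose and c.confirmed_at is None:
                c.confirmed_at = now
                return True
        return False

    def can_email(self, email: str, purpose: str) -> bool:
        """Only a confirmed consent for exactly this purpose permits sending."""
        return any(c.email == email and c.purpose == purpose
                   and c.confirmed_at is not None for c in self.consents)

    def record_quiz_answers(self, email: str, answers: List[str]) -> None:
        self.quiz_answers.setdefault(email, []).extend(answers)

    def export(self, email: str) -> dict:
        """Subject access request: everything held about this address."""
        return {
            "consents": [asdict(c) for c in self.consents if c.email == email],
            "quiz_answers": list(self.quiz_answers.get(email, [])),
        }

    def erase(self, email: str) -> int:
        """Right to be forgotten: drop every record tied to the address.
        Returns how many records (consents, pending tokens, answers) were removed."""
        before = (len(self.consents) + len(self.pending)
                  + len(self.quiz_answers.get(email, [])))
        self.consents = [c for c in self.consents if c.email != email]
        self.pending = {t: v for t, v in self.pending.items() if v[0] != email}
        self.quiz_answers.pop(email, None)
        return before - (len(self.consents) + len(self.pending))
```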
GDPR for small business – your data needs to be secure
There have been lots of high-profile data breaches in recent years. You need to take steps to ensure the data you hold is as safe as possible from hacking or theft.
If your data has been breached, it must be reported to your country’s data protection regulator within 72 hours.
Does your company have more than 250 employees? You must have documentation giving:
- Descriptions of what information is held by the company
- Why it is being collected and processed
- How long the information is retained
- Security procedures in place to protect the information
Cookies and the GDPR for small business
Cookies are another area you’ll need to be concerned about regarding GDPR for small business. And not the yummy, delicious ones.
These serve a number of valuable purposes – for both users and small businesses, but because they track specific information about users, the GDPR pays a lot of attention to them.
You will need to give your audience the ability to opt-in (and out) of any non-required cookies – such as marketing or analytical ones.
Check out this sample opt-out pop up:
> Required cookies
These cookies are necessary so that you can navigate through the pages and use essential functions, so there is no need to let users opt-out.
> Analytical cookies
These cookies help website owners to better understand user behavior. For example, you can use analytical cookies to determine the number of individual visitors to a website or to collect other statistics regarding the operation of your products. Savvy sites analyse user behaviour on the basis of anonymous and pseudonymous information on how visitors interact with the website.
> Marketing cookies
These cookies and similar technologies are used to display personalized ads – and also measure the effectiveness of campaigns. The tricky bit – this tracking happens both on the site and on other advertising partners’ sites (third party providers). This is also known as re-targeting and it’s how your search behavior on, say, Amazon follows you around the web.
> Third party services (external media)
Often third-party providers are integrated into services that provide their services independently. When you visit a site with third party services, data is collected using cookies or similar technologies and transmitted to third parties.
The short answer is no. (Hurrah!)
We designed Riddle to be a completely GDPR-compliant quiz maker. So when you embed your riddle quiz in your site, we never ever place cookies or other trackers that might get you into trouble.
The only cookie we do add is called a ‘session cookie’ – it’s just a random number that ensures users can take a quiz, have their answers stored and results displayed. It contains no personally identifiable information and can never be traced back to a specific user.
(We’re used by folks like the BBC – who are passionate about protecting privacy. They regularly audit our site and are very comfortable with our privacy controls and cookie policies.)
More information on GDPR email compliance for small business
Whew – congratulations on getting to the end of this massive blog post. We hope you found it useful in navigating the GDPR for small business!
If we can ever answer any questions, please just ask us on our support chat or email (firstname.lastname@example.org/blog). Our founders will race our entire team to be first to respond – so we’re super quick to reply.
And signing off – here are some good links for additional information: