What is GDPR and how will it affect small businesses?
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and represents an unprecedented shakeup in data protection laws across Europe and the UK. It has major ramifications for how businesses collect and store data, regardless of the outcome of Brexit.
The outcry over the revelation that Cambridge Analytica was exploiting the private data of Facebook users demonstrates that the world has become alert to the ways in which personal data can be used and abused. It marks a watershed after which data protection will no longer be taken lightly or be seen as a mere tick-box exercise.
What is the GDPR?
Although the GDPR contains an incredibly technical range of stipulations regarding how organisations and companies should approach data protection, it also has a fairly straightforward philosophy underpinning it. This philosophy can be summed up in two words: informed consent.
Data subjects can no longer be tricked into consent agreements smuggled into Ts & Cs, nor can consent be a condition for signing up to any service; they have to sign an explicit privacy notice that must be clearly and plainly stated.
Data subjects also need to fully understand the ways in which their data will be stored and processed, in accordance with this simple edict: if they don’t understand what you intend to do with their data, you aren’t allowed to do it. It’s as simple as that.
Will Brexit affect the GDPR?
In a word, no. Although the GDPR is EU legislation, two crucial factors need to be taken into account:
1. The GDPR’s stipulations apply to any company handling the data of EU citizens, regardless of where in the world that company is based.
2. The main plank of the GDPR has already been incorporated into the UK’s Data Protection Bill, which is soon to come into law.
How will the GDPR affect small businesses?
There’s some confusion as to exactly how the GDPR will affect small businesses.
There are lots of detailed requirements for organisations with over 250 staff (such as appointing a data protection officer and publishing the details of third-party data processors), but that doesn’t mean small businesses are off the hook.
If you only occasionally process personal data, you aren’t bound by the GDPR unless the data you handle is considered “sensitive personal data”, such as data about political views and religious beliefs, membership of trade unions, sexual orientation, race, and ethnic origin, as well as any biometric or genetic data.
So, if you regularly process personal data or collect any sensitive data you should comply with the GDPR.
As a small business, you don’t have to appoint a data protection officer or publish details of any data processors you work with, but you do still need to ensure that you gain informed consent from all data subjects and that they are aware of how you will use their data.
This consent also needs to be verifiable, so you must keep written records of when, where and how you gained it. If, for example, you use a data capture service like MailChimp, it will automatically generate reports that detail how people opted in to your database. It’s important that you speak to the relevant teams handling data in any capacity, either within or on behalf of your company. Make sure they are informed about the GDPR and are complying with their obligations. If not, heavy fines could result.
What does the GDPR mean for marketers?
Marketers will, of course, want to make sure they are GDPR compliant, as collecting and handling personal data is their lifeblood. From now on you will need to factor GDPR guidelines into your marketing strategies from the ground up. This is called “privacy by design”.
Opt-in consent
Speaking of opting in, all consent must be gained by positive, opt-in methods; you are not allowed to use pre-ticked opt-in boxes on a signup form, for example.
You need to inform data subjects:
how you will be using their data and who you’ll be sharing it with
how long you will store their data for
that they can request their data be deleted or amended at any time
that they can request their data be sent to them in a transferable format (“data portability”)
GDPR privacy notices
For small businesses, the linchpin of your data protection strategy will be your privacy notice. We’re all familiar with long-winded terms and conditions, and the fact that no one ever reads them. Facebook famously published a privacy policy longer than the US constitution. This is one of the major changes the GDPR aims to bring about: privacy notices must be as concise, clear and readable as possible, so that data subjects know exactly what their data is being used for and what their rights are.
The Information Commissioner’s Office (ICO) has a very handy PDF guide offering good and bad examples of privacy notices that is definitely worth taking a look at.
The ICO has a lot more information on how to get your business ready for the GDPR when it kicks in on 25 May, including a GDPR FAQ document and self-help checklist, as well as a helpline number for small businesses.