A data privacy revolution? Maybe.

In this article, we’ll look at:

  • The 2018 data privacy revolution: GDPR
  • Why all businesses need to have a plan
  • Some further resources for the details

Why does this affect me?

It’s easy to be a bit hypocritical about data privacy.

As individuals, we all object to the idea of our identity being stolen, our credit cards being cloned, or our information being abused for the purpose of spam texts, emails and phone calls.

But the same individuals – those of us who run a business that handles other people’s data – have a responsibility in this ‘bigger picture’, and it’s all too easy for that to get overlooked.

What’s that got to do with my website?

Well, everything and nothing, really.

I’m only using websites as an example, because that’s the business I’m in – but the principles extend to all areas of your business. Let me expand my example:

If you’re not very careful indeed, a small business website is a prime example of where the data privacy issues can arise.

Chances are that:

  • Your site uses an online contact form to enable customers to contact you;
  • You’re probably running Google Analytics to track visitors;
  • You might be promoting your business using social media, such as Facebook marketing;
  • You might be using shared web hosting from a 3rd party company such as Fasthosts, 1&1 or Godaddy;
  • You might be using a CMS like WordPress to power the site.

And there’s nothing the matter with any of that – except that all of the factors above come with data privacy issues that must be addressed. Perhaps more often than not, these things are not even on the radar.

And that’s a problem – because May 2018 sees the introduction of the EU’s General Data Protection Regulation, and it’s a bit of a gamechanger.

Data privacy ain’t sexy

People who start up their own businesses are entrepreneurs – they’re passionate about what they do, or at the very least they’re passionate about the lifestyle and work/life balance that self-employment or business ownership can bring.

But that alone is not enough.

When you start out small, you will often find yourself having to be the marketing person, the legal department, the tech guy, the HR rep – and often enough, what you’re really focused on it the product, or the service – and making sure your mortgage gets paid.

To my mind, this often means the planning of the less ‘sexy’ parts of running a business get overlooked. And believe me, data privacy ain’t sexy.

What this means for a lot of new startups and small businesses is a focus on ‘doing’ rather than ‘planning’.

Mañana, mañana. I’ll deal with it tomorrow.

It’s understandable, but it has its problems.

In particular, we end up with work processes that evolve as a result of what is convenient or cheap, as opposed to ones that are thought through in advance.

The end result? Information scattered across different spreadsheets or scribbled down on post-its. Data that you can’t find because it was on that old laptop that you’ve just upgraded. A USB stick that ‘was definitely on my desk last night’.

They’re just small examples, but they all red flags. They’re trying to tell you something – and that something is that you don’t have control over your data processes.

That is about to become a bigger issue.

If you run a business – however small – or you operate a website of any kind, and you only take one thing from this article, please let it be this:

2018 is a turning point in relation to data privacy in the EU (and that includes the UK, regardless of Brexit). You will have obligations. They may be simple, they may be more complex, depending on your business.

But in any event, you need to have a plan …

… even if that plan is simply to gain a broad understanding of your obligations and make a conscious decision about how you’re going to address them. Ignoring it will not make it go away.

Ok, so what’s changing?

We have, for many years, had laws and regulations in the UK concerning data privacy. They trickle down from EU rules, and in general terms, we think they fall into the category of ‘quite a good thing really’.

But the issue of data privacy has become, understandably, a real hot topic in recent years – mainly because of the sheer volume of high profile data breaches (where systems are hacked and thousands of customers have their personal data stolen and abused) and the associated rise in cyber crime.

As a result, new data privacy laws come into force across the European Union in 2018 that have a much more direct, and potentially onerous, effect on businesses in the UK. And don’t think that Brexit will save us – the rules will apply whether we’re in the EU or not.

In particular, I’m referring to the EU General Data Protection Regulations (GDPR) and ePrivacy Regulation. The GDPR is, technically, already in force – but will only become enforced in May 2018. The ePrivacy Regulation was due to come into force at the same time, but that is looking unlikely.

What does the GDPR mean for small businesses?

Ok, this is really top-level (and we’ll be going into more detail in later articles), but they key things to take away from this are:

  • Even for small businesses, this is worth taking seriously – mainly because the penalties for non-compliance are literally eye-watering. There is an awful lot of misunderstanding and misinformation doing the rounds at the moment – and while there are some very limited exceptions to businesses employing fewer than 250 staff, there is no general exemption for small businesses;
  • Becoming compliant isn’t necessarily difficult – but if you don’t understand your obligations, you don’t have a chance;
  • The GDPR applies to anybody who collects or processes personal data in any vaguely commercial or business context – and it applies to offline data (e.g. paper records) as well as online data;
  • The definitions of ‘personal data’ are so broad that it is safest to assume that you will be collecting/processing relevant data until you can confidently establish otherwise – if you’ve got a contact form on your website, you’re processing personal data;
  • It applies to any business that collects data relating to EU citizens – regardless of whether the business is based in the EU. So unless you know for a fact that nobody outside the UK will ever visit your business website, that’s why this affects the UK pre- and post-Brexit;
  • At the very least, your business will need a clear Privacy Policy that describes what personal data you collect and how you use it. And no, it is not good enough to copy someone else’s or get one of those automatically generated ones off the internet;
  • Customers whose data you hold now have much broader rights in relation to that data, so you need to have a plan for how you will deal with any requests for access to it. As was the case when Freedom of Information requests were introduced, it’s inevitable that some people will want to exercise their rights simply because they can.

Theory vs reality

One of the key issues with the existing data privacy laws, in my opinion, is that people have become very blasé about the whole thing.

Some business websites have privacy policies, many websites have those irritating ‘Cookies’ popups – but at the same time, most do not. Big businesses (with big budgets and big legal departments) tend to be pretty good at it, but we’ve probably got used to expecting less of smaller businesses.

And I, for one, don’t know of any small business that has been fined, or otherwise inconvenienced, by failing to meet the existing rules.

So why bother?

  1. It’s distinctly possible that the authorities will take a far tougher stance on this when the regulations are ‘harmonised’ across the EU. The maximum fines for non-compliance are €20million. Yep, you read it right.
    1. These changes to the law are likely to gain some significant attention in the media. So as soon as BBC Breakfast News starts telling viewers about their new rights, expect people to start exercising them;
  2. More than all of that, it’s the right thing to do. This forces us to think about how we are managing customer data, and falling into line with the regulations will generally encourage us to run better businesses.

That said, the GDPR regulations themselves are – like most EU documents – extremely dry, extremely long, and completely impenetrable in places. Some of the individual rules leave me thinking they cannot possibly mean that I have to do ‘x’, or surely that doesn’t apply to ‘y’.

And right now, we don’t have all the answers. So (in my opinion, this absolutely is NOT legal advice) the best we can do is start making plans to comply with the letter of the law where it is clear, and the spirit of the law where it is not.

Am I the only business that’s not prepared?

Absolutely not.

Because of the potential impact on my own business, and the businesses of my clients, I’ve been spending a lot of time researching the impact of GDPR. If I’m honest, it’s been keeping me awake some nights.

Why? Because despite the fact that we are a very short time away from the full application of the GDPR, it still feels that not enough people are talking about it. It doesn’t seem like there is a great deal of useful, practical guidance out there, and many of the regulations themselves seem ambiguous.

There is absolutely still time to get your business’s ducks in a row. And I believe that if you do that before May 2018, you will be far better prepared than the majority of small businesses out there.

We’ve created a series of articles that are intended to provide practical, actionable information for how to comply with the GDPR as a small business.

The guides provide some specific focus on small business websites and what changes might be required as a result of the GDPR, but the principles all apply more broadly than that.

For more information, see our next articles: ‘GDPR 101’ & ‘A Small Business GDPR Action Plan’