GDPR For Small Businesses With Websites & Email Lists

April 18, 2018


So the EU are passing a new General Data Protection Regulation law (yes, we’re still in the EU) and now we’ve got to add some work to our never-ending load. And to add salt to the wound, we have to do it before the 25th of May.

Even trying to work this out myself has been quite a challenge. I sat down with articles, webinars and podcasts whilst making a bible-full of notes. Here’s what sense I’ve made from it all.

The first thing that struck me is that anyone with a website definitely has to make some changes. If you own a website, then you automatically collect every visitor's data through analytics. Website owners need to write up an entirely new GDPR-compliant privacy policy and feature it on the website. The policy will need to state a number of things, including:

  • How you process people's personal data (where you store it, how you collect it, etc.)
  • Why you process it
  • The legal terms
  • Who you share this data with (this could be apps that you use)
  • The period you keep the information for
  • The existence of people's rights over their data
  • The right to opt out
  • The right to complain
  • How you keep the data secure

For those with an email list, include in the privacy policy details of how you handle data for that list as well. Then, rather than writing two policies, you can send the same one to your email list.

The annoying part is, you will have to email your entire list for fresh consent too. If they don't give you consent for product updates or marketing emails (and you don't have that consent on record), then you won't be complying with the new laws. I'm sorry to break it to you, but you're going to have to say goodbye to a lot of your list. Although some loss is unavoidable, you can limit the damage by sending a number of engaging emails before asking for consent. This way, you encourage your subscribers to stay with you by reminding them how enjoyable your emails are.

New subscribers will now have to opt in when they sign up. If you're with MailChimp, they have a great new GDPR feature and have written a post on how to set the opt-in system up.

If there has been a breach of the data, and someone has accessed your list and data without your consent, you must notify the ICO within 72 hours. This could even include someone stealing your Rolodex.

I think the best practice here is to be completely upfront with the people you take personal data from. Always explain why you’re taking their email, name or IP address and always create great content and emails that are worth giving away their information for.

I’m not a complete expert but I’ve checked how it works for my business. If you have any questions just tweet me @Mandy_morello and I’d be happy to chat. For further reading have a look through the GDPR official website.