Many are talking about it – and no one seems to know exactly what it is all about: the EU General Data Protection Regulation (GDPR) is causing uncertainty inside and outside the European Union. Read on and learn how the GDPR affects you as a small business, start-up or self-employed person – and what you need to do about it.
The good news first: in terms of its content, the new law is not that new. What is new are, above all, the sanctions for not taking it seriously. The bad news? **If you’re like the majority of small businesses, you probably need to take action. Now.** But let’s start from the beginning.
Data privacy taken seriously
“The protection of natural persons in relation to the processing of personal data is a fundamental right.”
Thus begins the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which entered into force in 2016 and (after two corrigenda) has been applicable since 25 May 2018. A good thing from the consumer’s point of view – because we all regain control of our data. For entrepreneurs, however, personal data provides access to valuable marketing insights and effective personalized promotions; it may even be part of your company’s success. Do you have to do without it altogether? The answer is very clear: Yes and No.
Personal data and their use in accordance with the GDPR
GDPR is a good thing from the consumer’s point of view: we all regain control of our data. (Photo by gpointstudio | stock.adobe.com)
Of course, collecting personal data is not prohibited in the future – but it is only permitted if your EU customers (and in this case this includes every single visitor to your website) are fully informed about what you are doing with this data. What is stored, where, and for how long? If you use this information for marketing purposes, you must obtain active consent from your users. And if you want to send out a marketing newsletter, the addressees must have verifiably consented to this use. How to do that? Read on.
How to become GDPR compliant
Basically, the GDPR applies to companies inside the EU and, under Article 3, to companies outside the EU (in Switzerland, for example) that offer goods or services to people in the EU or monitor their behaviour – and thus to a very large part of the digital economy. From sole traders to large corporations, commercial or non-profit, whether a visitor to your website buys something or not: as soon as your website tracks or markets to visitors from the European Union, the GDPR takes effect.
Step 1: Data Privacy Check
As soon as someone visits your website from the European Union, the GDPR takes effect. (Photo by Redpixel | stock.adobe.com)
“First, I recommend conducting a data privacy check: Which data processing takes place in the company, how and by whom data is stored”, advises Paul-Lukas Good, expert for data protection at Good & Partner Rechtsanwälte in Switzerland. Do you store address data locally on your computer in an Excel file, do you use a Rolodex for your customer addresses or do you work from the cloud? Go through your company’s processes step by step and note which data is collected and where it is stored.
Step 2: Inform your “data subject”
“Then it is important to disclose the data processing – in the privacy policy on a website or in an app, or by adding relevant clauses to contracts on paper”, Paul-Lukas Good continues. According to Article 13 of the GDPR, it is your duty to provide information “where personal data are collected from the data subject”. Among other things, you need to state the following points:
- The identity and the contact details of the controller and, where applicable, of the controller’s representative
- Purposes and legal basis of the processing of personal data
- Where appropriate, the recipients or categories of recipients of personal data
- The period for which you will store the personal data; if this is not possible, the criteria for determining this period
In addition, you must inform data subjects of their rights and be able to honour them at all times: the rights of access, rectification, erasure and restriction of processing of their personal data. Not an easy task – especially if you work with third-party plug-ins.
Step 3: Check your cookies, plugins & tools
“Even with Facebook’s Like button, you have to ask yourself whether data processing will still be permitted,” warns Good, “because this is in fact a direct line from your website to Facebook.” Under the same Article 13, you would have to explain exactly what Facebook does with the data of the users who click the button – and as long as you do not receive this information from Facebook, you cannot fully comply with the new regulations. Tools such as Google Analytics offer settings to restrict and anonymize the data they collect (IP anonymization, for example) – “although it remains questionable how anonymized these data actually are,” says Good.
As long as you do not receive enough information from third party providers, you cannot fully comply with the regulations. (Photo by Matthew Henry | Unsplash)
In most cases, data traces are recorded in the form of cookies – and then a cookie consent banner is required. A tool like Cookie Bot shows how it is ideally done: a detailed explanation that lets the user deselect data collection for preferences and statistics – and actively opt in to use for marketing purposes, because for marketing only the opt-in principle applies. Technically, this means the marketing scripts must not be loaded, and their cookies must not be set, until that box has been ticked. Whether someone will tick it, and what this means for the future of personalized marketing, remains to be seen.
Step 4: Create a Double-Opt-In Newsletter
The collection of data is one thing; its use for marketing purposes is another. Whether you may use an e-mail address from your database for sending a marketing newsletter depends on whether you have verifiably obtained the user’s consent. “Double opt-in” means that after signing up for the newsletter, the user receives a confirmation link at that e-mail address and is only added to the list once they click it; keep a record of when and from where both steps happened, because that record is your proof of consent. This applies not only to new registrations but, unless you can already prove consent for them, to your entire existing mailing list – and, unfortunately, there’s no getting around it.
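The double opt-in flow described above, as an added example that is not zistemo’s code or part of the original article. It assumes an in-memory store (a real deployment would use a database and an e-mail sender), a hypothetical confirmation endpoint at `https://example.com/newsletter/confirm`, and a 48-hour validity for the link; all three are assumptions. Only a hash of the confirmation token is stored, a link works exactly once, and the sign-up and confirmation timestamps and source addresses are kept as consent evidence. Sample addresses and IPs are constructed.

```python
"""Double opt-in for a newsletter list with a consent audit trail.

Added example, not zistemo's own code. Store, URL and TTL are assumptions.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 h
CONFIRM_URL = "https://example.com/newsletter/confirm?token="  # hypothetical endpoint


@dataclass
class Subscription:
    email: str
    signup_time: float
    signup_ip: str
    token_hash: str                 # only SHA-256(token) is stored; a DB leak gives no usable link
    token_expires: float
    confirmed_time: Optional[float] = None
    confirmed_ip: Optional[str] = None

    @property
    def confirmed(self) -> bool:
        return self.confirmed_time is not None


class DoubleOptIn:
    def __init__(self):
        self._by_hash = {}    # token hash -> pending Subscription
        self._by_email = {}   # normalized e-mail -> Subscription

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def start_signup(self, email: str, source_ip: str, now: Optional[float] = None):
        """First opt-in: record the request and return the link to e-mail to the address."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        existing = self._by_email.get(email)
        if existing is not None and existing.confirmed:
            return None                       # already on the list; do not mail another link
        if existing is not None:
            self._by_hash.pop(existing.token_hash, None)   # a new sign-up supersedes the old link
        token = secrets.token_urlsafe(32)     # 256 random bits, unguessable
        sub = Subscription(email, now, source_ip, self._hash(token), now + TOKEN_TTL_SECONDS)
        self._by_hash[sub.token_hash] = sub
        self._by_email[email] = sub
        return CONFIRM_URL + token

    def confirm(self, token: str, source_ip: str, now: Optional[float] = None):
        """Second opt-in: the only path that puts an address on the mailing list."""
        now = time.time() if now is None else now
        sub = self._by_hash.pop(self._hash(token), None)   # pop: a link works exactly once
        if sub is None:
            return None                       # unknown, reused or superseded token
        if now > sub.token_expires:
            self._by_email.pop(sub.email, None)            # expired: drop the pending record
            return None
        sub.confirmed_time = now
        sub.confirmed_ip = source_ip
        return sub

    def may_send_marketing(self, email: str) -> bool:
        """Consult this before every send; unconfirmed addresses never receive marketing."""
        sub = self._by_email.get(email.strip().lower())
        return sub is not None and sub.confirmed

    def consent_evidence(self, email: str):
        """What you would show a supervisory authority on request."""
        sub = self._by_email.get(email.strip().lower())
        if sub is None or not sub.confirmed:
            return None
        return {
            "email": sub.email,
            "signup_time": sub.signup_time,
            "signup_ip": sub.signup_ip,
            "confirmed_time": sub.confirmed_time,
            "confirmed_ip": sub.confirmed_ip,
        }


if __name__ == "__main__":
    # Constructed walkthrough: sign-up, confirmation, then a replayed link.
    flow = DoubleOptIn()
    link = flow.start_signup("Alice@Example.com", "203.0.113.5")
    print("would e-mail:", link)
    token = link[len(CONFIRM_URL):]
    print("before confirm:", flow.may_send_marketing("alice@example.com"))
    flow.confirm(token, "203.0.113.5")
    print("after confirm:", flow.may_send_marketing("alice@example.com"))
    print("replay accepted:", flow.confirm(token, "203.0.113.5") is not None)
    print("evidence:", flow.consent_evidence("alice@example.com"))
```

Because `may_send_marketing` is the only gate the sending job consults, importing an old list without confirmation cannot put anyone on the marketing list by accident: every address has to pass through `confirm`, and the resulting record is what proves consent later.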
GDPR outside the EU
With digital businesses working all over the globe, the GDPR will have worldwide consequences. As a zistemo user, for example, you store your customers’ billing information on your zistemo account in our cloud – which in fact is located on secure servers in Switzerland. The best way to find out what this means for you is to visit our very own privacy center. “The exciting thing about GDPR is the interface between law and technology: it is not enough to create legally perfect general terms and conditions – technical implementation must be guaranteed,” concludes Good.
We at zistemo believe in protecting our users’ data, and have done so from the beginning. That’s why you’ll always be in control of your data – and benefit from the advantages of a comprehensive cloud application.
Wait, what? You’re not a zistemo user yet? Try us out! Free of charge and without any obligations. And yes: we are fully GDPR-compliant.
zistemo