What Does GDPR Mean for Your Small Business Marketing • sandstonecastles blog

The new General Data Protection Regulation (GDPR) has been in force in the UK since May 2018. It’s the biggest change to data privacy regulations in 20 years. And it can have a big impact on your small business – particularly on your marketing.

The changes the law introduced are quite complex. So here’s an overview of what the new regulations say and what you need to do in order to comply.

What is GDPR?

GDPR is a law which aims to protect the personal data of EU citizens. It ensures that businesses are using this data in a fair, safe and secure way. As a small business, this means that the way you collect, store, use and share personal data has changed.

GDPR applies to any business worldwide dealing with personal data of EU and UK citizens. That includes sole traders and small businesses like us, all the way up to huge corporations.

The law affects both online and offline data. And it applies to internal communications as well as customer-facing data collection.

There can be fines of up to €20 million (or 4% of the company’s global turnover) for non-compliance. So make sure your privacy & cookie policy is always up-to-date!

The six principles of GDPR

GDPR has six main principles at its heart. These define what personal data is and what responsibility small businesses have for their customers’ data. It also outlines how you can ensure compliance with the new legislation. Let’s have a look:

Lawfulness, Fairness and Transparency – You need to make customers aware of what their data will be used for. Ensure it is used only in the way you have described, and that it meets the requirements of the GDPR law.
Purpose Limitations – Personal data can only be obtained for specific and legitimate purposes. It cannot be used further without additional consent.
Data Minimisation – Only the minimum amount of data required for the specific purpose should be kept.
Accuracy – Data should be kept up to date, and any inaccurate data should be updated or deleted.
Storage Limitations – Data should only be kept for as long as it is needed, and anything no longer required should be deleted.
Integrity and Confidentiality – Personal data should be processed in a secure way that ensures it won’t be lost, destroyed, damaged or unlawfully used.

What does GDPR mean for your marketing?

Marketing is all about connecting with people and using their data to give them the information they want. So GDPR makes it really important to review your marketing and ensure it’s GDPR compliant.

Here are the four main areas where GDPR has an impact on your small business marketing:

1. Privacy policy

There’s no need to panic – collecting data is still absolutely fine. You just need to make sure you’re doing it properly and letting people know how and why you’re using their personal data.

Start by updating the privacy and cookie policy on your website. And then have a think about all the other ways you collect personal data in your small business.

Make sure you know where you collect what kind of data and what for and keep it safe. Take a note of what third-party systems you use to store personal data of your customers and employees.

Additionally, you need to define how long you’re going to keep the data after, for example, the last transaction with a customer. Put a routine in place to regularly clean up data in your small business and make sure it’s always up to date.

2. Double opt-in

Consent is a vital part of the GDPR guidelines. And it means that opt-out consent is no longer an option. When collecting customer data (e.g for your mailing list), people must opt-in and confirm that they give consent for you to store their data. This is known as double opt-in.

You must also be able to prove you have this consent and give customers the option to withdraw their consent at any time. Also, consent must be freely given. That means an exclusive content download cannot be dependent on someone consenting for you to have their email address anymore.

Chances are, you already have an email list full of customers. So ask yourself: Has everyone on the list consented using double opt-in? If you started collecting data a few years ago, probably not.

This means you’ll need to regain consent for all the people already on your list. Send out an email asking them to confirm their subscription. And make sure to let them know exactly what their data will be used for and to link to your privacy policy.

3. Access

You also need to make sure customers can easily access their data and remove consent if they wish. For example, this can be as simple as including an unsubscribe link at the bottom of emails.

Or you can add a section on your website which allows people to manage their email and cookie preferences.

You also need to be able to show any of your customers on request what data you have of them and what you use it for. So don’t forget to add your small business’s contact details to your privacy policy.

Customers have the option to request deletion of all their data from any company and you have to be able to comply within a short period of time. So make sure you always know what data you hold where at any given time.

4. Relevance

Don’t forget to have a think about what kind of data you really need to be collecting. In order to keep things simple for yourself, it’s good to collect the bare minimum of data you need. Sometimes a name and email address are all that’s required.

You have to be able to prove you need this data. So make sure it’s actually relevant to your small business. For example, if you’re an online shoe store knowing someone’s shoe size is relevant. If you’re a freelance web designer, not so much!

There are no fast rules in the new regulations which data you can keep and for how long. You simply need to be able to explain why you are storing the data in question. And you’ll better have a good reason for it.

GDPR resources

If you think it all sounds a bit complicated, I don’t blame you! There’s a lot to take in but as long as you’re prepared, the new GDPR rules should fit nicely into your small business marketing strategy.

Here are some great resources to help you understand GDPR even better:

Business Gateway’s Digital Boost GDPR for Business Guide – lots of information about what GDPR is and how it will affect businesses, plus a handy checklist to make sure you’re compliant
Claire Brotherton’s GDPR Guide on wpmudev – all you need to know about making your website GDPR compliant, including contact forms and third-party plugins
Purple’s GDPR Toolkit – free download with lots of information about GDPR, particularly relating to how it affects marketing
ICO’s Guide to GDPR – comprehensive guide from the UK’s data protection authority, including information about the steps you need to take now, and a checklist to make sure your business is compliant

Also, have a look for events and workshops in your local area which can help you understand GDPR further.

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_9DHW0L0MEL	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_25188708_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.