Does GDPR Affect Small Businesses?

Cressida Johns


WHAT  a minefield!!!  As of tomorrow (25th May 2018) GDPR is fully in effect and companies big and small seem to be scrabbling around at the last minute to get ready for it!  But what is GDPR?  Does it REALLY matter to small business owners?

In answer to the first question – GDPR stands for General Data Protection Regulation. It’s the changes in the law that come into effect on 25/05/18 that mean that ALL companies, no matter their size, have to be much more responsible for how they collect, store and use the personal information of their clients or potential clients. Effectively, this is being done to make SPAM a thing of the past. Will it work? That remains to be seen.

“But I only run a hobby business, surely I don’t need to bother” I hear you say.  Unfortunately this new law applies to anyone and everyone who collects and holds data about others – and the fines for non-compliance are hefty.

What do the new laws mean for my small business?

Quite a bit, unfortunately. In a nutshell, it means that going forwards, whenever you collect someone’s name, date of birth, phone number, email address, postal address or anything else, you need to store it in a safe and secure place such as a spreadsheet or database that is backed up. You also need to ensure that while you are collecting this information (either verbally or by a form) you make the individual aware of what you are going to use the information for and get their explicit consent to use their information for that purpose.

For example…you run a dog grooming company.  When you have a new customer come to you, you have them fill out a form with their name, address, email address and telephone number as well as details about their pets.  The customer understands that they are giving you this information in case you should need to contact them for any reason such as to cancel an appointment.  You may have then used this information to email them a newsletter or promotion.  With the new law, you need to ensure your customer knows what you will use their information for AND gives their consent.  You are then ONLY allowed to use their information in the way they have consented.  So on your data collection form you need to expressly state that their contact details will be used to reach them to manage their appointments, and in case of an emergency whilst you are grooming their pet – but also that you may contact them by email, post or phone with news of the grooming parlour and occasional promotions.  There needs to be somewhere on the form that confirms that they give their consent.  This might be something for them to sign and/or boxes to tick.

You have to give them options on all the different ways that they may be contacted. So if you might contact them to send them marketing information by phone, email and post – there needs to be the option to choose some or all, or none of these. Assumptive consent is absolutely a thing of the past. It has to be explicit. If in the future you decide you want to use this individual’s details in another way that hasn’t previously been consented to – such as to refer them to a different groomer – or if you were selling your business – then you would need to gain additional consent.

How will I market my business or get new customers then?

First of all….please don’t panic about all this! It’s actually not as scary as it sounds. The new GDPR laws DO make allowances that still enable you to contact individuals and businesses that you haven’t spoken to before…BUT….the contact must be seen as relevant and reasonable. In fact, it’s worth bearing in mind that GDPR mainly relates to the personal information of individuals NOT businesses. Some examples for you:

Example 1

You supply window cleaning services and you want to approach local businesses. You’ve done your research and have put together a list of businesses with their addresses on your local high street. You want to send them a letter and/or leaflet or email about your services. As long as you follow the rules given below, this is entirely acceptable. If you have a list of customers made up of private citizens with their contact details and wanted to email them to let them know that you are going on holiday and their clean will be delayed – that is absolutely fine – you do not need consent for that. If you wanted to offer all those customers a promotion for your new conservatory cleaning services – this is still ok as long as you follow those rules.

Example 2

You own a garage that sells cars. A customer has previously purchased a car from you and it will soon need an MOT, service or the like. It would be entirely relevant to contact that individual to remind them that their car will soon need its MOT and to remind them of the services that you offer, and you would not need their consent to do that. But to contact them with other promotions or details of available cars WOULD require their consent.

GDPR Rules for Cold Marketing to private individuals or businesses

Cold marketing is a way of generating interest and alerting people about a product or service. Once the GDPR comes into force on May 25, 2018, cold marketing will still be permitted; but there are rules which need to be followed.

  • Think carefully about who you are sending the emails/letters to, as well as the relevance of the content. They must only be sent to people who could reasonably be assumed to find the content useful.
  • The topic of the email/letter must be clearly identified.
  • The email/letter should be personalised to conform to the recipient’s interests.
  • There must be an option provided to unsubscribe from future communications.
  • A genuine physical address of the sender must be included in the communication.
  • The sender must be able to be clearly identified.
  • An explanatory note explaining how, why, and what data was collected may be included in the interests of transparency.
  • You must not ‘spam’ them with irrelevant marketing communications in the future.

Clear as mud? Don’t beat yourself up if you are still floundering on this issue. It’s extremely confusing and has taken me a fair amount of time and reading to fully understand it. If you need any help at all on this, feel free to send me an email or give me a call (I promise not to use your details to send you marketing material without your consent 😉 ).
