GDPR Update: Why Small Businesses Need to Comply

Since Europe’s GDPR mandate went into effect last May, businesses across the globe have been working to update their policies and inform their users of new privacy practices. However, according to the IAPP-EY Annual Privacy Governance Report, 56% of companies are still not compliant – and 19% say they will never be. For small businesses in particular, becoming GDPR compliant seems necessary to some and optional to others. I talked with Sydni Craig-Hart, CEO and Cofounder of Smart Simple Marketing, about how GDPR affected her digital marketing company, which both sells to small businesses and supplies to large companies. Though becoming compliant wasn’t a huge strain for her business, Craig-Hart still had a lot of great advice for other small business owners about the process for becoming compliant, and she explained why complying with the GDPR shouldn’t be viewed as optional for small businesses. 

What is GDPR?

The General Data Protection Regulation (GDPR) gives European citizens more control over their personal data and affords them more protections. It sets strict standards on how personal data can be collected, what can be done with it, and how businesses or other entities must protect it. For companies doing business in the European Union or marketing to EU consumers, the regulation meant updating lists, policies, forms, and more to become compliant and avoid fines.

GDPR is a factor in winning contracts with big companies

Smart Simple Marketing helps companies drive engagement and increase loyalty with women-owned, minority-owned, and small businesses. The company has worked with Google, Facebook, LinkedIn, and many other corporations, so Craig-Hart knows what it takes to contract with companies like these and what they often need from a small or mid-sized business when evaluating contracts. The GDPR has become a staple in the contracting process for such companies: When Craig-Hart’s firm was starting a new contract with LinkedIn, the process was held up by a missing GDPR document.

“They specifically called it out to make sure that if we did shift our plan and start collecting [EU data], we would be compliant,” Craig-Hart said. “I suspect we’ll be doing more work like this in the future, and we already have our own privacy policy and systems for how we handle and process data – I’m confident it will make it easier to address concerns with our larger technology clients.”

For businesses looking to get contracts with large companies, even if there are no plans to collect EU data, GDPR is most likely going to come up. Even for small businesses that may not be looking for contracts, it’s still valuable and wise to become compliant now, before a regulation like GDPR is passed in the United States. 

“Remember that while the mandate is from Europe, we’re going through the same issues in the US,” Craig-Hart said. “People are more concerned about how their data is being used, so it’s good to have these things in place anyway. I think it’s just good practice to have in today’s climate. You want to be viewed as reputable and respectable.”

Why small businesses should comply with GDPR

Preparedness is often crucial for small businesses. Whether it be preparing for funding, contracts, or slow seasons, not being prepared can set a small business back or in some cases shut it down. When it comes to things like the GDPR, it’s always better to be safe than sorry. No small business has the money to waste on fines for non-compliance, and setting yourself up for success now will prove worthwhile in the future, especially if a similar regulation comes to the US. 

“Think about where you want to be five or ten years from now,” Craig-Hart said. “Technology will keep shifting, and you’ll have to keep up with it. This won’t be the last big shift in how data is handled.”

What Smart Simple Marketing did to become compliant with the GDPR wasn’t a huge undertaking, mostly because, as her firm is a digital marketing company, Craig-Hart is used to change. However, the company did make sure to update its privacy policy and did a systematic review of its landing pages and opt-in forms to make sure they were compliant. In total, Craig-Hart estimates it took about 10 hours of work to become compliant, and the work is already paying off with its LinkedIn contract.

GDPR Compliance Checklist for Small Businesses

Becoming compliant will look different for every business, but Craig-Hart recommends every small business do at least the bare minimum:

  1. Do your own research. Read the mandate and understand what the policy is and what the impact is.
  2. Talk to your attorney or use a small business legal resource for advice. Explain what your business is, your model, how you serve your customers, how you collect information and how you use it. Ask how you can protect your customers and your business.
  3. Make sure you’re following email best practices. You shouldn’t be sending mass emails from Outlook or Gmail. Using an email marketing tool will help you keep track of who has opted in to your marketing and when. These tools aren’t expensive, and they keep you organized – and that's a protection for you.
  4. Make sure your privacy policy is up to date, and if you’re selling online or collecting emails, make sure opt-ins and sales pages are compliant.
  5. Be careful when buying email lists. Ideally, you should be building your own community of people who want to hear from you, who give you their contact information, and who want to stay in touch. If you do buy a list, make sure you’re buying from a reputable source that follows good data practices. You may also want to establish double opt-ins for added security.
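Items 3 and 5 of the checklist come down to one record-keeping habit: for every address you mail, be able to show who opted in, where, and when, and prefer a double opt-in so the person holding the mailbox actually confirmed. The Python below is an added illustration of that habit, not code from the original article or from Smart Simple Marketing; it keeps an in-memory consent ledger, issues an HMAC-signed confirmation token with an expiry, and records confirmation and withdrawal timestamps. The secret key, the 48-hour expiry, the hashed-IP field and the store itself are assumptions chosen for the example; a real deployment would use a persistent store and a key loaded from a secret manager.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Assumption for this example only: a hard-coded key. Load it from a secret store in practice.
SECRET_KEY = b"example-only-confirmation-key"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links stop working after 48 hours (assumed policy)


@dataclass
class ConsentRecord:
    """What we can later show for one address: origin, timestamps, and a minimised IP."""
    email: str
    source: str                         # which form or landing page collected the address
    requested_at: float                 # when the address was submitted
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None
    ip_hash: str = ""                   # truncated hash rather than the raw address


def hash_ip(ip: str) -> str:
    # Keep only a short digest so the ledger does not retain raw IPs.
    return hashlib.sha256(ip.encode()).hexdigest()[:16]


def make_token(email: str, issued_at: int) -> str:
    # Token = issue time + HMAC over (email, issue time); nothing secret is in the token itself.
    sig = hmac.new(SECRET_KEY, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{sig}"


def verify_token(email: str, token: str, now: float) -> bool:
    # Reject malformed, expired, future-dated, or forged tokens; compare in constant time.
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(SECRET_KEY, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


class ConsentLedger:
    """Double opt-in: an address is mailable only after its confirmation token is redeemed."""

    def __init__(self) -> None:
        self.pending: dict[str, ConsentRecord] = {}
        self.confirmed: dict[str, ConsentRecord] = {}
        self.withdrawn: dict[str, ConsentRecord] = {}

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def request_subscription(self, email: str, source: str, ip: str, now: float) -> str:
        """Step 1: form submission. Returns the token to embed in the confirmation email."""
        email = self._norm(email)
        self.pending[email] = ConsentRecord(email, source, now, ip_hash=hash_ip(ip))
        return make_token(email, int(now))

    def confirm(self, email: str, token: str, now: float) -> bool:
        """Step 2: the link in the confirmation email is clicked. One-shot per request."""
        email = self._norm(email)
        rec = self.pending.get(email)
        if rec is None or not verify_token(email, token, now):
            return False
        rec.confirmed_at = now
        self.confirmed[email] = rec
        del self.pending[email]
        return True

    def withdraw(self, email: str, now: float) -> bool:
        """Unsubscribe: keep the record, with the withdrawal time, so the history is auditable."""
        email = self._norm(email)
        rec = self.confirmed.pop(email, None)
        if rec is None:
            return False
        rec.withdrawn_at = now
        self.withdrawn[email] = rec
        return True

    def may_email(self, email: str) -> bool:
        return self._norm(email) in self.confirmed


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is reproducible.
    ledger, t0 = ConsentLedger(), 1_700_000_000.0
    tok = ledger.request_subscription("Alice@Example.com", "landing-page-a", "203.0.113.5", t0)
    print("mailable before confirm:", ledger.may_email("alice@example.com"))
    print("confirmed:", ledger.confirm("alice@example.com", tok, t0 + 60))
    print("mailable after confirm:", ledger.may_email("alice@example.com"))
```

The token carries no state of its own, so the only thing the server must keep is the pending record; the ledger moves a record from pending to confirmed to withdrawn rather than deleting it, which is what lets you answer "when did this person agree, and from which form?" later.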

“Small businesses tend not to think of themselves as a real company,” Craig-Hart said. “They think, ‘I’m small, I don’t have to worry about that,’ but they actually do. It’s a bigger issue than just a privacy policy; it’s ‘Am I running like a company?’ This is a responsibility you have as a business.”

Have questions? Learn more about the GDPR.