Is Your Small Business GDPR Ready?


Hmm... GDPR? What is that?

The General Data Protection Regulation (GDPR) is a new law that regulates how businesses collect, use and process the personal data of EU citizens. Even if your business is located outside of the EU, you are affected if you have EU customers who give you personal data, such as a name and email address.

GDPR comes into effect on May 25, 2018.

Many small business owners are quite confused as to what they need to do. Much of the GDPR language is aimed at large corporations, but don't be fooled - even if you are a single-person business you need to comply.

Some of the GDPR highlights:

  • Explicit Consent
    You will need to get explicit consent from your customer to collect and use their data. This could mean updated wording at the data collection point and/or a double opt-in.

  • Use and Transfer of Data
    You need to make it very clear to your EU customers how you are going to use their data. For instance, if you are transferring their data to a 3rd party (e.g. Mailchimp), you need to get their permission for this.

  • Data Processing Agreement (DPA)
    It is highly recommended to sign a Data Processing Agreement (DPA) with any 3rd party data processors you are working with. In my case this would be Squarespace, Stripe, PayPal, Mailchimp and 17hats. I already did this for Mailchimp and have requested DPAs from the others by writing to their customer support.

  • Privacy Policy
    Update your Privacy Policy to include specific info on how you are collecting, using and processing your clients' data and how you comply with the GDPR.

  • Data Access
    If your customers ask, you must make the information you hold about them easily available to them, and delete it if they request that.

  • Non-Compliance
    Non-compliance can result in very high fines, up to EUR 20 million! This is clearly aimed at large businesses, but even as a small business you can get fined. Now how this would be enforced for non-EU businesses I don't know. And I don't worry about this too much, either. The main point of the GDPR is to protect private citizen data and there are already a lot of measures in place for this (like the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks); the GDPR just takes it up a notch.

  • Anyone Can Report You for Perceived Non-Compliance
    Regardless of whether someone is the victim of your alleged non-compliance or just a bystander (for instance a competitor!), apparently anyone can report you if they think that you are not compliant.

What about Squarespace?

They are working on it as we speak! A few points I am aware of:

  1. Consent at Check-Out
    If you sell products through Squarespace, there is an option at check-out where your customer can subscribe to your newsletter. You can currently turn this option on so that it is already checked by default, and the customer has to uncheck it again when they check out. A pre-checked box will no longer be considered valid consent under GDPR. Until I know what Squarespace is doing about this, I will turn this option off.

  2. Consent at Data Collection Point
    Newsletter forms and general forms have room for the appropriate consent wording, and I will update these as soon as I figure out what exactly to say. Hopefully Squarespace will offer some guidance here, too, and I know that Mailchimp is already working on this, so I will be watching out for that as well.

  3. Data Processing Agreement
    Squarespace does have a European Economic Area Data Processing Addendum, which you can find here. They are still working on all of this with regards to GDPR specifically, and I will update this post accordingly as and when new information comes out.

What to Do Next?

Ideally I just want an expert to look at my business and tell me what to do!

However, it is actually illegal to hire someone to do this FOR you, but you can hire an expert to advise you on what to do where. This is why larger companies now have to hire a dedicated Data Protection Officer. As for my own small business, I would just appreciate some hand-holding through the process! After much deliberation I will probably go with this service:

Marbral Advisory: GDPR E-Learning

At this point I must give a big shout-out to Jo Buchanan, who is the Head of Communications at Marbral Advisory and who has been most helpful and informative on this subject in the Squarespace Circle Forum. I've requested a quote from Marbral and hopefully this is an affordable service, so I can just implement what's needed and then get on with my life! :)

P.S. Just in case you're wondering about the photo, that's the city's main courthouse in my hometown Cologne in Germany :)

Disclaimer: I am NOT a legal expert and this post does not constitute legal advice.
