GDPR Checklist For Small Businesses
9 Steps to be GDPR Compliant
Welcome to my brain dump of all things GDPR – I’m a stickler for having all the i’s dotted and the t’s crossed. Recently I’ve been networking with lots of lovely small business owners in my local area and I often take their card and have a peek at the website. They look great, but my eye for detail notices that they mostly don’t have any privacy policy or cookie banner on their website. And these are just two parts of being GDPR compliant. I wanted to help my fellow small business owners by writing this all down to guide them in the right direction.
Before we deep dive into my 9 steps to being GDPR compliant, let’s look at what GDPR is. Yes I know it’s another acronym to add to all the others in our lives, but here we go.
What is GDPR?
So it stands for General Data Protection Regulation and came into force in May 2018. Its remit applies to any business whose customers and/or website users are in the EU. Following Brexit, the regulations were transferred to UK law, therefore they still apply. Being an EU-driven concept means that large global tech suppliers don’t offer GDPR-compliant websites and services by default. It’s likely that you’ll need to update settings or add features to achieve this. However, more and more US states and other countries are now putting similar regulations in place, so the good news is that this is becoming increasingly straightforward.
The overall concept of GDPR is that, as an individual, your personal information is protected by the businesses using it and you give consent to the type of data they may use. This starts with general contact information such as your name, address, phone, email and possibly payment details, and goes as far as the sensitive information a business or organisation may use to provide a service, like weight, height, age or medical details.
Another key point to bear in mind is that GDPR applies to individuals and not businesses, but the complication here is that an individual could be identified by details like their name in a business email address. Plus you’ve always got the dilemma of whether a mobile number given to you is their business or personal number. Therefore, it’s best to treat all data as if it applies to an individual.
As a business owner, complying with GDPR shows that you are taking responsibility for the security and confidentiality of data and respect your clients’ privacy.
So why do you need to bother with GDPR as a business owner? Well, the most important reason is that it is a legal requirement. The consequence of not putting GDPR best practice into place is that you could get fined 1.4% of your turnover.
There is one other important reason – people are way more knowledgeable about data protection these days. So being GDPR compliant also shows your clients that you care about their data.
So let’s get started with the list. There’s a lot to cover and to help you make notes, make decisions and tick things off, I’ve created a workbook. Plus it has lots of useful links to help you find specific actions on the most popular website platforms, like WordPress, Wix, Squarespace and Shopify.
Step 1: Review the data you hold on your customers.
Start by reviewing the data you hold on your customers.
What information do you hold?
Do you just hold basic contact information like names, email addresses and phone numbers, or does the nature of your business services mean you need to hold sensitive information? For example, if you’re a massage therapist you probably hold contact information as well as sensitive information like medical history.
Why do you hold this information? According to GDPR you should only retain the information you need to provide services to your client. Only keep the bare minimum. This means as a business service provider you may have your client’s contact details and address so that you can send formal invoices, but you wouldn’t need to have their date of birth. However, as a massage therapist, you would need to keep sensitive data about your clients’ health to comply with your industry regulations.
Download the workbook, to record this.
Step 2: Where is this data held?
You need to consider all the places you hold your clients’ data. Here are some examples:
- Written down in a notebook, locked away when you’re not using it.
- On your email system as contact information, e.g. Gmail, Google Contacts, iPhone
- On your email marketing / newsletter system. The most common providers are MailerLite, Mailchimp, ConvertKit, ActiveCampaign
- In spreadsheets or online documents where you have provided proposals, invoices, general communication letters
- Accounting systems and payment services where you send invoices from or process payments (like Xero, QuickBooks, Stripe)
- Ecommerce website – WooCommerce, Shopify
- Customer Relationship Management (CRM) system
- Training system like Thinkific, New Zenler, Kajabi, Thrivecart
- Graphic or image systems like Canva, which you may have used for proposals or invoices.
If at all possible, find out where in the world the data on these third party systems is held. Ideally it is in the UK. However it’s not always possible to control this, so it may be within the EU or further afield.
Download the workbook to prompt you – I’ve included many of the most popular systems used by small businesses.
Step 3. Security
Now that you have a list of where your client data is, you need to ensure that the client data is as secure as possible. So always make sure you are using strong passwords and activate 2-factor authentication if it’s available. Use passwords or PIN numbers for accessing devices like tablets, laptops and phones.
If you have a number of employees working in your business, everyone should have an individual user account with a password – you really shouldn’t be using shared accounts. Additionally, as a business owner you need to prove that only those employees who need access to fulfil their job have access to customer data. Using this process also has the benefit that if they leave, you can cancel the account so that they no longer have access.
Download the workbook, to record this.
Step 4. Register with the ICO (Information Commissioner’s Office)
The next step is to consider who is responsible for keeping the data safe. If you’re a sole trader, that’s easy – it’s you. However, if you have employees you may need to consider assigning a data controller role within your business. Another aspect of this is to make sure any freelancers comply with your data policy by having a data confidentiality clause in your contracts.
If you are based in the UK, you need to be registered with the ICO (Information Commissioner’s Office), regardless of whether you have a website or not. So what is the ICO? This is the organisation that sets the regulations regarding personal information in the UK and polices them – so they will investigate data breaches and serve fines. It sounds scary, but they are here to help. Their website is full of useful information and guides.
The ICO register is publicly searchable, so it’s important that you follow this step, because future clients may search it to check you are on it. It only costs £35 to £40 per year for a small business, which is a relatively small amount in the grand scheme of things.
If you aren’t in the UK, you can search for the data protection authority in your region and find out what they require in terms of registration.
Step 5. Create a privacy policy (notice)
Right, now that you’ve done the research and understand what data you hold, which systems it’s on and where they are, it’s time to create a privacy notice. These are sometimes referred to as privacy policies – the difference in naming convention is that policies are written by lawyers, and privacy notices are written by a non-legal person. However, the reality is that they are used interchangeably.
Ok, the privacy notice / policy is a document that describes what data you hold on clients and website visitors, what you do with it, why you have it and how long you keep it. Fortunately you don’t have to write it yourself from scratch – there are lots of templates if you search on the internet. Indeed the ICO has templates and guidance itself – they even have a privacy policy generation tool – see, I told you they aren’t that scary.
However you should bear in mind that this is a legal document. If you handle sensitive client data or data on children there are additional requirements. If you are a member of a professional body, they may have a template and guidance for you to follow. You may also want to get legal advice yourself.
The final part of this step is to add the privacy notice and links to your website. Usually this is a webpage called privacy-notice, with a link in the website footer (bottom of every page) and a link next to the email / newsletter sign-up section if you have one (see my one in the section to download the workbook as an example).
Download the workbook for more information and links on how to add this to your website on WordPress, Shopify, Wix or Squarespace.
Step 6. Does your website use cookies?
Now you need to work out if your website uses cookies. These are small files that websites leave on devices to help the website work better, capture data and indeed use for advertising purposes. If your website uses ecommerce or Google Analytics, it will almost certainly use cookies. Again, you don’t have to be a computer expert to work this out; there are lots of tools out there to scan your website. One of my favourites is the one by CookieYes, which doesn’t require you to add an email address, because some, ironically, do require you to share it.
Download the workbook, for the links for this.
Step 7. Website Cookie Banner
If your website does use cookies, you need to show a cookie banner on your website. Cookie banners have been around for much longer than GDPR (since around 2011, it turns out). Originally they were just a banner that told you the website uses cookies, and your only option was to click Yes or not use the website. However, in the last few years GDPR requirements have changed, meaning you have to tell the website user what type of cookies the site uses and give the user options to consent to or decline each type of cookie (unless it is essential).
Luckily no one is expecting you to code this yourself – there are a number of options to easily implement a cookie banner depending on your website platform.
For Wix and Shopify, there are settings you can enable for the cookie banner to appear – however these won’t be set by default.
For WordPress, there are a host of plugins to allow you to use cookie banners – my favourite is CookieYes – it has a free plan and you can change the colours to suit your branding. Other cookie banner providers are Cookiebot and Cookie Notice. If you already have a cookie banner enabled, make sure you have configured it to give your website visitors options on which cookie types to enable. Often this means you need to create an account with the cookie banner provider.
Download the workbook, for links on how to do this on WordPress, Shopify, Wix and Squarespace.
If you use Google Ads for your business, I have to tell you that this adds a whole load more requirements for the cookie banner. It will need to support consent management as well. I’ve noticed that the cookie banners that work with this often need the paid plans – you’ll need to follow the specific instructions to comply with this.
Step 8. Cookie Policy or Cookie Notice
The final part of the cookie / privacy policy notice jigsaw is that you need to create a cookie notice or policy. One reason I love CookieYes is that it can generate a cookie policy for you with all the techie details about each cookie. Otherwise how are you supposed to know that the Google Analytics cookies are called _ga and _gid?
You’ll need to create this as a web page and include a link in your privacy policy and your website footer.
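To make Steps 6 to 8 concrete, here is an added example (my own illustration, not code from the post or from CookieYes): it takes the Set-Cookie headers a page returns on its very first load, parses them, classifies each cookie using a small hypothetical lookup table (the _ga and _gid names are the Google Analytics ones mentioned above), flags any non-essential cookie that was set before the visitor had a chance to consent, and produces the rows a cookie notice needs. The header lines are constructed sample data, not captured from any real site.

```python
"""Offline cookie audit (added example, not from the post).

Works on the Set-Cookie header values a page sends on first load, so it can
be run against saved browser dev-tools output without any network access.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical lookup table of well-known cookie names -> (category, purpose).
# Extend this with whatever your own scan finds on your site.
KNOWN_COOKIES: Dict[str, Tuple[str, str]] = {
    "_ga": ("analytics", "Google Analytics: distinguishes visitors"),
    "_gid": ("analytics", "Google Analytics: distinguishes visitors (24h)"),
    "PHPSESSID": ("essential", "Keeps the visitor's session while browsing"),
    "cookieyes-consent": ("essential", "Stores the visitor's cookie choices"),
}


@dataclass
class Cookie:
    name: str
    category: str
    purpose: str
    duration: str  # human-readable lifetime, as a cookie notice states it


def _lifetime(attrs: Dict[str, Optional[str]]) -> str:
    """Turn Max-Age / Expires attributes into the wording a notice uses."""
    if attrs.get("max-age"):
        seconds = int(attrs["max-age"])
        if seconds >= 86400:
            days = seconds // 86400
            return f"{days} day{'s' if days != 1 else ''}"
        return f"{max(seconds // 3600, 1)} hours"
    if "expires" in attrs:
        return f"until {attrs['expires']}"
    return "session"  # no lifetime attribute: removed when the browser closes


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into a classified Cookie."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None  # flag attributes such as Secure, HttpOnly
    category, purpose = KNOWN_COOKIES.get(
        name, ("unclassified", "Purpose not yet documented")
    )
    return Cookie(name, category, purpose, _lifetime(attrs))


def audit(set_cookie_headers: List[str]) -> List[Cookie]:
    """Classify every cookie the page set."""
    return [parse_set_cookie(h) for h in set_cookie_headers]


def set_before_consent(cookies: List[Cookie]) -> List[str]:
    """Names of cookies that should not appear on a consent-less first load.

    Only 'essential' cookies may be set before the visitor chooses; anything
    else here means the banner is not actually gating that cookie type.
    """
    return [c.name for c in cookies if c.category != "essential"]


def notice_rows(cookies: List[Cookie]) -> List[Dict[str, str]]:
    """Rows for the cookie notice table: name, category, purpose, duration."""
    return [
        {"name": c.name, "category": c.category,
         "purpose": c.purpose, "duration": c.duration}
        for c in cookies
    ]


# Constructed sample: headers a page might return before any consent is given.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.111.222; Max-Age=63072000; Path=/; Domain=.example.com",
    "_gid=GA1.2.333.444; Max-Age=86400; Path=/; Domain=.example.com",
]

if __name__ == "__main__":
    found = audit(SAMPLE_HEADERS)
    for row in notice_rows(found):
        print(row)
    print("set before consent:", set_before_consent(found))
```

With the sample headers the two Google Analytics cookies are reported as set before consent, which is exactly the misconfiguration to look for once a banner is in place: a correctly configured banner would only let PHPSESSID through on the first load.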
Download the workbook, for links on how to do this.
Step 9. Managing Email Marketing Lists
Finally if you send out newsletters, you need to be aware that GDPR also applies to email marketing.
Subscribers must give consent to receive marketing emails (i.e. newsletters selling products or services) and they must have an easy way to unsubscribe. You also need to display your business name and a valid postal address.
As a small business this has a number of impacts for you.
Firstly, it’s a good idea to use email marketing systems like MailerLite, Mailchimp or ActiveCampaign, which have the unsubscribe option at the bottom of every email sent and have a process for people to sign up to marketing emails.
Next, it’s best to get your clients to sign up to your newsletter themselves. You can do this by having a sign up or opt-in box on your website – whether it’s at the bottom of the page in the footer or works as a pop up. You can also create a page just for email marketing sign ups. If you don’t have a website, most email marketing systems give you the option to create a landing page for sign ups.
The important point is that you can’t just add people to your email list without consent and you need to bear in mind that most email addresses contain personal data – so you also can’t ignore this rule, if you think you just have business information.
Bulk sending emails from a normal email account is not the right way to provide email marketing – mainly because it’s not easy for someone to unsubscribe from it. To add to this, a number of email providers like Google and Yahoo have put protections in place during 2024 to block emails that aren’t authenticated, or put them into spam. While you can authenticate that business email addresses belong to your domain, you can’t authenticate generic free email addresses that end in gmail.com or yahoo.com, for example.
Of course you are still allowed to send email to people – a few emails about specific items like a training course they’ve bought from you or following up on a meeting is fine, but you can’t send in bulk.
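The authentication point above is worth seeing in practice. The 2024 Google and Yahoo sender requirements rest on DNS records the sending domain publishes (SPF and DMARC TXT records, plus DKIM signing keys your mail provider gives you), which is why you can only authenticate addresses on a domain you control. The following is an added example of mine, not code from the post or from any of the providers named: it checks SPF and DMARC offline against constructed TXT answers for the hypothetical domains example.co.uk and weak.test (DKIM is not checked, as it needs the provider's key), and shows why a gmail.com From address can never pass this check from your side.

```python
"""Sender-domain authentication check (added example, not from the post).

Evaluates SPF and DMARC TXT records offline against constructed DNS answers.
Swap lookup_txt() for a real resolver call to run it against your own domain.
"""
from typing import Dict, List, Optional

# Constructed DNS TXT answers (hypothetical domains, not real lookups).
TXT_RECORDS: Dict[str, List[str]] = {
    "example.co.uk": [
        "v=spf1 include:_spf.example-mailer.test ~all",
        "some-site-verification=abc",          # unrelated TXT record, ignored
    ],
    "_dmarc.example.co.uk": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.co.uk",
    ],
    "weak.test": ["v=spf1 +all"],              # +all: any server may send
    # "_dmarc.weak.test" deliberately absent: no DMARC policy published
}


def lookup_txt(name: str, records: Dict[str, List[str]] = TXT_RECORDS) -> List[str]:
    """Return the TXT strings for a name (offline stand-in for a DNS query)."""
    return records.get(name.lower(), [])


def spf_verdict(domain: str, records: Dict[str, List[str]] = TXT_RECORDS) -> str:
    """Is there exactly one SPF record, and does it end in a restrictive 'all'?"""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid (more than one SPF record)"
    last = spf[0].split()[-1].lower()
    if last in ("+all", "all"):
        return "ineffective (+all allows any sender)"
    if last in ("-all", "~all"):
        return "ok"
    return "no all mechanism"


def dmarc_policy(domain: str, records: Dict[str, List[str]] = TXT_RECORDS) -> Optional[str]:
    """Return the DMARC 'p=' policy for the domain, or None if not published."""
    for record in lookup_txt(f"_dmarc.{domain}", records):
        tags = dict(
            tag.strip().split("=", 1) for tag in record.split(";") if "=" in tag
        )
        if tags.get("v", "").strip().upper() == "DMARC1":
            return tags.get("p", "").strip().lower() or None
    return None


def can_authenticate(from_address: str, own_domains: List[str],
                     records: Dict[str, List[str]] = TXT_RECORDS) -> Dict[str, str]:
    """Decide whether *you* can authenticate mail sent from this address.

    Authentication is tied to the From domain's DNS, so an address on a
    domain you do not control (gmail.com, yahoo.com) cannot be made to pass
    by anything you publish.
    """
    domain = from_address.rsplit("@", 1)[-1].lower()
    if domain not in [d.lower() for d in own_domains]:
        return {"domain": domain,
                "result": "cannot authenticate: you do not control this domain's DNS"}
    spf = spf_verdict(domain, records)
    policy = dmarc_policy(domain, records)
    ready = spf == "ok" and policy in ("none", "quarantine", "reject")
    return {"domain": domain, "spf": spf, "dmarc": policy or "missing",
            "result": "ready for bulk sending" if ready else "fix records before bulk sending"}


if __name__ == "__main__":
    for addr in ("hello@example.co.uk", "me@gmail.com", "news@weak.test"):
        print(addr, can_authenticate(addr, ["example.co.uk", "weak.test"]))
```

The weak.test case shows a subtler failure than a missing record: an SPF record ending in +all is present but protects nothing, and with no DMARC record the domain still does not meet the bulk-sender bar.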
Next Steps
I hope this has helped you on your journey to GDPR compliance – maybe you already have some of the steps in place and could tick those off straight away.
If you haven’t already, download my GDPR workbook to help gather your information together and get the direct links to take action.
While I’m not a lawyer and cannot advise on the content of your privacy policy, I am here to help, so if you need further help with updating cookie banners, adding privacy / cookie policies or linking your email marketing system to your website, you can book a one to one session.
Booking one to one assistance:
This is for you:
- If you have a website on one of the following platforms:
  - WordPress
  - Wix
  - Shopify
  - Squarespace
- You have access to make changes to your website
- Your website is up to date in terms of the latest version (for WordPress this applies to WordPress itself, the theme and the plugins)
- You know where your website is backed up and how to restore previous backups
- You have prepared the privacy notice / policy wording in advance of the call.
During the Zoom call you have the option of me talking you through making the change or giving me access to make the change.
If you need help, but are not sure about the above points, please email sarah.hobbs@flowgrowsocial.com with your contact details so we can arrange a call to discuss a plan to update your website as well as add the cookie banner, cookie policy and privacy policy.
© Sarah Hobbs T/A Flowgrowsocial 2024-2025 The information contained herein is provided for information purposes only; the contents are not intended to amount to advice and you should not rely on any of the contents herein. We disclaim, to the full extent permissible by law, all liability and responsibility arising from any reliance placed on any of the contents herein.