The 25 May 2018 deadline is fast approaching for GDPR and you’ll no doubt notice a frenzy of emails regarding this. Large organisations have their legal teams onto it but for small businesses like my own, it’s up to us as individuals to figure out compliance.
Zestee is 10 years old this year, and I run this as a small consultancy alongside a part time job. As a business owner, I still have certain responsibilities, such as understanding how to deal with accountants and tax (in the Netherlands where I am based) and submitting my BTW Tax return each quarter.
Dedicating time to learning about GDPR and what exactly I need to do has been on my “to do” list since I first read about it. I’m writing this blog post for both my own reference but also for any other small businesses who would like to educate themselves further. Overall, I think it’s a good thing that online privacy and security of our data is taken seriously. I’ve always made decisions at Zestee with this in mind so I don’t believe I will have to make any major changes, but perhaps a few small ones.
I would have thought that, as a new law relevant to all businesses in Europe and those who deal with Europe, there would be some kind of official information site, but I’m having trouble finding it. If you know of one, please share! Meanwhile, here is a dynamic list of resources I will continue to add to.
To be completely clear, I have no authority whatsoever to help or advise you and your business on GDPR; I am simply sharing my own resources and my journey of trying to comply with it, to help other small business owners.
Wikipedia is a handy starting point to learn about any topic. Here’s a quote from their introduction and link to their entry for further information:
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
It was adopted on 14 April 2016, and after a two-year transition period, becomes enforceable on 25 May 2018. The GDPR replaces the 1995 Data Protection Directive. Because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.
House of Tax online course
For compliance such as GDPR, or AVG as it is called in the Netherlands, the first port of call is often an accountant or bookkeeper. I’ve done a previous online course via House of Tax in Amsterdam, so when there was a post in the Amsterdam Business Mamas Facebook group about this course, I signed up. It’s called Protect Your Ass and there is both an English and a Dutch version. At time of writing, I haven’t yet watched the videos, but plan on doing so this week. I’m hoping that once completing this course, I will have sufficient information to take steps to become compliant.
Update: I have now completed this course and it was a useful walkthrough, tailored to small businesses in the Netherlands. A series of short videos gave all the main points, and I hope I now at least understand the basics of what I need to do and am working through these step by step. Part of the course included a Facebook group, so if you plan on purchasing this course, perhaps double check how long that will remain active.
I use Dropbox daily, both personally and professionally. I’m pleased to find that Dropbox not only has general GDPR information but an entire GDPR guidance centre: https://www.dropbox.com/security/GDPR
Google Drive & GDPR
I use several Google services, including Google Drive. It seems that these are now collectively called “Google Cloud”. So far, it’s bringing up the Dutch version when I search, no doubt as I’m based in the Netherlands:
UK English version: https://www.google.com/intl/uk/cloud/security/gdpr/
NL Dutch version: https://www.google.com/intl/nl/cloud/security/gdpr/
General GDPR info: https://gdpr-info.eu/
Someone shared this URL in an email about GDPR. It looks like an official website URL, but it seems to be run by Intersoft Consulting, whoever they are. That’s one of the biggest challenges right now – there is a flood of “advice” online, but whom to trust? Beyond that, I need to be able to understand the information clearly, and exactly which steps I need to take. This site seems to be a useful explanation of all the facets of the GDPR in English, with an option to switch to German (Deutsch). It states…
Welcome to gdpr-info.eu. Here you can find the official PDF of the Regulation (EU) 2016/679 (General Data Protection Regulation) as a neatly arranged website. All Articles of the GDPR are linked with suitable recitals. The European Data Protection Regulation will be applicable as of May 25th, 2018 in all member states to harmonize data privacy laws across Europe. If you find the page useful, feel free to support us by sharing the project. Source: https://gdpr-info.eu
Firstly, I don’t even know what “recitals” are! This looks like a site I would need to take some significant time to read through, with a notebook handy.
Update: I’ll leave this link here as it may be useful to someone – but I would now suggest instead consulting the ICO site below, which seems to have similar information but to be more “authoritative”.
ICO: Information Commissioner’s Office UK
A friend alerted me to the ICO, and it seems to be the closest kind of “official free information” site that I can find in English. The ICO is:
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
They have an extensive website here with a series of checklists and questions you can go through:
GDPR for various 3rd party software:
- Google Cloud: https://www.google.com/intl/uk/cloud/security/gdpr/
- Survey Monkey: https://www.surveymonkey.com/curiosity/surveymonkey-committed-to-gdpr-compliance/
My personal checklist
Here is a brief checklist of a few of the things I’m working through personally for compliance after checking the above resources. Again, I am far from an authority on this issue, so please do your own research and consult experts – however, I hope that by sharing this experience, as I have with other business challenges I’ve encountered, we can all learn about this as quickly as possible and get back to whatever we do best!
- Creating a GDPR Impact Analysis document, analysing and documenting what kind of personal data I collect from my clients, why, how it is processed, where it is stored and for how long
- Coming up with an action plan so I know whether and how to respond if personal data I keep on clients has been breached
- Reviewing/updating my terms and conditions both on my website and for clients I work with directly
- Creating a privacy statement and looking into whether to merge with my terms and conditions
- Checking that the cookie pop-up is working correctly, advising visitors to my website that it may set cookies during their visit – something that was already required in the EU, but this is a good reminder.
- Deleting any old data I have on clients that I no longer use
- Checking all of the privacy/GDPR statements for the 3rd party software I use (see above)
- Double checking the exact tax information I need to keep for 7 years
- Checking and deleting old email databases I no longer use (for example on e-newsletter software)
I hope that’s been helpful. Overall, this is a time-consuming process for a small business owner, but I recognise the value of European legislation that forces all organisations, no matter what size, to take online privacy and security seriously. I’ve always operated as transparently as possible and have never liked the “aggressive online marketing” techniques that some businesses use – and am glad to have a law that at least attempts to control this.
Do you have some helpful GDPR resources or experiences to share? Please share in a comment below or contact me.