The GDPR is a complicated area for many, and most people we talk to feel overwhelmed. They are not sure what to do, in which order, or when it is good enough for their kind of business. They are often also worried about the price of getting help.
The first thing we recommend is to visit the website of your national data protection authority. Most of what you need to know about the GDPR can usually be found there.
You just have to dedicate time and be patient (if you are going to do this on your own). Unfortunately, many still struggle to understand exactly what to do, even after spending hours reading about the GDPR.
It is then easy to resort to Google searches and Facebook groups to get answers to your burning questions. Unfortunately, there is a lot of misinformation out there on the GDPR. Some of it is merely imprecise, but much of it is outright wrong.
People also often forget that the GDPR is not the only relevant law: you also have to know about and adhere to the applicable marketing laws. Read more below.
We have read research articles (written by actual research scientists) that lean on incorrect sources (e.g. referring to "gdpr-info.eu" as an official EU website), and listened to several podcasts with US attorneys who clearly have not read the actual law text.
It is therefore crucial that you rely only on credible sources when working with the GDPR in your business, and that whoever helps you does the same.
If you are going to get help with GDPR compliance, ask your provider to name the sources they rely on, and compare those to the sources stated below. They should match.
First and foremost, the actual law text can be found on EUR-Lex, the European Union's website for EU legislation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. There you can download a copy in English or in any of the 23 other official EU languages.
Next, we recommend bookmarking the EU’s website on data protection rules, which also contains several useful examples. And, finally, the website of the European Data Protection Board (EDPB), an independent European body which contributes to the consistent application of data protection rules throughout the EU, and promotes cooperation between the EU’s data protection authorities.
Several people refer to pages they believe are managed by the EU, such as the research scientists mentioned above. However, only pages under the "europa.eu" domain are official pages from the EU. The website gdpr-info.eu is an example of a site many believe is owned and operated by the EU, but it is in fact run by a privately owned consulting company.
For English-speaking readers, including those in the US, we recommend the website of the ICO, the UK's data protection authority. There you will find useful guides, tools, assessments and more, some specifically tailored for small businesses. If you understand Danish, Denmark's data protection authority has an informative website. They also regularly publish GDPR-related decisions and rulings that are worth being aware of.
Many of the questions we see in Facebook groups are related to marketing, e.g. newsletters, Facebook pixel, Google Analytics, "freebies" or opt-in material/campaigns and similar.
Remember, if you do any kind of marketing that involves the use (processing) of personal data, you also need to adhere to marketing laws, in addition to the GDPR.
Here you need to find out which laws apply to you. In Norway, for instance, we have the Marketing Control Act. The UK's ICO also has good information on this topic; read more here: The rules around business to business marketing, the GDPR and PECR
If I would like to send out newsletters (which, in Norway at least, is almost always considered marketing), I need to ensure that I obtain consents that are valid both from a marketing and from a GDPR perspective.
Some people think that "B2B" (business-to-business) marketing is exempt from the GDPR, because it is "business data" and not "personal data". This is wrong. As long as personal data is involved, such as the name or email address of someone you can identify, the GDPR applies.
This means that a company or business email address in the format firstname.lastname, or simply one containing initials, is considered personal data under the GDPR. The same is true under most marketing laws.
This means that, under the Norwegian rules at least, you cannot send marketing to such a person without first getting that person's consent. Check the marketing law that applies to you, as the exact rules for marketing to people at their work address differ between countries.
If you are completely new to the GDPR, our first (and strongest) recommendation is to learn the basics. You cannot outsource everything about privacy in your business.
You, as the business owner, need to have some basic knowledge, because it is you who will have to answer to the authorities after a breach, or in response to a complaint made about you and/or your business.
If you are pressed for time (as most of us are) and want to spend your time on your actual business (as most of us do), feel free to outsource the practical work of getting compliant.
This could include getting an overview of the processing of personal data in your business, where personal data is stored, whether the data is adequately secured, ensuring you only use GDPR-compliant processors, writing a GDPR-compliant privacy notice for your website, etc.
And, of course, when selecting a vendor, make sure that they know what they are doing. Cheap advice can quickly become expensive advice if you suddenly face fines for not being properly compliant.
PS: We, of course, rely only on credible GDPR sources in our work (along with the experience from close to 100 GDPR assignments so far).