Does the GDPR affect your online business?

On 25th May 2018, the European Union’s General Data Protection Regulation (GDPR) will come into effect. It’s a wide-ranging privacy law, and comes with maximum fines for non-compliance of up to €20 million or 4% of annual turnover.

The new legislation is primarily aimed at keeping big businesses in check, reigning in their ability to collect data on millions of people without their consent. It’s also about giving power back to consumers.

But if you’re a small business, don’t just assume you won’t be affected – even if you’re not based in the EU. While it’s true that European countries will be most impacted, the GDPR covers any company that collects personal information about citizens of EU countries.

So, even businesses and freelance consultants in North America could be affected if they collect certain kinds of information.

Say you live in Canada but provide life mentoring services to clients around the world, including customers in Ireland. If you were to record any of those conversations with your Irish clients, or even take notes about them, you may well be affected by the law.

What Does The GDPR Cover?

If you collect personal data on EU citizens, you need to take some extra steps when it comes to the way you manage that information. ‘Personal data’ can mean a lot of things:

  • Name, address, date of birth
  • Gender, sexual orientation, religion, ethnicity
  • Email address
  • IP address
  • Geolocation
  • More here

Many small businesses might be collecting more of this data than they are aware of. All the information you receive from your customers that you write down or otherwise record – their bank details, information about their jobs or partners, their name and email – all count as personal data.

The regulation takes a softer approach to small businesses, so you’re less likely to be scrutinized. All the same, your business will be affected if:

  • You regularly process personal data
  • Fail to report a data breach where personal data was stolen or exploited within 72 hours of the breach
  • You omit to provide information to customers about what you will do with their data
  • Refuse to hand over data you hold on a customer when they request to see it (a ‘subject access request’)
  • Refuse to delete data you hold on a client when asked to (AKA the ‘right to be forgotten’)

How you can get GDPR-ready

Here are some simple steps small businesses can take to become GDPR-ready:

  • Review how you store client information – make sure it’s in a secure, password-protected environment like Dropbox, Google Drive, SharePoint, or even a folder on your computer
  • Write up a policy document which you share with clients explaining what you do with their data. There are many GDPR-ready templates available online to download
  • Share a similar document with your employees
  • Delete any data you hold on customers that you don’t really need

Being GDPR compliant will involve a little work now, but will improve customer trust in the long run, and will also give you confidence that you’re not in violation of any laws.

Previous ArticleNext Article
Len is a tech and business writer who covers small business and startup advice and has appeared in many print and digital publications. He lives in London, UK, where he's also a sub editor on a national newspaper. He loves to travel and has lived in France, Spain, Senegal and Rwanda.

Which regulations affect your small business?

Running a small business and trading online? You might not think national and international laws and regulations are something that apply to your situation. Regulations seems like something for big companies – and anyhow, who’s going to care about your small business anyway? Quite a few people, in fact. In this article we will take a brief look into small business regulations.

Small Business Regulations

Just because you’re small, don’t assume you’re not affected by legislation. You’re less likely to be under the media spotlight if things go wrong, but failing to comply with laws could result in serious penalties that could derail your business.

Every country has its own small business regulations, and online entrepreneurs trading in the European Union, for instance, tend to have to deal with more rules than their North American counterparts. That said, it’s only a question of degree – most countries regulate small online businesses in the ways we look at below:

Payment Card Industry Compliance

Whenever you take payments for your products or services over the internet, you need to ensure that you are compliant with international Payment Card Industry (PCI) standards. If you use any of the traditional online transfer payment methods, such as SWIFT, STRIPE or even PayPal, you’ll likely be covered. But, make sure you use an accredited and well known service.

Customer Data Protection

Most countries have various different laws covering customer privacy. At a minimum, it’s expected that:

  • You don’t collect any more data than is strictly necessary
  • Customers are made aware when you collect data about them
  • Data is protected in a secure, password-protected environment

You should also know that, as of May 2018, the European Union’s General Data Protection Regulation will be coming into effect, which requires businesses to go even further when protecting customer information. If you collect any kind of confidential information about your customers, you should prepare yourself for this law. Be aware that the GDPR has enormous fines for non-compliance.


If you’re selling any kind of advice over the internet, it’s sensible, and in many countries obligatory, to be covered by professional liability or errors and omissions insurance. If you give advice which is shown to have caused a damage to your client – such as them losing money or making a poor decision – this kind of insurance protects you.

Industry-Specific Certificates

If you’re offering medical advice over the internet, you should have a medical certificate. The same goes for other professions such as engineering, law or accountancy.

Terms And Conditions

Online service providers and eCommerce businesses should have a lawyer look through their terms and conditions. When you’re providing training, guidance or any kind of product over the internet, you should provide clients with terms and conditions.