GDPR: the simple version

After the GDPR dust has settled, my clients divided in three main groups, those who went headless chicken, even going so far as to employ expensive consultants, those who adopted the simple, pragmatic approach (possibly employing me as an inexpensive consultant) and thirdly those who went ostrich.

This article is mainly aimed at that third group.

GPDR is around 15 months old now and there are two main conclusions to be drawn. Firstly, the Information Commissioner’s Office (ICO) has great big international teeth but they are mainly for biting the big headline-grabbing abusers of data, Facebook and the like—though whether a €100m Euro fine against Facebook can be described as a painful bite rather than an irrelevant tickle is a discussion for another day—and secondly, that the procedures for small businesses like yours are simple and not onerous.

I have recently written out a procedure for a client so I thought I would share it here.

GDPR and the small business

GDPR applies to you in respect of the personal* data you hold on prospective customers, customers and suppliers whether digital or on paper. The major implications are;

1. That data should be kept safe (ie if on a computer password protected, if on paper locked up.)

2. You need to assign a responsible person as the Data Officer ( probably you). You need to publish their contact details.

3. You need to put in place a procedure whereby people can

a. Find out what personal data you hold on them
b. Correct that data if it is wrong
c. Delete that data if they request it


4. You need to publish that procedure (policy), and your website is a good place to put it. You also need a private internal document that outlines your policy on all these points.

5. If any of your staff or helpers have access to that data then you need a procedure for changing access should they leave (ie change passwords, destroy data if on their devices, return keys etc.)

6. You need to establish, formerly, if you need to keep certain elements of data and for how long.

a. How long do you keep personal details after a prospect, customer or supplier ceases their relationship with you
b. Whether you keep credit card or payment details (my advice: don’t)


7. If your website doesn’t hold any personal data about visitors (which is true for the vast majority of the sites I build) nothing needs to be done about this.

8. Cookies are placed on a visitor’s computer by WordPress and Google and whereas formal consent is not needed as this data is anonymous, it is wise to mention it your published privacy policy**.

9. In the highly unlikely event someone makes a complaint against you to the ICO, the ICO will try and establish if you have these procedures in place and if you don’t will require you do so. A fine is the ultimate outcome but only if you ignore what they say.

* Personal data includes the obvious, name, email address, address etc but also anything that could directly identify an individual.

** It is my policy not to place those intensely annoying cookie consent notices on my website as their presence generally indicated that the visitor’s personal data will be used for advertising purposes and that is almost never on small business websites.