If you're just taking your business online, you'll no doubt have a list of to-dos as long as your arm.
When a user visits or registers on a website, they are asked to agree to the terms and conditions laid out by the site's owner. This provides businesses with an opportunity to collect data, individually tailor the user experience and improve their site's overall effectiveness. It also brings with it additional legal considerations.
EU GDPR compliance is required for any business or individual that handles user data, no matter where the website's servers are based and regardless of the size of business. It applies to all websites that offer goods or services to people in the EU, including small businesses and startups.
The definition of 'data collection' is a broad one, covering everything from storing payment and personal details, all the way to including third-party tracking cookies on your site. Names, dates of birth, email addresses, payment and shipping information, phone numbers and bank details are all examples of personal user data (but that list is not exhaustive).
Before the introduction of the EU-wide GDPR in 2018 (and UK GDPR, brought in following Brexit), many businesses took a 'nice to have' approach to privacy policies, but the introduction of this data regulation brought with it the real threat of legal action against site owners who failed to both include and operate in line with their policy.
Also keep in mind that even if you don't collect identifiable data from users, if third parties have access to user data — via APIs, for example — you will, at least in part, be legally responsible for what they do with that data.
Your business could be out of pocket, to the tune of up to £18m or 4% of annual turnover, whichever is greater. For small businesses, the latter possibility would, understandably, usually apply.
Aside from fines, the UK's Information Commissioner's Office (ICO) can also issue a number of other punishments for non-compliance, such as:
The documentation surrounding GDPR rules is long and complex, but the overwhelming majority of cases found to be in breach of the regulation have violated Articles 5, 6 and/or 32:
Personal data must be:
Personal data can only be processed:
Requires that data controllers and processors implement “appropriate technical and organisational measures” to secure such personal data.
Information correct as of Feb 2022.