Many small business owners think that data privacy is something only big companies need to concern themselves with. Others think it is something the EU dreamed up and, if they are not based in the EU, it has nothing to do with them. Some imagine that if they are in the UK, Brexit has swept, or will sweep, all of this away.
It may surprise you to know that 71% of all the countries in the world have some form of data privacy legislation, with a further 9% having draft regulations working their way through their legislatures. In fact only 15% of countries have no data privacy legislation or draft legislation of any kind today (down from 19% a year ago). For the missing 5% nobody knows, but that is mostly failed states or rogue states, along with countries such as the USA or Canada where there is no national legislation but multiple state-level rules. Source: UNCTAD's Data Protection and Privacy Legislation Worldwide
It is highly unlikely you are working from a country with no legislation. And if you work with clients in other countries, it is equally unlikely they will be in a country with no legislation.
What does this have to do with you?
It is true to say that many small businesses and the people who serve them are oblivious to all of this and others are aware but take the view they are too small for any enforcement agency to bother with or trace. And it is true, as a matter of practicality, that the chances of you being audited or fined are incredibly low in some countries (and not so low in others).
So why worry?
In a world where criminals are moving from robbing banks and houses and stealing cars towards cybercrime, you need to be aware that your customer data is being targeted. Once the targets were banks and organisations with big mailing lists and databases. You hear all about the most spectacular hacks and data breaches fairly frequently. But as those organisations tighten their defences and build increasingly sophisticated protections around their data, the criminals are moving down from the larger businesses to the middle-sized ones and on to the small.
And you don’t have to be a mega corporation to have a valuable mailing list, or a customer list with bank details. Many of us micropreneurs are trading from our laptops with systems, websites and mailing lists that present a juicy target for thieves. Our laptops and smartphones are often stuffed full of easy-to-access data, and we rarely take the time to properly secure that data. In fact we often log on from shared wifi points without securing that data at all.
Why would anyone want that data?
In a digital world personal data represents cash. Hackers collect information we publicly share on social media (and there’s a surprising amount of that; check out How Much Would You Sell Your Social Media Data For) and combine it with information stolen from you to steal identities, make false credit applications in your customers’ names and worse. Data with medical information, financial information, ID data or children’s data is the most highly prized.
It is easily collated with data from other thefts and with public records, so the data you lose could put your customers at risk, or provide the final piece in the puzzle that makes them vulnerable to fraud and theft.
Data on high net worth individuals and on children is highly sought after and is regularly auctioned on the dark net.
How many customer and prospect records do you have?
Let’s imagine for a moment that each record has a nominal value of $100.
How much is the information worth?
People trust you with their information
Let’s imagine for a moment that every prospect leaves $10 with you and intends to come back and collect it later. Let’s imagine that your customers each leave $100 with you and trust you to give it back when the time is right.
How much would you have if you put it in cash on the table right now?
Let’s imagine you decide to leave the doors and windows open and walk away leaving all that cash on the table. Would you do that? Probably not, because you’d worry that someone might take it and you would then have a very difficult conversation with the customers whose money you were holding. And you do know that no insurance company in the world will cover you for loss if you have not bothered to lock the doors and windows and put that money in the safe. It’s pretty much the same with data really.
Virtual value in a real world
If you think of personal data as money you will set yourself on a data privacy journey that makes sense to you and your customers.
That means:
- Don’t take their money without their permission, unless they signed something saying you could take it regularly without coming back to them.
- Don’t assume you can use other people’s money just because you want to or need to.
- Don’t mix their money up with yours; it is not yours, you are simply looking after it.
- Don’t let other people have easy access to stealing that money.
- Don’t send their money abroad unless they know this is the plan beforehand.
- Keep their money secure and don’t let random people play with it.
- Give them back their money when they ask.
- Keep proper records of who has accessed their money, when it arrived and when you gave it back.
Now it is not quite that simple in the data privacy world, but if you ran a search and replace on this article and changed money to data you’d be a long way towards complying with the basics of data privacy wherever you are in the world. It’s a matter of common sense and courtesy apart from anything else. So if you are in one of those places where data privacy only applies to really big companies (and you’d better be sure about that), why not be responsible anyway?
Imagine having to explain to a client that they got hacked because nobody personally made you take care of their stuff! It’s not a great reputation building conversation.
Who is responsible?
In most countries the person ultimately responsible for data security is the person who decides it needs collecting from the customer. That person can be an organisation, or an individual if you are a sole trader. It is that person’s job to ensure not only that the data is collected for the right reason in the right way, but also that it is properly secured and only shared in accordance with the appropriate laws and with security taken into account.
In an increasing number of countries the person viewing, editing, saving or using that information is separately legally liable for that data. In the case of any data going in or out of the UK or the EU (and that means being viewed by someone inside these areas and then by someone outside; it does not have to physically move), this can only be lawfully done with the right contracts and data processing agreements in place.
Why didn’t somebody tell me this before?
The chances are that somebody did try to tell you, but they used such a lot of jargon that you stopped listening long before you got to a useful point. Data Privacy law is about as exciting as Tax law and people in the compliance area seem to delight in making it all as technical and boring as they can.
And if you google your country’s data privacy laws (or use the link at the beginning of the article) you may find yourself wishing you never asked the question! It’s not really that tricky but you wouldn’t think so from how it is explained.
Are you working in a different country to your clients or team?
While you are there, check out the laws in the countries where most of your clients come from; that will give you some idea of what they expect from you. Check the laws where your virtual team is based too. Hopefully they will be sensible enough to be at least aware of those, but it is your job to tell them how to handle that data. You really have two choices when you are trading across borders (which you are, even if you never leave your back bedroom).
- Figure out the laws that apply to you, where you are.
- Figure out if any of your customer or prospect data is covered by EU or UK laws that apply to you because of where your customer is (yes, I am not making this up).
- Figure out which laws apply to your team.
You don’t have to be a genius in data privacy law to realise that you will be changing standards every time you take on a prospect or client in a new country, or a new virtual team member. The people who write this stuff are not really up to speed with how we work and how truly agile we are!
What made sense to me for my business, and may well make sense to you for yours, is to apply the toughest standards from end to end. That meant that once I had got that sorted, it didn’t matter where anyone was or moved to; I did not have to worry.
The toughest standards in the world are currently from the EU. If you go with that standard in most countries in the world you will be more than fine.
You’re the boss, it's up to you.
How do you get on top of it all?
If the thought of reading all that stuff makes your brain freeze, don’t worry. If you understood this article (and I am sure you did), then you will have no trouble figuring out what to do using the KoffeeKlatch online GDPR programme with group support* to top you up in those moments when it doesn’t make complete sense.
It’s a ‘see one, do one’ programme. This means you learn and do at the same time. We know you are way too busy to spend a lot of time studying and then face a massive to-do list! So at the end of each module you will be one step closer to properly handling the personal data that flows in and out of your business.
About Annabel
Annabel Kaye is the founder of KoffeeKlatch. She loves to explain the small business legalities you need to handle in language we can all understand. She is a professional speaker, contract writer, and GDPR support specialist, all totally focussed on getting away from the jargon and making it work for the way you work today.
*Note: this is an affiliate link and will give you a 10% discount on your purchase.