Small Business GDPR Policy Template
Privacy policies serve two purposes: (1) they are required by law and, as a result, protect you from liability; and (2) they let you inform your customers, suppliers and staff about how you use their personal information.
Personally identifiable information is a general term for any information that can be used to find, contact or identify a person. It includes, but is not limited to:
- Full names
- Dates of birth
- Physical addresses
- Any type of national identification number
- IP addresses
- Telephone numbers
- Screen names or handles
- Email addresses
- Credit card numbers
You must handle data in a way that complies with privacy and local laws. This means you need to implement the right internal processes, procedures and policies so that your firm ensures the privacy and security of personal data. Be aware that if customers think you are not safeguarding their privacy in a way that complies with the law, they can easily lodge a formal complaint with the local authorities, and those authorities are obliged to investigate. You could then be liable, or at least have to fight the claim in court, which can be expensive and time-consuming.
Small businesses have the most to lose when they fail to live up to their customers’ expectations on privacy given they often rely on a smaller, more regional customer base.
When writing your full small business GDPR Policy template, start with these important parts.
Identification of your firm and its role
What kind of information you gather
Here is where you will tell customers exactly what information you collect and why.
The "what" part is fairly straightforward, e.g. their names, addresses, email addresses and payment information.
The "why" part often needs some reflection and some expert input. GDPR requires you to describe the business purpose of any data processing and to ensure you have a documented legal basis for it. Check out our knowledge base for more information on this topic.
In this part, it is better to be too specific than too vague. Also note that GDPR requires you to keep the language and structure simple so that it is easily understood. The best way to explain to customers what kind of information you need and want from them is to keep things simple.
How data is gathered
You can document how you collect information in the same clause as the types of information you collect, or you can give it its own clause.
This clause will vary depending on what kind of business you run. Just be sure to tell people how you obtain their information, whether directly from them or from a third party.
Information You Share or Disclose
Most companies share, or pass on, some information as part of their business operations. For example, businesses pass invoices bearing customer names on to their bookkeeper. Businesses also use all sorts of cloud or SaaS tools to help them run their business, for example a cloud CRM tool to manage their customers' data and sales process. Because the cloud or SaaS tool is owned not by the firm but by a third party, the data is wholly or partly shared with that third party.
Therefore, make sure you inform your users which third parties you use, so they can make an informed decision about the effect on their privacy.
Your customers have rights
GDPR gives consumers rights over their data. One of these rights is to be able to see and correct their personal information. In your small business GDPR Policy template, you must not only tell customers about their rights but also explain how they can exercise them.
Measures to protect and secure data
Customers need to be reassured about how you keep their information safe. You don't have to go into too much detail, as that could give useful information to potential attackers, but you should outline the general measures you take to keep data secure.
Make sure that what you say you do to keep data safe is what you actually do.
Many countries have laws restricting unsolicited email or spam. Therefore, you have to give customers the chance to opt out of these communications. If you don't, you could be held civilly liable and have to pay fines.
It's also simply the right thing to do. If a customer bought something from you once and doesn't want to hear from you again, giving them a way to say so helps your goodwill. You might think of promotions as a way to make money, but treating customers well also helps you get ahead in your market.
Changes/Updates to the policy and notification about those changes
You can also put a link to your Policy on pages where people sign up, check out, sign up for emails, and in other places where personal information is collected.
- Don't ask for more details than you need. Do not ask for a customer's date of birth if you do not need it to help them. Less personal information means less to secure and less to keep track of.
- Make it fit your business. A fitness centre and an accounting firm gather different kinds of information. Make sure your small business GDPR Policy template fits your business and the information you collect.
Our GDPR compliance software for SMEs can generate any document required by the GDPR: