What Should I do as a Small Business in the new Privacy Environment?

What Should I do as a Small Business in the new Privacy Environment?

GDPR famously came into effect in 2018 but since then, CCPA in California and PIPEDA in Canada have both changed the privacy landscape further in North America. Now more than ever, retail owners have to be prepared to deal with customers who have questions about privacy. More specifically, questions regarding the collection of their personal information , what retailers intend to do with it, and how they will protect it from misuse/data breaches.

The best thing you can do right now is start on the process so that you protect your reputation with customers and be prepared when the US or Canadian government changes local privacy regulations again. After all, regulators and customers everywhere would rather see that you have a plan and that you’re working on improving rather than giving up or saying “it doesn’t apply to me.”

Rome wasn’t built in a day

For many small businesses, even knowing where the data of their customers and other people is stored is already hard. This is especially true nowadays with so much data being used and so many integrated systems. For most of us in North America, we’re just starting to consider how best to handle privacy in our day-to-day operations.

To make it easier, we’ve listed 8 basic steps for you below to help you get started on your privacy regulation journey within the context of PIPEDA, GDPR, and CCPA (download our GDPR checklists). These 8 steps are not necessarily enough for compliance with the different privacy regulations but they are a step in the right direction. Only you can decide the data risks you are willing to take with your business but hopefully this will help you clarify what those risks are.

1) Do a Privacy Audit for Personal Data

Download our checklists to make a detailed spreadsheet or summary of where you keep and collect personal data in your business.

2) Check if you currently handle Personal Data Outside of the Country

If you do already handle sensitive Canadian, American, or European personal data, we would recommend that you get further legal assistance as the different policies (PIPEDA, GDPR, and CCPA) already require that you comply. Here is a good comparative guide you can reference to understand the differences between each act.

3) What reason(s) do you have for collecting Personal Data?

Determine what lawful basis you have to collect personal data. Consent? Contract? Legal Obligation? Legitimate Interests?

Remember that you will need to list all of your reasons or lawful bases in the published privacy policy of your web site. Your lawful basis is the legal reason why you can collect and keep personal data so be cautious to think through what you choose or ask for legal advice on this. The different privacy policy regulations require that you explain why you chose to change your lawful basis should somebody make a complaint against your company. 

4) Review existing data and delete any unwanted data

This is probably the most painful part of this exercise. If you have been patiently collecting customer or lead data for years, you will need to make the difficult decision to determine as to whether it is necessary for you to keep all of your existing data. In some instances, you may find that you have been collecting data for years that you never use. In others, it may be that you have some concerns about the source of a list of leads you received in the past. Whether you decide to keep the data or not, it is important that you are aware of what you have so that you know the risks.

5) Update company policies and agreements

Spend some time reviewing all of your existing policies and agreements but especially your privacy policy and your terms of service. If you don’t have either published on your web site yet you’re not alone as many small businesses don’t realize that existing US and Canadian regulations require privacy policies. Now is a good time to have one drafted and added to your site so that you comply with current local requirements and other regulations on this issue.

Remember that the point of these different policies was to make privacy handling more transparent and easier for the average reader to understand as pages and pages of legalese defeats the purpose of any of the new regulations. Depending on the industry you’re in, you will want to have a lawyer look over your policies and agreements but if you’re a small retailer simply looking for a basic privacy policy, you can consider using the free policy generator offered by Shopify or iubenda which has free and paid versions (click for discount code) to post on your web site.

It’s also a good idea to let your email subscribers know whenever you make major revisions to your privacy policy although we would recommend that you add these updates to your regular email updates to ensure the best open rates and visibility.

6) Revise company processes and suppliers

Moving forward you should only gather personal data you need and make sure you have lawful grounds to process it.

Add and document consent wherever possible in your business processes. Consent has to be freely given, specific, informed and unambiguous (pre-ticked boxes aren’t allowed) on all of your forms (digital or paper). For email marketing, use reputable services such as MailChimp that are legally compliant so that subscribers are able to unsubscribe at any time.

7) Review all 3rd party processors and sign Data Processing Agreements (DPAs)

It’s also important to consider the privacy practices of your suppliers if you share any data with them that contains personal information. Be understanding that many North American businesses and most small businesses aren’t ready for updated privacy regulations but just make sure that your key partners are making efforts to improve how they handle privacy in their operations. If you’re sharing data with large processors such as Google Analytics, Facebook or MailChimp, you should sign the Data Processing Agreements (DPAs) or review the privacy settings they have for customers that share personal data with them. We’ve listed a few key processor DPAs below:

MailChimp

Google Analytics

Facebook

8) Review your company data security

You cannot have privacy without security. While there’s no such thing as 100% security, every business should review who has access to company data and whether current security settings and back-ups are sufficient.

What we’re doing at TAKU Retail

Like so many of you, we too are doing our best to try to meet ever-changing market expectations. And we’ve made the conscious decision to move towards a higher standard of privacy management so that you can feel confident about how we operate at TAKU Retail POS. To do this, we have recently updated our privacy policy, added consent options to our web forms and our web site cookie handling.

retail privacy policy

This post is an updated version of an original post published on the ACE POS retail blog.

You can join our beta waitlist here. In the meantime, subscribe to our blog for more retail tips and strategies.