GDPR for small businesses: Why is it important & how to comply?

In this blog post, we'll cover:

• What is GDPR?
• Basic GDPR terminology
• What is the difference between personal data and sensitive personal data?
• How does GDPR apply to small businesses?
• What are the differences between the UK GDPR and the EU GDPR?
• What is information consent, and why is it important?
• What are the legal obligations of a small business towards GDPR?
• What is a data breach, and how can you prevent one from happening?
• What is Professional Indemnity Insurance, and is it necessary?
• How do you choose between outsourcing and in-house GDPR compliance?
• How does GDPR affect different types of businesses?
  
  

What is GDPR?

The GDPR (General Data Protection Regulation) was created to strengthen EU residents' rights and offer them greater control over how businesses process and use their personal data. GDPR stands for the General Data Protection Regulation, which was passed by the European Union in May 2018. 

GDPR is a regulation that applies to businesses that use the personal data of customers for specific targeting during digital marketing campaigns and other purposes. If you run a small business in the UK, the GDPR law impacts you—and you'll need to be aware of a number of things.

Let us start with a glossary of GDPR terms before moving into how GDPR benefits and impacts small businesses.

Basic GDPR terminology

This is a list of key GDPR terms, definitions and abbreviations used while discussing GDPR. As you begin your GDPR compliance journey, it is important that you understand and remember them.

Personal data

Personal data includes any information about a living person who can be identified. Personal data is made up of several pieces of information that, when put together, can be used to identify a specific person.

Sensitive personal data

Special kinds of personal data, known as sensitive personal data, are subject to additional safeguards. In general, organisations must have more compelling reasons to process sensitive personal data than they do with "ordinary" personal data.

Anonymous data

Some data sets can be changed in such a way that no persons can be recognised (directly or indirectly) from them by any means or by any person. It is a technically hard process to ensure that individuals cannot be identified.

Pseudonymous data

Without a "key" that permits the data to be re-identified, some collections of data can be changed in such a way that no individuals can be recognised from them (directly or indirectly). Coded data sets used in clinical studies are a good example of pseudonymous data.

Data processing

The term "processing" includes a wide range of operations. It basically refers to anything that is done to or with personal information (including simply collecting, storing or deleting this data). This term is important because it indicates that EU data protection law will almost certainly apply whenever an organisation handles or affects personal data.

Controller

As compliance requirements under EU data protection law are principally imposed on controllers, the term "controller" was given special importance in the directive. 

What is the difference between personal data and sensitive personal data?

While personal data is any piece of information that may be used to identify a live individual with some degree of precision, sensitive personal data refers to a collection of "special categories" of information that must be handled with extreme caution. 

Sensitive personal data should be kept separate from other personal information, preferably in a secured drawer or filing cabinet.

It should only be maintained on laptops or portable devices if the file has been encrypted and/or pseudonymised, as with personal data in general.

What are the key principles of GDPR that apply to small businesses?

GDPR is made up of a few key principles that guide your business compliance efforts. These principles focus on specifying the depth of data protection businesses must maintain and structure their policies around. Here is a look at each of these values and what they mean:

1. Communication

Always use plain language. When you request information from your customers, let them know who you are. Explain to them as to why you are processing their information, how long it will be maintained, and who will have access to it. Terms & conditions and privacy policies on your website must be basic, transparent, and easy to comprehend, with no legal jargon.

2. Consent

One of the legal bases for data processing is consent. Consent should be provided by clear affirmative action from a data subject before you begin processing their data in any way. If a customer withdraws their consent, you must legally delete their information from your database.

3. Lawfulness, Fairness and Transparency

This concept has three parts:

1. • Lawfulness means that personal data can only be collected if there is a legal reason to do so. Additionally, all processes used in relation to the data of subjects must comply with the regulations of the GDPR.
   • Fairness means your usage and storage of a subject's data must match the way it was described to them. 
   • Transparency means data subjects must be made aware of exactly what their data will be used for and who it can be accessed by. This information needs to be communicated in clear and plain language.

4. Accessibility

Your customers have the right to ask you about the information you have stored on them. Although this is not a new right, businesses must now reply within one month and cannot demand a fee from the customers for asking this.

5. Portability

Your customers have the right to and can obtain a digital copy of their personal data to use in any way they see fit, including switching service providers.

6. Warnings

If there is a substantial risk to customers regarding their personal data or sensitive personal data, notify them about data breaches. Certain forms of data breaches must also be reported to the appropriate supervisory body.

7. Erasure

Customers have the right to request a business to remove all stored personal data and sensitive personal information about them. An exception to this is if your organisation has to maintain the information for legal reasons, such as tax purposes, which are usually government organisations.

8. Profiling

If you use profiling to process applications for legally binding agreements such as loans, you must notify your customers and ensure that a person, not a machine, checks on the process and follows up with the customer. If the application is denied, give the customer the opportunity to appeal the judgment and ensure that the profiling is done on a legal basis that is proper.

9. Marketing

Your customers have the right to opt out of direct marketing that uses their data. For example, the personal data that is collected through cookies on your website can be used for detailed targeting for a paid digital media campaign. But your customers will still have the right to ask you to exclude them from being included in your business's direct marketing campaigns.

10. Safeguarding personal and sensitive information

This includes your customers, staff, suppliers, and anybody else from whom you obtain personal information. Names, contacts, medical information, credit card or bank account information are classic examples of personal data.

11. Protecting data of children under the age of 16

You must get parental authorisation under the GDPR. However, each EU Member State has the option of lowering the age.

12. Purpose limitation

Related to the above principle, this states that the data you process from subjects will only be used for the purposes you have received consent for and have explained to the data subject.

13. Data minimisation

This states that only the minimum amount of data from subjects must be gathered to meet the purpose of its collection. You also have to explain the reason for the amount of data you collect in a specific policy.

14. Accuracy

This principle highlights that data stored and processed must be accurate and kept up to date where necessary. In compliance with this, outdated or inaccurate data must be erased and removed as soon as possible.

15. Storage limitation

This states that the data collected from subjects must only be stored temporarily as needed for its intended usage. When setting a policy for this, you need to set a retention period for any data you collect (how long you plan to keep a subject’s data.) You also need to explain how this period is necessary to achieve the purpose of collecting the data.

16. Integrity and confidentiality

This principle states that all data collected from subjects must be protected against unlawful processing or accidental damage and loss. Achieving this involves training and establishing cybersecurity systems and other protocols to make sure data is kept anonymous and secure to protect the identity of subjects.

17. Accountability

This states that compliance with GDPR must be proven and recorded to ensure data protection policies are in place. This includes documenting processes and procedures, as well as any policies related to compliance with GDPR.

The UK GDPR also specifies that any data breaches (any incident that results in accidental or unlawful damage, disclosure, access, or loss of personal data) that occur must be reported to the ICO and consenting data subjects within 72 hours from when it was first noticed.

There are many more regulations under the GDPR and you may have to develop policies to meet legal obligations based on your business’s operations.

Many of the principles of GDPR are structured around ensuring the protection of sensitive information gathered from data subjects. To comply with these principles, the first step in lawfully gathering this data is to receive consent from data subjects, which is a cornerstone of the GDPR. 

How does GDPR apply to small businesses?

As a small business owner, GDPR regulations also apply to your organisation’s activities. Even if you are a sole trader, a small business with 10-20 employees, or a medium-sized business with 200-250 employees, the GDPR must be followed. 

If your business is based in the UK, you must also pay the data protection fee to the Information Commissioner's Office (ICO). Depending on your business size, the fee is approximately between £40-£60 a year, with large organisations paying a fee of £2,900. Usually, businesses that have not paid this fee receive a letter from the ICO as a reminder for payment. Not paying this fee after receiving a warning can put you at risk of receiving a fine. 

After paying the fee, your business is listed on the ICO register of fee payers. This is an additional benefit, as being listed on this register is a public record that your business takes data security seriously, resulting in a positive impact on your reputation among your customers.

Certain organisations can be exempt from paying this fee depending on the type of data they process. Remember to double-check with an expert before making any decisions on compliance. You may be exempt if you only handle personal data for:

• Accounts and record-keeping
• Advertising and marketing
• Judicial functions
• Maintaining public registers
• Not-for-profit uses
• Personal, family or household uses
• Personal data processing without automated systems
• Staff administration

Are there any exemptions for small businesses?

If you have less than 250 employees, GDPR requires you to keep internal records of your processing activities because the data being processed could jeopardise someone's rights and freedoms, where the data relates to criminal convictions and the special categories of data, and where the organisation processes data on a regular basis.

To make sure you can develop the right compliance policies, it is important to note the key differences between the EU GDPR and the UK GDPR. 

The link between GDPR and the UK’s Data Protection Act 2018 

The UK Data Protection Act (DPA) of 2018 is a modern data protection law that took effect on May 25, 2018, around the same time as the EU GDPR act. This is essentially the UK's post-Brexit version of the GDPR act of the European Union. This act was passed in the United Kingdom, and it incorporates the GDPR into national law. 

Today, the UK has branched off from the EU GDPR and has established the UK GDPR, which contains many of the same policies, with some adapted for local business activity. Many of these changes impact businesses of all sizes, from large corporations to small startups. 

You might also be interested: Fines and GDPR: How to avoid penalties

To understand the UK GDPR, we first need to take a look at what the EU GDPR is.

The EU GDPR is a set of regulations focused on protecting and supporting the privacy of personal data for individuals living in European Union territories. The regulations empower individuals to decide if they want their data to be stored or used by businesses and stop data collection entirely. The GDPR also outlines the responsibilities of organisations to seek consent from subjects before processing data and how businesses must protect this data. 

Initially, the EU GDPR was introduced into UK law in 2018 via the Data Protection Act (DPA).

As of January 2021, with the UK withdrawing from the EU, the EU GDPR-related regulations under the DPA were instead transferred to the UK GDPR. Today, the Data Protection Act supports the UK GDPR by providing exemptions where needed and sets specific data protection rules for law enforcement in the UK. 

The UK GDPR applies to all organisations based in the UK and also to organisations who plan to sell to individuals or businesses in the UK. Similarly, the EU GDPR applies to any organisation planning to do business or based in EU territories.

What are the differences between the UK GDPR and the EU GDPR?

Here are the key differences to be aware of:

Both the EU and UK GDPR ultimately serve the same purpose, but these differences are important to consider depending on your type of business, the type of data you use and where you operate. 

What is information consent, and why is it important for small businesses?

The personal data of subjects is created based on each person’s online behaviour and private information, and this data becomes a part of their individual rights under the GDPR. 

As they are individual rights, you are legally required to gain consent before collecting or processing this information. Collecting or processing data from subjects who have not given you consent is considered unlawful by the UK GDPR and can result in you receiving penalties. 

Receiving consent for data collection and storage means that you have received permission from the subject to collect their data for the purpose and timeframe you have specified to them. Part of this consent is, as specified in the seven principles, communicating exactly what data is collected, what it will be used for, and how long it will be stored. 

If subjects give you consent, they do not have the right to object when you process or collect their data. However, subjects still have the right to withdraw consent at any time. If this happens, you are expected to immediately stop processing or collecting any data from these subjects. The UK GDPR also states that the process of withdrawing consent must be made as easy as giving consent. 

To summarise, the GDPR gives your customers the right to:

• Have access to their personal data
• Refuse consent to how their data is used
• Be informed what their data is being collected or processed for 
• Have any inaccurate data be updated
• Have their data erased 
• Be notified of any data breach within 72 hours of when it was first noticed
• Transfer their data to another service provider
• Have their data not used for processing but consent to collecting

Obtaining consent from data subjects is a legal requirement of the GDPR and is part of several legal obligations you need to meet as part of your business’s compliance policies. 

What are the legal obligations of a small business towards GDPR?

If your business stores and uses the data of your customers and is based in the UK, you are required to follow the regulations laid out by the UK GDPR. If your business is located outside the UK and you plan to sell goods or services to individuals living in the UK, you must also comply with the UK GDPR. This also applies to businesses based in/plan to sell to customers in the EU.

Watch video: Master the GDPR compliance audit: A comprehensive guide

If you do not comply with the UK and EU GDPR, you risk fines up to £17.5 million (€20 million) or four per cent of your business's global turnover (whichever is larger), temporary or permanent restrictions on processing and collecting data, or even a ban from operating in the UK or EU entirely. 

Now that you are aware of your legal obligations as a business, you can start working on your compliance policies. A strongly emphasised part of the GDPR is preventive protection and having procedures in place in the event of an incident, such as a data breach. 

Do you have unanswered questions about GDPR and what your business should be aware of? Don't hesitate to reach out to one of our experts for a free consultation.

What is a data breach, and how can you prevent one from happening?

A data breach is when personal data is accessed by unauthorised individuals, usually via unlawful means. When sensitive information is revealed, it can cause major problems for businesses, governments, and individuals. Unauthorised users can access data via a variety of methods, including the internet, Bluetooth, text messages, or the online services you use, whether you are offline or online.

Examples of personal data breaches before GDPR

Small businesses may find it difficult at first to determine what constitutes a data breach and what does not. Here are two examples to help clear up the confusion:

• A hospital suffers a breach that results in accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This could result in a high risk to their rights and freedoms, so they would need to be informed about the breach.
  
• Your organisation contracts an IT services firm (the processor) to archive and store customer records. As this is a personal data breach, the IT firm promptly notifies you that the breach has taken place. The IT firm detects an attack on its network that results in personal data about its clients being unlawfully accessed. 

As the law is constantly updated over time, it is important for small businesses to get legal advice from an attorney. Data security and data privacy evaluations under the advice of an attorney will always be helpful. 

How can you report a data breach?

If a personal data breach occurs, you must evaluate if it poses a risk to people. Following the breach, you must examine the likelihood and severity of the risk to people's rights and freedoms. If there's a chance there is a risk, you must notify the ICO; if it's unlikely, you do not have to report it.

The concept of breach notification is new in the GDPR: if (preventive) security measures are breached and personal data is improperly processed, the controller must notify the supervisory authority and possibly impact data subjects within 72 hours. Unless you can show that the breach posed no genuine harm to the data subjects or other persons, this is the situation.

As data breaches are unpredictable and can be very costly, it is important to set up backup processes or precautions in case they occur. Part of these precautions can be the choice of investing in professional indemnity insurance. 

What is professional indemnity insurance, and is it necessary?

Professional indemnity insurance (PI insurance) is a form of liability insurance that helps your business cover legal costs and expenses if a customer has decided to pursue legal action because of claimed inadequate services or financial loss. 

Paying for PI insurance is not mandatory according to the UK GDPR. If you handle personal data, this may be worth considering in case you have a data breach resulting in damage, loss, or accidental access to customer data and the customer decides to pursue legal action against your business. 

PI insurance is offered by insurance companies usually on a monthly or yearly basis, with costs that vary based on the extent of the coverage and the size of your business. While this can be difficult for small businesses to afford, it can be worth the investment, as legal fees can reach thousands of pounds, depending on the situation. As PI insurance plans can be different at each insurance company, consider researching multiple options to narrow down plans which relate the most to your business activity. 

As you begin to develop your GDPR compliance procedures, it is important to place someone at the head of these efforts who can take responsibility for compliance. You can either choose to upskill a current employee to lead your compliance efforts, or bring in an outsourced professional. 

How do you choose between outsourcing and in-house GDPR compliance?

The UK GDPR has many sections which outline regulations, clauses, and conditions for both individuals and organisations to be aware of. As many of these regulations contain legal terms and concepts which can be challenging to learn immediately, a commonly suggested solution is to work with a Lawyer and hire a Data Protection Officer.

A Data Protection Officer is a designated individual for an organisation who is responsible for monitoring consistent compliance with regulations and making sure that safety policies are being followed by all staff.

According to the UK GDPR, appointing a Data Protection Officer is mandatory only if:

• Your business is a public authority.
• Your business’s main activities involve regular and systematic monitoring of people on a large scale (such as online behaviour tracking).
• Your business’s main operations involve processing large amounts of data related to criminal convictions and offences or special category data (data that needs additional protection as it is especially sensitive).

As Data Protection Officers specialise in data protection and GDPR compliance, they are the ideal person to lead and manage your compliance efforts. So, how should you appoint an officer — should you outsource or train/hire?

The right choice is different for each organisation and depends on your resources, activities and approach to GDPR compliance. 

Here is an overview of the pros and cons of outsourcing a data protection officer:

Here is a look at the pros and cons of training or hiring an in-house data protection officer:

In addition to these points, consider the most important priority for your organisation right now. If you have a large budget to spare or only need a one-time review, outsourcing can make the compliance process easier. On the other hand, developing an in-house officer can have many long-term benefits for both cost and time optimisation.

An important part of the legal obligations involved with GDPR and the tasks Data Protection Officers have to handle are focused on ensuring data is gathered in compliance with regulations. While every organisation should maximise its efforts to comply with GDPR legislation, it is also important to plan for emergencies. Investing in professional indemnity insurance can help. 

Both situations have significant advantages, and deciding which is best requires taking a risk-based approach and evaluating it against internal knowledge, corporate objectives, and money before making a decision. 

If you are considering outsourcing your DPO, data protection specialists like Dataguard can help manage all your data protection responsibilities and train your internal staff so that you can focus on your core business activities.

How does GDPR affect different types of businesses? 

Since the majority of companies in the UK participate in the processing of personal data of EU and UK residents, GDPR has a significant impact on different types of businesses, regardless of region, size, or service offered. 

As a result, all of these organisations need to implement procedures, policies, and systems to comply with UK GDPR, which could affect them in a variety of ways. Read the articles below to learn how GDPR affects different types of businesses and how your business can comply with UK GDPR. 

• GDPR for Charities
• GDPR for Schools
• GDPR for Recruitment Agencies
• GDPR for Small Clubs and Societies

Is your business GDPR-compliant?

Every small business should comply with the UK GDPR. It becomes manageable if you act early and put in place the proper tools and procedures for the smooth running of data protection and privacy of your customers and employees.

The measures you take to comply with GDPR will provide you with a competitive edge, improve your reputation for best practices, and serve as a foundation for fair data insights.

If you could use some guidance, DataGuard helps small businesses like yours prepare and maintain GDPR compliance. Reach out to us for a free consultation:

Frequently Asked Questions

The GDPR is a detailed and strict set of regulations for data protection and management in the modern age of information technology, and the complicated history of its adoption in the UK can make it challenging to learn about. 

Are you a small business trying to learn how the GDPR applies to your organisation? Have a look at our frequently asked questions:

• Do you have a GDPR downloadable checklist for small businesses?
  
  Yes. This checklist includes a few tips for you to get started on GDPR Compliance, what to do if you receive a data request, and how to keep third-party date safe.

• Are small businesses exempt from any parts of GDPR?
  
  No, they are not. All businesses which collect and process personal data must comply with GDPR if they are based in the UK or EU, or if they sell to customers in the UK or EU. 
  
  
• What can customers ask businesses to do with their data now?
  
  
  • The GDPR empowers individuals with the right to:
  • Have access to their personal data
  • Refuse consent to how their data is used
  • Be informed what their data is being collected or processed for 
  • Have any inaccurate data be updated
  • Have their data erased 
  • Be notified of any data breach within 72 hours of when it was first noticed
  • Transfer their data to another service provider
  • Have their data not used for processing but consent to collecting
  
  

  Organisations that comply with GDPR are required to follow these rights and provide them where possible, with some exceptions, such as if consent for data processing is already received.

• Are there any fees involved in complying with GDPR?
  
  Yes, the Data Protection Fee is a yearly payment between £40-£60, depending on business size, paid to the Information Commissioner’s Office (ICO). Large organisations would pay a fee of £2,900. Paying this fee registers a business with the ICO as a record of the business’s commitment to data security. If this fee is not paid, organisations risk a fine or penalty. 
  
• Are there any exemptions for the Data Protection Fee Payment?
  
  Organisations may be exempt from paying this fee if they only handle personal data for:
   
  • Accounts and record-keeping
  • Advertising and marketing
  • Judicial functions
  • Maintaining public registers
  • Not-for-profit uses
  • Personal, family or household uses
  • Personal data processing without automated systems
  • Staff administration
    
• Does my business need a Data Protection Officer?
   
  

  Having a data protection officer is required by the UK GDPR only if:

  • Your business is a public authority.
  • Your business’s main activities involve regular and systematic monitoring of people on a large scale (such as online behaviour tracking).
  • Your business’s main operations involve processing large amounts of data related to criminal convictions and offences or special category data (data that needs additional protection as it is especially sensitive).
    
    Outside of these conditions, it is not mandatory to hire or outsource a data protection officer. 

• How often should my business update compliance policies and training?
  
  This depends on your organisation’s activities and your staff’s attitude towards data protection procedures. As technology is constantly evolving and older data protection processes become less secure, regularly update your policies and training accordingly. It may be helpful to dedicate two or more months within your business year to reviewing and updating your UK GDPR compliance policies.