Available at a fixed monthly cost

Get your quote today

What we offer at a glance

  • Get an external data protection officer
  • Audit of your data privacy status quo
  • GDPR support for small businesses and large corporations
  • Personal contact person & individual support
  • Easier communication with authorities
  • 100+ experts from the fields of law, economics & IT

Don't trust us, trust them:

Jedox  Logo Contact Demodesk Logo Contact Elevate Logo Contact Canon  Logo Contact CBTL Logo Contact Alasco  Logo Contact RightNow Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact

Learn more about our prices & services

or call us now: (020) 36956 452

GDPR for Small Businesses - Why is it Important & How do you comply with it?

As a small business owner, you may have heard of the terms “GDPR” and “data privacy” being discussed more frequently—but what does that mean for you?

In a variety of ways, complying to the rules and specifications of the GDPR may affect your business and how your consumers see you. This guide will help you learn all about UK GDPR, including GDPR for small businesses, how it differs from the EU GDPR, how it affects businesses and individuals in the UK, how businesses are expected to comply, the importance of insurance and data protection officers, and a downloadable GDPR checklist for small businesses.

In this Article

What is GDPR?

The GDPR (General Data Protection Regulation) was created to strengthen EU residents' rights and offer them greater control over how businesses process and use their personal data. GDPR stands for the General Data Protection Regulation, which was passed by the European Union in May of 2018. 

GDPR is a regulation that applies to businesses who use personal data of customers for specific targeting during digital marketing campaigns and other purposes. If you run a small business in the UK, the GDPR law impacts you—and you'll need to be aware of a number of things.

Let us start with a glossary of GDPR terms before moving into how GDPR benefits and impacts small businesses.

Basic GDPR terminology

This is a list of key GDPR terms, definitions and abbreviations used while discussing GDPR. As you begin your GDPR compliance journey, it is important that you understand and remember them.

  • Personal data — Personal data includes any information about a living person who can be identified. Personal data is made up of several pieces of information that, when put together, can be used to identify a specific person.
  • Sensitive personal data — Special kinds of personal data, known as sensitive personal data, are subject to additional safeguards. In general, organisations must have more compelling reasons to process sensitive personal data than they do with "ordinary" personal data.
  • Anonymous data — Some data sets can be changed in such a way that no persons can be recognised (directly or indirectly) from them by any means or by any person. It is a technically hard process to ensure that individuals cannot be identified.
  • Pseudonymous data — Without a "key" that permits the data to be re-identified, some collections of data can be changed in such a way that no individuals can be recognised from them (directly or indirectly). Coded data sets used in clinical studies are a good example of pseudonymous data.
  • Data processing — The term "processing" includes a wide range of operations. It basically refers to anything that is done to or with personal information (including simply collecting, storing or deleting this data). This term is important because it indicates that EU data protection law will almost certainly apply whenever an organisation handles or affects personal data.
  • Controller — As compliance requirements under EU data protection law are principally imposed on controllers, the term "controller" was given special importance in the directive. 

What is the difference between personal data and sensitive personal data?

While personal data is any piece of information that may be used to identify a live individual with some degree of precision, sensitive personal data refers to a collection of "special categories" of information that must be handled with extreme caution. 

Sensitive personal data should be kept separate from other personal information, preferably in a secured drawer or filing cabinet.

It should only be maintained on laptops or portable devices if the file has been encrypted and/or pseudonymised, as with personal data in general.

What are the key principles of GDPR that apply to small businesses?

GDPR is made up of a few key principles that guide your business compliance efforts. 

These principles focus on specifying the depth of data protection businesses must maintain and structure their policies around. Here is a look at each of these values and what they mean:

  1. Communication — Always use plain language. When you request information from your customers, let them know who you are. Explain to them as to why you are processing their information, how long it will be maintained, and who will have access to it. Terms & conditions and privacy policies on your website must be basic, transparent, easy to comprehend, with no legal jargon.
  2. Consent — One of the legal bases for data processing is consent. Consent should be provided by a clear affirmative action from a data subject before you begin processing their data in any way. If a customer withdraws their consent, you must legally delete their information from your database.
  3. Lawfulness, Fairness and Transparency — This concept has three parts:
    • Lawfulness means that personal data can only be collected if there is a legal reason to do so. Additionally, all processes used in relation to the data of subjects must comply with the regulations of the GDPR.
    • Fairness means your usage and storage of a subject's data must match the way it was described to them. 
    • Transparency means data subjects must be made aware of exactly what their data will be used for and who it can be accessed by. This information needs to be communicated in clear and plain language.
  4. Accessibility — Your customers have the right to ask you about the information you have stored on them. Although this is not a new right, businesses must now reply within one month and cannot demand a fee from the customers for asking this.
  5. Portability — Your customers have the right to and can obtain a digital copy of their personal data to use in any way they see fit, including switching service providers.
  6. Warnings — If there is a substantial risk to customers regarding their personal data or sensitive personal data, notify them about data breaches. Certain forms of data breaches must also be reported to the appropriate supervisory body.
  7. Erasure — Customers have the right to request a business to remove all stored personal data and sensitive personal information about them. An exception to this is if your organisation has to maintain the information for legal reasons, such as tax purposes, which are usually government organisations.
  8. Profiling — If you use profiling to process applications for legally binding agreements such as loans, you must notify your customers and ensure that a person, not a machine, checks on the process and follows up with the customer. If the application is denied, give the customer the opportunity to appeal the judgment and ensure that the profiling is done on a legal basis that is proper.
  9. Marketing — Your customers have the right to opt out of direct marketing that uses their data. For example, the personal data that is collected through cookies on your website can be used for detailed targeting for a paid digital media campaign. But your customers will still have the right to ask you to exclude them from being included in your businesses direct marketing campaigns.
  10. Safeguarding personal and sensitive information — This includes your customers, staff, suppliers, and anybody else from whom you obtain personal information. Names, contacts, medical information, credit card or bank account information are classic examples of personal data.
  11. Protecting data of children under the age of 16 — You must get parental authorisation under the GDPR. However, each EU Member State has the option of lowering the age.
  12. Purpose limitation — Related to the above principle, this states that the data you process from subjects will only be used for the purposes you have received consent for and have explained to the data subject.
  13. Data minimisation — This states that only the minimum amount of data from subjects must be gathered to meet the purpose of its collection. You also have to explain the reason for the amount of data you collect in a specific policy.
  14. Accuracy — This principle highlights that data stored and processed must be accurate and kept up to date where necessary. In compliance with this, outdated or inaccurate data must be erased and removed as soon as possible.
  15. Storage limitation — This states that the data collected from subjects must only be stored temporarily as needed for its intended usage. When setting a policy for this, you need to set a retention period for any data you collect (how long you plan to keep a subject’s data.) You also need to explain how this period is necessary to achieve the purpose of collecting the data.
  16. Integrity and confidentiality — This principle states that all data collected from subjects must be protected against unlawful processing or accidental damage and loss. Achieving this involves training and establishing cybersecurity systems and other protocols to make sure data is kept anonymous and secure to protect the identity of subjects.
  17. Accountability — This states that compliance with GDPR must be proven and recorded to ensure data protection policies are in place. This includes documenting processes and procedures, as well as any policies related to compliance with GDPR.

The UK GDPR also specifies that any data breaches (any incident that results in accidental or unlawful damage, disclosure, access, or loss of personal data) that occur must be reported to the ICO and consenting data subjects within 72 hours from when it was first noticed.

There are many more regulations under the GDPR and you may have to develop policies to meet legal obligations based on your business’s operations.

Many of the principles of GDPR are structured around ensuring protection of sensitive information gathered from data subjects. To comply with these principles, the first step in lawfully gathering this data is to receive consent from data subjects, which is a cornerstone of the GDPR.

Talk to an expert DataGuard

How does GDPR apply to small businesses?

As a small business owner, GDPR regulations also apply to your organisation’s activities. Even if you are a sole trader, a small business with 10-20 employees, or a medium-sized business with 200-250 employees, the GDPR must be followed. 

If your business is based in the UK, you must also pay the data protection fee to the Information Commissioner's Office (ICO). Depending on your business size, the fee is approximately between £40-£60 a year, with large organisations paying a fee of £2,900. Usually, businesses that have not paid this fee receive a letter from the ICO as a reminder for payment. Not paying this fee after receiving a warning can put you at risk of receiving a fine. 

After paying the fee, your business is listed on the ICO register of fee payers. This is an additional benefit, as being listed on this register is a public record that your business takes data security seriously, resulting in a positive impact on your reputation among your customers.

Certain organisations can be exempt from paying this fee depending on the type of data they process. Remember to double check with an expert before making any decisions on compliance. You may be exempt if you only handle personal data for:

  • Accounts and record-keeping
  • Advertising and marketing
  • Judicial functions
  • Maintaining public registers
  • Not-for-profit uses
  • Personal, family or household uses
  • Personal data processing without automated systems
  • Staff administration

Are there any exemptions for small businesses?

If you have less than 250 employees, GDPR requires you to keep internal records of your processing activities, because the data being processed could jeopardise someone's rights and freedoms, where the data relates to criminal convictions and the special categories of data, and where the organisation processes data on a regular basis.

To make sure you can develop the right compliance policies, it is important to note the key differences between the EU GDPR and UK GDPR. 

The link between GDPR and UK’s Data Protection Act 2018 

The UK Data Protection Act (DPA) of 2018 is a modern data protection law that took effect on May 25, 2018, around the same time as the EU GDPR act. This is essentially the UK's post-Brexit version of the GDPR act of the European Union. This act was passed in the United Kingdom, and it incorporates the GDPR into national law. 

Today, the UK has branched off from the EU GDPR and has established the UK GDPR, which contains many of the same policies, with some adapted for local business activity. Many of these changes impact businesses of all sizes, from large corporations to small startups. 

To understand the UK GDPR, we first need to take a look at what the EU GDPR is.

The EU GDPR is a set of regulations focused on protecting and supporting the privacy of personal data for individuals living in European Union territories. The regulations empower individuals to decide if they want their data to be stored or used by businesses and stop data collection entirely. The GDPR also outlines the responsibilities of organisations to seek consent from subjects before processing data and how businesses must protect this data. 

Initially, the EU GDPR was introduced into UK law in 2018 via the Data Protection Act (DPA).

As of January 2021, with the UK withdrawing from the EU, the EU GDPR-related regulations under the DPA were instead transferred to the UK GDPR. Today, the Data Protection Act supports the UK GDPR by providing exemptions where needed and sets specific data protection rules for law enforcement in the UK. 

The UK GDPR applies to all organisations based in the UK and also to organisations who plan to sell to individuals or businesses in the UK. Similarly, the EU GDPR applies to any organisations planning to do business or are based in EU territories.

What are the differences between the UK GDPR and the EU GDPR?

Here are the key differences to be aware of:

Differences between the EU GDPR and UK GDPR

EU GDPR

UK GDPR

All data subjects have rights related to the processing of their personal data.

Rights can be waived if exercising the rights would stop an organisation from carrying out its activities while processing data.

Allows EU member states a degree of flexibility to balance the right to privacy with the rights to freedom of expression.

Allows exemptions from personal data protection requirements if the data must be communicated for public interest (such as defence against certain lawsuits).

All data subjects have a right to not be subjected to automatic decision making or profiling systems.

Automatic decision making or profiling systems can be allowed in legitimate cases if there are safeguards set up to protect rights and freedoms.

Any person or organisation processing criminal data must have official authority to do so.

Does not require official authority for processing criminal data.

Age of consent to data processing is age 16.

Age of consent to data processing is age 13.

 

Both the EU and UK GDPR ultimately serve the same purpose, but these differences are important to consider depending on your type of business, the type of data you use and where you operate. 

What is information consent and why is it important for small businesses?

The personal data of subjects is created based on each person’s online behaviour and private information and this data becomes a part of their individual rights under the GDPR. 

As they are individual rights, you are legally required to gain consent before collecting or processing this information. Collecting or processing data from subjects who have not given you consent is considered unlawful by the UK GDPR and can result in you receiving penalties. 

Receiving consent for data collection and storage means that you have received permission from the subject to collect their data for the purpose and timeframe you have specified to them. Part of this consent is, as specified in the seven principles, communicating exactly what data is collected, what it will be used for, and how long it will be stored. 

If subjects give you consent, they do not have the right to object when you process or collect their data. However, subjects still have the right to withdraw consent at any time. If this happens, you are expected to immediately stop processing or collecting any data from these subjects. The UK GDPR also states that the process of withdrawing consent must be made as easy as giving consent. 

To summarise, the GDPR gives your customers the right to:

  • Have access to their personal data
  • Refuse consent to how their data is used
  • Be informed what their data is being collected or processed for 
  • Have any inaccurate data be updated
  • Have their data erased 
  • Be notified of any data breach within 72 hours of when it was first noticed
  • Transfer their data to another service provider
  • Have their data not used for processing, but consent to collecting

Obtaining consent from data subjects is a legal requirement of the GDPR and is part of several legal obligations you need to meet as part of your business’s compliance policies. 

What are the legal obligations of a small business towards GDPR?

If your business stores and uses the data of your customers and is based in the UK, you are required to follow the regulations laid out by the UK GDPR. If your business is located outside the UK and you plan to sell goods or services to individuals living in the UK, you must also comply with the UK GDPR. This also applies to businesses based in/plan to sell to customers in the EU.

If you do not comply with the UK and EU GDPR, you risk fines upto £17.5 million (€20 million) or four per cent of your business's global turnover (whichever is larger), temporary or permanent restrictions on processing and collecting data, or even a ban from operating in the UK or EU entirely. 

Now that you are aware of your legal obligations as a business, you can start working on your compliance policies. A strongly emphasised part of the GDPR is preventive protection and having procedures in place in the event of an incident, such as a data breach. 

Have 20 minutes? Schedule a meeting with one of our GDPR experts today:

Book an appointment

What is a data breach and how can you prevent one from happening?

A data breach is when personal data is accessed by unauthorised individuals, usually via unlawful means. When sensitive information is revealed, it can cause major problems for businesses, governments, and individuals. Unauthorised users can access data via a variety of methods, including the internet, Bluetooth, text messages, or the online services you use, whether you are offline or online.

Examples of personal data breaches before GDPR

Small businesses may find it difficult at first to determine what constitutes a data breach and what does not. Here are two examples to help clear up the confusion:

  • A hospital suffers a breach that results in accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This could result in a high risk to their rights and freedoms, so they would need to be informed about the breach.
  • Your organisation contracts an IT services firm (the processor) to archive and store customer records.As this is a personal data breach, the IT firm promptly notifies you that the breach has taken place. The IT firm detects an attack on its network that results in personal data about its clients being unlawfully accessed. 

As the law is constantly updated over time, it is important for small businesses to get legal advice from an attorney. Data security and data privacy evaluations under the advice of an attorney will always be helpful. 

How can you report a data breach?

If a personal data breach occurs, you must evaluate if it poses a risk to people. Following the breach, you must examine the likelihood and severity of the risk to people's rights and freedoms. If there's a chance there is a risk, you must notify the ICO; if it's unlikely, you do not have to report it.

The concept of breach notification is new in the GDPR: if (preventive) security measures are breached and personal data is improperly processed, the controller must notify the supervisory authority and possibly impact data subjects within 72 hours. Unless you can show that the breach posed no genuine harm to the data subjects or other persons, this is the situation.

As data breaches are unpredictable and can be very costly, it is important to set up back-up processes or precautions in case they occur. Part of these precautions can be the choice of investing in professional indemnity insurance. 

What is professional indemnity insurance and is it necessary?

Professional indemnity insurance (PI insurance) is a form of liability insurance that helps your business cover legal costs and expenses if a customer has decided to pursue legal action because of claimed inadequate services or financial loss. 

Paying for PI insurance is not mandatory according to the UK GDPR. If you handle personal data, this may be worth considering in case you have a data breach resulting in damage, loss, or accidental access to customer data, and the customer decides to pursue legal action against your business. 

PI insurance is offered by insurance companies usually on a monthly or yearly basis, with costs that vary based on the extent of the coverage and the size of your business. While this can be difficult for small businesses to afford, it can be worth the investment, as legal fees can reach thousands of pounds depending on the situation. As PI insurance plans can be different at each insurance company, consider researching multiple options to narrow down plans which relate the most to your business activity. 

As you begin to develop your GDPR compliance procedures, it is important to place someone at the head of these efforts who can take responsibility for compliance. You can either choose to upskill a current employee to lead your compliance efforts, or bring in an outsourced professional. 

How do I choose between outsourcing and in-house GDPR compliance?

The UK GDPR has many sections which outline regulations, clauses, and conditions for both individuals and organisations to be aware of. As many of these regulations contain legal terms and concepts which can be challenging to learn immediately, a commonly suggested solution is to work with a Lawyer and hire a Data Protection Officer.

A Data Protection Officer is a designated individual for an organisation who is responsible for monitoring consistent compliance with regulations and making sure that safety policies are being followed by all staff.

According to the UK GDPR, appointing a Data Protection Officer is mandatory only if:

  • Your business is a public authority.
  • Your business’s main activities involve regular and systematic monitoring of people on a large scale (such as online behaviour tracking).
  • Your business’s main operations involve processing large amounts of data related to criminal convictions and offences or special category data (data that needs additional protection as it is especially sensitive).

As Data Protection Officers specialise in data protection and GDPR compliance, they are the ideal person to lead and manage your compliance efforts. So, how should you appoint an officer — should you outsource or train/hire?

The right choice is different for each organisation and depends on your resources, activities and approach to GDPR compliance. 

Here is an overview of the pros and cons of outsourcing a data protection officer:

Outsourcing

Pros 

Cons

Compliance reviews can be done quickly. 

Can be costly because of repeat hiring, especially if you have a lot of customer data.

Outsourced officers are knowledgeable and experienced with compliance.

They can be disruptive to daily business activities during the review.

Having an outsourced officer means other staff can focus on maintaining business activities.

There may be disagreements between staff and the officer when sharing data.

Can provide effective support in case of an emergency.

 

 

Here is a look at the pros and cons of training or hiring an in-house data protection officer:

 

In-house

Pros

Cons

Less costly over time regardless of the size of the data pool and frequency of review.

Can take a significant amount of time to train depending on the qualifications of the officer-in-training.

Compliance can be maintained consistently over time.

Can be very stressful if the officer-in-training is new/not used to handling legal compliance.

The training can be passed on to additional officers in the future.

Reliability of compliance reviews can be low initially if the officer has no previous experience. 

In-house officers are familiar with the organisation, causing less disruptions and smoother cooperation with other staff. 

Hiring an officer can be expensive due to their specialisation.

In addition to these points, consider the most important priority for your organisation right now. If you have a large budget to spare or only need a one-time review, outsourcing can make the compliance process easier. On the other hand, developing an in-house officer can have many long-term benefits for both cost and time optimisation.

An important part of the legal obligations involved with GDPR and the tasks Data Protection Officers have to handle are focused on ensuring data is gathered in compliance with regulations. While every organisation should maximise its efforts to comply with GDPR legislation, it is also important to plan for emergencies. Investing in professional indemnity insurance can help. 

Both situations have significant advantages, and deciding which is best requires taking a risk-based approach and evaluating it against internal knowledge, corporate objectives, and money before making a decision. 

If you are considering outsourcing your DPO, data protection specialists like Dataguard can help manage all your data protection responsibilities and train your internal staff so that you can focus on your core business activities.

How will GDPR affect different types of businesses? 

Since the majority of companies in the UK participate in the processing of personal data of EU and UK residents, GDPR has a significant impact on different types of businesses, regardless of region, size, or service offered. 

As a result, all of these organisations would need to implement procedures, policies, and systems to comply with UK GDPR, which could affect them in a variety of ways. Read the articles below to learn how GDPR affects different types of businesses and how your business can comply with UK GDPR. 

Conclusion

Every small business should comply with UK GDPR. It becomes manageable if you act early and put in place the proper tools and procedures for the smooth running of data protection and privacy of your customers and employees. The measures you take to comply with GDPR will provide you a competitive edge, improve your reputation for best practices, and serve as a foundation for fair data insights.

Data Guard helps software companies and tech start-ups with topics like Privacy by Design and Default concepts, data exchanges with third-party service providers, and creating erasure concepts for every tool.

Have 20 minutes? Schedule a meeting with one of our GDPR experts today:

Book an appointment

Frequently Asked Questions

The GDPR is a detailed and strict set of regulations for data protection and management in the modern age of information technology, and the complicated history of its adoption in the UK can make it challenging to learn about. 

Are you a small business trying to learn how the GDPR applies to your organisation? Have a look at our frequently asked questions:

  • Do you have a GDPR downloadable checklist for small businesses?

    Yes. This checklist includes a few tips for you to get started on GDPR Compliance, what to do if you receive a data request, and how to keep third-party date safe.
  • Are small businesses exempt from any parts of GDPR?

    No, they are not. All businesses which collect and process personal data must comply with GDPR if they are based in the UK or EU, or if they sell to customers in the UK or EU. 

  • What can customers ask businesses to do with their data now?

    • The GDPR empowers individuals with the right to:
    • Have access to their personal data
    • Refuse consent to how their data is used
    • Be informed what their data is being collected or processed for 
    • Have any inaccurate data be updated
    • Have their data erased 
    • Be notified of any data breach within 72 hours of when it was first noticed
    • Transfer their data to another service provider
    • Have their data not used for processing, but consent to collecting

    Organisations that comply with GDPR are required to follow these rights and provide them where possible, with some exceptions, such as if consent for data processing is already received.

  • Are there any fees involved in complying with GDPR?

    Yes, the Data Protection Fee is a yearly payment between £40-£60, depending on business size, paid to the Information Commissioner’s Office (ICO). Large organisations would pay a fee of £2,900. Paying this fee registers a business with the ICO as a record of the business’s commitment to data security. If this fee is not paid, organisations risk a fine or penalty. 
  • Are there any exemptions for the Data Protection Fee Payment?

    Organisations may be exempt from paying this fee if they only handle personal data for:
     
    • Accounts and record-keeping
    • Advertising and marketing
    • Judicial functions
    • Maintaining public registers
    • Not-for-profit uses
    • Personal, family or household uses
    • Personal data processing without automated systems
    • Staff administration
  • Does my business need a Data Protection Officer?
     

    Having a data protection officer is required by the UK GDPR only if:

    • Your business is a public authority.
    • Your business’s main activities involve regular and systematic monitoring of people on a large scale (such as online behaviour tracking).
    • Your business’s main operations involve processing large amounts of data related to criminal convictions and offences or special category data (data that needs additional protection as it is especially sensitive).

      Outside of these conditions, it is not mandatory to hire or outsource a data protection officer. 
  • How often should my business update compliance policies and training?

    This depends on your organisation’s activities and your staff’s attitude towards data protection procedures. As technology is constantly evolving and older data protection processes become less secure, regularly update your policies and training accordingly. It may be helpful to dedicate two or more months within your business year to reviewing and updating your UK GDPR compliance policies. 

                                                                                                                                                 Back-to-top 

About the author