GDPR. Sounds like a code from a secret society, right? Unfortunately, it’s not so glamorous, but it is important for your business, regardless of its size.
What is GDPR and why should you care?
GDPR (General Data Protection Regulation) is a set of rules that everyone who handles personal data in the European Union – and that includes most businesses – must follow. Simply put, GDPR keeps your customers' and employees' personal information safe.
Businesses that don’t comply with GDPR can be, and often are, hit with hefty fines. For example, the Information Commissioner's Office (ICO) recently issued TikTok with a "notice of intent" that explains it believes the social networking company broke the law between 2018 and 2020 and announced its intention to fine TikTok over £27m.
Does GDPR apply to small businesses in the UK?
Small businesses aren’t exempt from GDPR. No matter how many employees you have, you must still comply with data protection rules, although how you should do this might differ depending on the size of your organisation.
While GDPR was drafted and passed by the European Union, it is retained in domestic law as the UK GDPR, so it still applies if you are a UK-based business or organisation.
So, no. GDPR isn't just for giant corporations that process terabytes of data every week; it applies to everyone who collects and stores data. Ignoring it can lead to big fines and damage to your reputation. Not to mention that protecting your customers' data is simply the right thing to do.
What is personal data?
Before we dive into the nitty gritty of data protection, let’s consider what we actually mean when we talk about personal data.
In short, personal data is any information that could potentially identify a data subject, such as their name, address, medical information, ID, IP address, work history, and so on. This list isn’t exhaustive, and what constitutes personal data can depend on the person concerned.
For example, personal data in a school could consist of names, addresses, allergies, and school reports, while customer data could include their email address, credit card details, phone numbers and IP addresses.
What is a data subject?
A data subject is the person to whom personal data belongs and relates. Data subjects can be customers, employees, patients, students, subscribers, website users, or service users. In short, anyone you hold data on.
Seven Principles of GDPR Made Simple
The seven principles for the lawful processing of personal data are:
Data Minimisation
Purpose Limitation
Accountability
Lawfulness, Fairness and Transparency
Accuracy
Storage limitations
Integrity and Confidentiality
Data Minimisation - Less is more
This principle is about using only the data you need and nothing more. In simple terms, don't collect mountains of data just because you can. Stick to what's necessary for your business purposes. For example, if you're running an online store, you'll need your customers' names and addresses for shipping, but you probably don't need their shoe size, job title, or favourite ice cream flavour.
Purpose Limitation - AKA why you're collecting data
When you collect someone's data, be crystal clear about why you're doing it. Are you gathering customer info to process orders? Or maybe it's for sending out newsletters? Whatever the reason, communicate it clearly to your customers, and don't use their data for anything else without their explicit consent.
Accountability - It's your responsibility
As a small business owner, you're responsible for the data you collect. GDPR requires you to put in place and document measures to protect personal data and make sure it's not misused.
GDPR also gives your customers the right to access their data, correct any errors, and even request that you delete it altogether. It's their info, after all. So, if a customer asks about their data, be ready to provide it, fix any mistakes, or say goodbye to it when they ask you to.
Lawfulness, fairness and transparency - The foundations
How you process personal data should be lawful, fair and transparent. For example, if you send out an online newsletter to customers about your products and services you must first get explicit consent from a person that you can process their data for this purpose. You should then only use that data for that specific purpose and nothing more.
You should be open and honest about what data you are collecting, why you are collecting it, and how you intend to use it. The best place to communicate this to website users and customers is through a privacy policy on your website.
Accuracy - The devil is in the detail
If you hold personal data that is important to the person it is about, you should take reasonable measures to ensure it is correct and up to date.
Storage limitations - Nothing lasts forever (and nor should it)
You can’t hold personal data and information indefinitely. When it has served its purpose and you don’t need it anymore, you should securely destroy it.
For example, if a customer unsubscribes from your online newsletter, you should stop sending them emails and delete their data as soon as possible.
Integrity and confidentiality
The personal data you process should only be accessible to those who need it, and it is your responsibility to ensure that it cannot be stolen or manipulated by unauthorised parties. This doesn’t just mean hackers, either. It also extends to your employees.
For example, a list of email addresses used for online newsletters should only be accessible to employees who are responsible for sending those newsletters and not everyone at your organisation.
Data Protection Officer (DPO): Do Small Businesses Need One?
What's a Data Protection Officer (DPO)?
A DPO is the person responsible for making sure your small business follows all the data protection rules. They oversee data protection activities, inform and advise your team, and act as a contact point for data subjects (your customers and employees).
Do Small Businesses Need A DPO?
GDPR says you should have a DPO if:
Your small business is a public authority or performs tasks on behalf of a public authority (like handling public services);
Your business's main activities involve a lot of data processing, and that processing is likely to result in high risks to the rights and freedoms of individuals.
Most small businesses won't meet these criteria. If you're running a local bakery or a small marketing agency, you likely won't need a DPO. Phew! But...
Should You Appoint a DPO Anyway?
Even if GDPR doesn't require it, you can still choose to appoint a DPO. Having a data protection expert on your side can be a smart move, especially if you're dealing with sensitive data or if you just want to ensure you're doing everything by the book.
A DPO can help you:
Understand and navigate GDPR requirements.
Develop and implement data protection policies.
Train your staff on data protection best practices.
Ensure you're handling data breach notifications correctly.
So, while you might not need a DPO by law, it's worth considering if it makes sense for your business and gives you peace of mind.
How do small businesses become GDPR compliant?
So, now you know the principles of GDPR, how can you be sure your small business complies with GDPR?
Review your data
First up, make a list of the types of personal data you currently process. This could be addresses, phone numbers, email addresses, etc. It’s important to consider all areas of your business. Remember: GDPR doesn’t just apply to your customer data but also the data you hold on employees, too!
Make sure you have a lawful basis for processing your data
You need to have a valid reason to collect or use personal information. This is called a ‘lawful basis’. There are six lawful bases:
| Lawful Basis | Example |
|---|---|
| Consent | This must be freely given, indicated by a positive action to opt in (like ticking a box), and a person should be able to withdraw their consent easily at any time. |
| Contract | When you need to collect or use a person’s information to deliver a contractual service to them. |
| Legal obligation | When you need to collect or use personal information to comply with the law. |
| Vital interest | When you need to use or share personal information to protect someone’s life. |
| Public task | When you need to carry out specific tasks in the public interest. This is most relevant to public authorities or organisations. |
| Legitimate interest | When personal information is in the legitimate interest of yourself, an individual or a third party. |
When you have compiled a list of the different types of personal information your small business processes or uses, you should identify the most appropriate lawful basis for what you’re doing with that information.
Check you have consent
You must ensure that you have specific, unambiguous consent to process data and you can do this by using consent requests. Consent requests must be prominent and separate from your general terms and conditions. They must include:
The name of your organisation and the names of any other controllers who will rely on the consent;
Why you want the data;
What you will do with the data;
That consent can be withdrawn at any time.
When you have identified the lawful basis for collecting data, review how you are obtaining consent and ask yourself if that method of obtaining consent makes it obvious that the individual has consented, and what they have consented to. Examples of active opt-in mechanisms include:
An opt-in check box or button;
Optional fields in a form;
Signing a consent statement.
If you need explicit consent, your opt-in mechanisms must involve an express statement confirming consent. You can’t use pre-ticked boxes, default settings, or opt-out boxes.
You should go out of your way to check any data entry forms are compliant with lawful basis and consent request regulations.
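The consent requirements above (name the controllers, state the purpose, reject pre-ticked boxes, allow withdrawal at any time) and the storage limitation principle (delete the data once its purpose has ended) can be enforced in a small consent register. The following is an added example, not Lawhive's code and not any library's API; the 30-day retention window for withdrawn records, the subject ids and the email addresses are all constructed for illustration and should be replaced by your own retention policy and data.

```python
# Added example (not Lawhive's code): a minimal consent register that keeps the
# evidence a consent request needs, refuses consent that was not a positive
# opt-in, lets a person withdraw at any time, and purges records once their
# purpose has ended and a hypothetical retention window has passed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    subject_id: str            # who consented (constructed ids, not real people)
    purpose: str               # why the data is wanted, e.g. "newsletter"
    statement: str             # the exact wording the person agreed to
    controllers: tuple         # every organisation relying on this consent
    method: str                # how consent was given, e.g. "opt-in checkbox"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentRegister:
    """Holds consent evidence plus the personal data (here: an email) tied to it."""

    def __init__(self, retention_after_withdrawal: timedelta = timedelta(days=30)):
        # Hypothetical policy: keep a withdrawn record 30 days so the withdrawal
        # itself can be evidenced, then remove it. Set this to your own policy.
        self.retention = retention_after_withdrawal
        self.records: dict = {}   # (subject_id, purpose) -> ConsentRecord
        self.emails: dict = {}    # subject_id -> email, deleted on withdrawal

    def record_consent(self, subject_id, email, purpose, statement, controllers,
                       method, ticked_by_user: bool, default_ticked: bool,
                       now: datetime) -> ConsentRecord:
        # A pre-ticked box or an unticked box is not consent: GDPR needs a
        # positive opt-in action by the person, so refuse to record it.
        if default_ticked:
            raise ValueError("pre-ticked boxes are not valid consent")
        if not ticked_by_user:
            raise ValueError("no affirmative opt-in action was taken")
        if not statement.strip() or not controllers:
            raise ValueError("consent request must name the controllers and state the purpose")
        rec = ConsentRecord(subject_id, purpose, statement, tuple(controllers), method, now)
        self.records[(subject_id, purpose)] = rec
        self.emails[subject_id] = email
        return rec

    def has_consent(self, subject_id, purpose) -> bool:
        rec = self.records.get((subject_id, purpose))
        return rec is not None and rec.active()

    def withdraw(self, subject_id, purpose, now: datetime) -> None:
        # Withdrawal must be possible at any time. The email is deleted at once
        # (storage limitation); only the consent record with its withdrawal
        # date is kept, and only until purge_expired removes it.
        rec = self.records[(subject_id, purpose)]
        rec.withdrawn_at = now
        self.emails.pop(subject_id, None)

    def purge_expired(self, now: datetime) -> int:
        # Remove withdrawn consent records once the retention window has passed.
        expired = [k for k, r in self.records.items()
                   if r.withdrawn_at is not None and now - r.withdrawn_at >= self.retention]
        for k in expired:
            del self.records[k]
        return len(expired)

    def recipients(self, purpose) -> list:
        # Only subjects with live consent for this purpose receive the mailing.
        return sorted(self.emails[s] for (s, p), r in self.records.items()
                      if p == purpose and r.active() and s in self.emails)


def run_scenario() -> dict:
    """Walks constructed subjects through consent, withdrawal and purge."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = ConsentRegister()
    statement = ("Tick to receive the Example Bakery newsletter. "
                 "You can unsubscribe at any time.")
    common = dict(purpose="newsletter", statement=statement,
                  controllers=("Example Bakery",), method="opt-in checkbox", now=t0)
    reg.record_consent("s1", "s1@example.invalid", ticked_by_user=True, default_ticked=False, **common)
    reg.record_consent("s3", "s3@example.invalid", ticked_by_user=True, default_ticked=False, **common)
    rejected = False
    try:  # a form with a pre-ticked box must be refused
        reg.record_consent("s2", "s2@example.invalid", ticked_by_user=True, default_ticked=True, **common)
    except ValueError:
        rejected = True
    before = reg.recipients("newsletter")
    reg.withdraw("s1", "newsletter", t0 + timedelta(days=10))
    after = reg.recipients("newsletter")
    purged_early = reg.purge_expired(t0 + timedelta(days=20))   # inside retention window
    purged = reg.purge_expired(t0 + timedelta(days=45))         # window elapsed
    return {"prechecked_rejected": rejected, "before": before, "after": after,
            "purged_early": purged_early, "purged": purged,
            "email_kept_after_withdrawal": "s1" in reg.emails,
            "records_left": len(reg.records)}


if __name__ == "__main__":
    print(run_scenario())
```

The register stores the four things a consent request must show (controllers, purpose, wording, that withdrawal is possible) alongside the data it authorises, so a subject access request can be answered from one place, and the mailing list is derived from live consent rather than from a standalone address list that could outlive the consent behind it.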
Create processes to maintain compliance
When you’re sure that your consent requests are compliant, you should then update your processes to ensure your customers, users and employees can exercise their rights in relation to their data. These rights are:
| Individual Rights | Explanation |
|---|---|
| Right to be informed | You must tell people why you need the data you're asking for, how long you will keep it for, and who it will be shared with. |
| Right of access | When requested, you must give individuals the right to access and receive a copy of their personal data, and other supplementary information. |
| Right to rectification | When requested, you must update or correct data. |
| Right to erasure | Individuals have the right to request you erase their personal data. It is sometimes referred to as 'the right to be forgotten.' This right is not absolute and only applies in certain circumstances. |
| Right to restrict processing | Individuals can limit the way your organisation uses their data. When processing is restricted, you can store the data but you cannot use it. |
| Right to data portability | Individuals have the right to move, copy or transfer personal data from one IT environment to another in a safe and secure way. |
| Right to object | Individuals can object to the processing of their data in certain circumstances. For example, they have an absolute right to stop their data being used for direct marketing. |
| Rights related to automated decision making including profiling | If your business uses automation to make decisions, you are required to give individuals specific information about the processing and give them the right to challenge and request a review of the decision. |
For example, should a customer request to know what personal data you hold about them, they can make a subject access request (SAR) either verbally or in writing. It is your responsibility to comply with a SAR without undue delay, making reasonable efforts to find and retrieve the requested information.
Establishing processes to help you do this in the first instance will ensure you maintain compliance and respond to the rights of users, customers and/or employees quickly.
Update your privacy policy
Your privacy policy is your promise to your customers about how you handle their data. Make sure it's clear, concise, and up-to-date. Describe what data you collect, why you collect it, where you store it, who you share it with, and how long you keep it. Don't forget to include contact information for data inquiries as customers can request to see their data and ask for it to be deleted.
Implement security measures
Invest in security measures like encryption, secure passwords, and regular software updates. Keep data access limited to those who need it for legitimate reasons.
Train your team
Your employees are the guardians of your customers' data. Make sure they understand GDPR and how it applies to their roles. Provide training on data protection best practices, and encourage a culture of privacy within your business.
Seek legal guidance when in doubt
If you're ever unsure about GDPR compliance, don't hesitate to get legal help and advice. Consulting with a qualified small business solicitor who specialises in data protection can provide you with peace of mind and ensure you're on the right track.
At Lawhive, our expert solicitors are on hand to help you understand and navigate data protection processes and complexities, while helping you remain compliant. To get started, simply tell us about your case and we will give you a fixed-fee quote for fast, affordable support from an expert in commercial law.