Guide to GDPR for small businesses

What is GDPR?

GDPR is a set of regulations that companies and organisations must adhere to regarding how they collect and store data about and belonging to employees and customers. If businesses breach GDPR rules, they could face a substantial fine.

It’s worth noting that GDPR itself is relevant to countries in the European Union and no longer applies to the UK after it left the EU in January 2020. However, UK companies still have to follow newly-created UK GDPR rules – which consist of similar regulations[1].

Does GDPR apply to small businesses?

GDPR is relevant for small businesses that handle any personal data – from anyone[2]. This includes staff, customers, and clients. Essentially, if you take, process, or store any personal data or identifying information, you need to comply with GDPR rules. No matter the reason.

What counts as personal data?

Personal data is any piece of information that could help identify a person. This includes[3][4]:

• Personal details – such as names, addresses, and phone numbers
• Medical information – including medical records and ID numbers (for example, someone’s NHS number)
• Forms of identification – these don’t even have to be formal, named documents such as a passport. A photograph is enough
• Numbers and codes – this includes customer reference numbers and even IP addresses
• Reports and reviews – don’t forget about employee and school reports and even customer reviews.

What size of company must comply with GDPR?

Generally, companies with 250 employees or more are required to comply with GDPR rules. However, GDPR is still relevant for small businesses with fewer than 250 employees if they process personal data as a regular part of their business operations.

If you employ fewer than 250 people, separate data processing rules still apply. According to the Information Commissioner’s Office (external link) (ICO), this means documenting data processing activities that:

• Are more than just a one-off. For instance, if you’re an IT consultant or accountant who processes client data as a matter of course
• May risk the rights and freedoms of people. If the information is especially sensitive
• Use special category or criminal conviction data.

How to comply with GDPR

Ensuring that all the data your company collects is processed correctly and all GDPR rules are complied with can be a little daunting, especially for small businesses. But there are things you can do to understand what you need to do and to help avoid a dreaded data leak.

Audit your personal data

Make a list of the different types of personal data you process. For example, the list could include:

• Customer addresses
• Client phone numbers
• Customer reference numbers.

Note that you shouldn’t be writing down the personal information itself, but rather just the categories of information you handle. This will help you get to grips with what exactly you process day-to-day.

Consider why you have it

Once you’ve got everything in front of you, analysing why and how you use this data helps to identify the best way to process it. It also helps with ensuring those processes adhere to GDPR.

It’s best to make sure that any data you collect is handled on a lawful basis, and that you have a legitimate reason for collecting it. You should never gather or use people’s data in ways they might not be aware of or comfortable with[5]. If you find you hold any data that was gathered, or is being used, in this way, this is likely not lawful or compliant with GDPR.

Understand whether it’s lawful

There are six types of lawful basis defined by GDPR regulations. These help to determine whether the information is legal to process.

These are[6]:

• Contract – do you have a contract with the person whose data you’re processing?
• Consent – has the person agreed for their data to be taken and used? Can they revoke their consent?
• Legal obligation – do you need to collect this data to comply with the law?
• Legitimate interests – do you take full responsibility for how the data is processed?
• Vital interests – is the data being used to protect the person’s vital interests (their life)? This might apply in life-and-death and emergency situations
• Public task – are you using the data for the sake of public interest?

The ICO has a helpful lawful basis checker (external link) you can use to see under which category your data can be used.

Ensure you’re transparent about how you use data

As a business owner or leader, you need to ensure you explain what data you’re collecting and exactly how and why it’s being used. This will involve writing a consent request, which sets out your intentions for using people’s personal data.

A consent request must include[7]:

• Business details – your company name and the names of any affiliates who will be using the data
• Purposes for collecting the data – why and how are you going to use the data?
• Consent withdrawal notice – people need to be notified that they can withdraw their consent at any time.

Check that your current data entry forms are compliant

You may also want to evaluate the existing ways in which you ask for people's data. Ensuring you ask in a consensual and lawful way helps you comply with GDPR.

One of the most common ways to structure GDPR-compliant data entry requests is to use opt-in options on consent request forms[8]. For example:

• Tick boxes
• Yes/no options
• Signatures
• Opt-in buttons.

Whatever method you choose, the options for the answers given to questions regarding consent must be unambiguous. 

Another way to keep track of your data entry forms, and the data they collect, is by creating an audit trail. This helps you know when consent was given and under what circumstances. You may want to maintain records of the forms used and whether they’re compliant with lawful basis and consent request regulations.

Understand people’s individual rights

People’s data is their own – so they have rights over it. By law, they can ask you to stop using it or alter their consent at any time.

There are eight individual rights that businesses must adhere to when processing data. However, some may become more relevant for smaller businesses. These include:

• Right of access –the right to request access to personal data
• Right to object – the right to oppose parts of the consent request or data processing
• Right to be informed – the right to be told how and why data is being used
• Right to rectification – the right to ask for data to be changed or corrected
• Right to erasure – the right to ask for data to be deleted.

Consider how these rights relate to your business

Now you’ve got a sense of the wider picture, and the ins and outs of GDPR compliance, the next step is to reflect on how these rights relate to how your business processes data.

For example, if you’re an events company that’s collecting data to create your latest email marketing campaign, you might utilise the following information customer information:

• Names
• Email addresses
• IP addresses.

This means individual rights would be applicable in the following ways:

• Right of access – after seeing your targeted content for events in their area, a customer might request that they would like to see how you know their location
• Right to object – the customer might not be happy that you’re using this information in this way, so they may request that their IP address not be used for targeted marketing
• Right to be informed – a customer may see you’re requesting their personal information on your site. Before they input this data, they might contact you to ask how and why you need it
• Right to rectification – a customer might notice that you’ve misspelt their name in one of your emails
• Right to erasure – a customer may not want to receive emails from you at all and ask for their information and email address to be removed from your records.

Working processes into your operations to allow for these to be upheld could help to make GDPR compliance come more easily to your business.

Get up to speed with the terminology of GDPR

You’re nearly on top of GDPR – but there are a few pieces of jargon that may prove important to help you fully understand the issue.

For example[9]:

• Data subject – this is the person who can be identified through the personal data collected
• Consent – permission is given by the data subject to allow the use of their data
• Processing – how personal data is used in business operations
• Data controller – the body (either individual or authority) that decides how personal data is to be processed
• Data processor – the body (either individual or authority) who processes the personal data on the command of the data controller
• Lawful basis – a valid reason for collecting and processing personal data.

 Invest in people with the right skills

Whatever personal data you handle, and however much, having the right people with the right expertise can help your small business to stay on the right side of the rules. This might come in the form of hiring a data controller and data processor or investing in training for your existing team.

When you buy cyber and data insurance with Hiscox, you get access to free training as part of the CyberClear Academy, which could help to boost your organisation’s wider data security knowledge. 

 

[1] https://gdpr.eu/what-is-gdpr/ (external link)

[2] https://ico.org.uk/for-organisations/sme-web-hub/key-data-protection-terms-you-need-to-know/#lawfulbasis (external link)

[3] https://ico.org.uk/for-organisations/sme-web-hub/key-data-protection-terms-you-need-to-know/#lawfulbasis (external link)

[4] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/ (external link)

[5] https://ico.org.uk/for-organisations/sme-web-hub/getting-started-with-data-protection-top-tips-for-beginners/ (external link)

[6] https://ico.org.uk/for-organisations/sme-web-hub/key-data-protection-terms-you-need-to-know/#lawfulbasis (external link)

[7] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/consent/how-should-we-obtain-record-and-manage-consent/ (external link)

[9] https://ico.org.uk/for-organisations/data-protection-fee/legal-definitions-fees/#controller (external link)