1. GDPR and the small business

Want to watch this video? Sign up for the course here. Or enter your email below to watch one free video.

Unlock This Video Now for FREE

This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.

Sign Up

GDPR applies to anyone who is processing personal data for business purposes, regardless of whether they are a sole trader or they are a small, new, limited company. 

The business or self employed individual who decides how and why the data is processed is the Data Controller and all of the General Data Protection Regulations and accountability complying would be there responsibility.

Businesses who are starting up have an advantage in as much as they can set up all of their processing activities to comply with GDPR, established businesses may need to adapt systems they have had in place for many years, even though they may well have complied with all of the old Data Protection Regulations, there may be some changes that need to be made. 

During the start up process new businesses owners can consider the data they need to collect from individual's and how they are going to obtain that data, they will need to decide how long they need to retain the data and who they may share it with.  By documenting their decisions from the start they will have a full data inventory to help them to create their Privacy Policy.

They will also need to decide what online systems they are going to need, examples may be Customer Relationship Management systems, accounts systems or web based mail systems.  

A new business can make sure that any online software or system they choose meets all of the requirements under GDPR and have adequate safeguards in place.  This is a great advantage over established businesses who may need to change over to a new online system if it is not possible for the one they are currently using to meet the general data protection regulations.

Examples of "Personal Data" in relation to a small plumbing business would be their customer's names, address, email and possibly bank information.  

An online retailer would hold personal data to enable them to send goods that have been purchased and take payment for those goods.

In both of the examples above the businesses hold the individual's name and address, this information makes the person identifiable and it is therefore deemed to be personal data. 

Personal data is data that identifies, either on its own or with other data, a living individual. 

When an individual provides you with personal data their data should be held securely, they don't expect you to lose it or sell it or do anything that abuses their trust.  In short you should only use their data for the purpose they provided it for.

All organisations that process data for any business purpose must tell individuals exactly what they are going to do with their data.  This is done by providing them with a well written, clear and concise Privacy Policy or Privacy Statement.

The Privacy Policy or Statement should provide information about the name of the business (Data Controller) and who to contact about data protection with a complaint or query if they need to. Other information that should be provided includes:

  • Your purpose for processing their data (for example to provide goods)
  • Your lawful basis for the processing (for example: contract, consent, legitimate interest)
  • Your legitimate interests for processing (if this is your lawful basis you will need to explain what your legitimate interests are)
  • The source of the data collected (if it was from a third party not the individual)
  • All of the categories of personal data (contact information for example) if the personal data is not obtained from the person it relates to
  • Who you may share their information with
  • Details about any transfers to third countries or international organisations (if this applies)
  • How long you will hold or store their data (retention period) this should be set out in your retention policy
  • The rights available to the individual  (for example, right to access, right to object)
  • The right to withdraw consent (for example from marketing)
  • The right to lodge a complaint with a supervisory body (including link to the Information Commissioners Office website)
  • The existence of any Automated Decision Making including profiling (if this applies it would be due to solely automated decision making for example a site that has automated decision making for loans)

If you have a website you should have a Privacy Policy on the site that is easy to locate, emails should include a link to your privacy policy to make it easy for customers and individuals to access it.  If you don't have a website, privacy policy information should be made available when you first contact an individual by attachment to an email or enclosed with written correspondence.

When setting up a new business you need to be aware of the General Data Protection Regulations.  The ICO website contains a lot of information for all businesses it is free and will provide you with guidance, below is an example of the steps you should consider:

  • Register with the ICO 
  • Pay the registration fee - (this is approx £40 for small businesses)
  • Make a list of the personal data you will need to collect from your customers
  • Identify your lawful basis or bases for processing the data you collect ( there is an interactive tool on the ICO website to help you)
  • Decide how long you will need to hold the data for and create your retention policy
  • Make sure any online systems you will use (for example customer relationship management or accounts systems) comply with GDPR
  • Make sure that you have listed any company or organisation you will share the data with (and that you have suitable agreements in place)
  • Create your Privacy Policy
  • Create a data breach register and a policy for dealing the them
  • Create a register to make a note of all subject access requests and a policy for dealing with them
  • Make sure that you and any staff have adequate training and understanding of the privacy principles and data subjects rights

As a new business, what does it cost to become GDPR compliant?

All businesses are different and there is no "out of the box" system that can make you GDPR compliant.  Ensuring that you understand the privacy principles and apply them will go a long way to helping you remain compliant.

There is a lot of information and help available to businesses on the Information Commissioners website and they have a helpline if you have any questions or need clarification. Information Commissioners Office