The introduction of the GDPR has been described as the most important change in data privacy regulation for 20 years. So, how could it affect your small business?

Will my business be affected by the GDPR?

Under the GDPR, “personal data” is defined as: “Any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify [them].” This could be:

  • their name
  • a photograph of them
  • their email or postal address
  • bank account details
  • medical information
  • an IP address

The GDPR applies if the data controller (i.e. the business or organisation that decides why and how personal data is collected and used), the data processor (i.e. the business or organisation that processes data on the controller’s behalf) or the data subject (the person to whom the data refers) is based in the EU.

Even if a controller or processor is based outside the EU, the GDPR will still apply if they collect or process data relating to people in the EU in order to offer them goods or services or to monitor their behaviour.

Under the GDPR, controllers must ensure that personal data is processed lawfully, transparently and for a specific purpose, after which – if the data is no longer required – it must be deleted. 

The GDPR will apply to all businesses that store and process the personal data of data subjects living in the EU. So, UK companies collecting or processing personal data must comply with the GDPR, because the UK will not leave the EU until after it takes effect in May 2018. And according to the ICO: “The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.”

Even after the UK leaves the EU, UK firms collecting or processing the personal data of people living in the EU will have to comply with the GDPR.

What if I don’t comply with the GDPR?

If your business does not comply with the GDPR, it could be fined up to €20m or 4% of its worldwide annual turnover, whichever is higher, for the most serious infringements. A lower tier of up to €10m or 2% of turnover applies to other breaches, such as failing to keep adequate records or failing to report a data breach.

The size of a fine will be determined by a range of factors including: 

  • whether the infringement was intentional or negligent
  • whether adequate steps were taken to mitigate the risk and the damage
  • the type of personal data involved
  • how many people were affected
  • how much damage they suffered
  • how long the infringement lasted
  • how the ICO found out about the infringement

Under the current Data Protection Act 1998, the Information Commissioner’s Office (ICO) can impose a penalty on a data controller (which could be a small business) of up to £500,000; the GDPR raises that ceiling substantially. You can appeal against either the penalty itself or the amount. Fines are paid to the Treasury, not the ICO.

Steve Wood, ICO Deputy Commissioner for Policy, warns of other damage that your business can suffer if it fails to manage customer data properly. “Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances. That goes way beyond increased fines – think brand damage and a subsequent loss of custom,” he explains.
Will my business be in breach of the GDPR?

The GDPR: “what if?” scenarios

What if I only collect customer email addresses?

Email addresses can be used to identify a person, so the GDPR applies. If you market your business by email, you must comply with GDPR requirements. When collecting customer email addresses, not only will you need their consent, but you’ll also need to explain how the data will be used. You cannot use a ‘pre-ticked’ opt-in box on your website, and you cannot use the addresses to promote products or services beyond the purpose for which the customer originally gave their consent.

What if someone else processes the data my business collects?

As the data controller, under the GDPR you must ensure that you have a written contract with each processor that meets the GDPR’s requirements, whether the processor is based in the EU or not. The GDPR also applies to cloud-based data storage services if the controller, processor or data subjects are EU-based. In any case, as an EU-based business, if you collect personal data, the GDPR applies.

What if I want to continue sending marketing materials to people on our existing marketing database?

You will not necessarily have to refresh existing consents, but you do need to check how each consent was obtained. If existing consents do not meet the GDPR standard, you’ll need to seek new ones that do. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action.

What if a customer asks me what data I hold about them?

Under the GDPR, a customer has the right to know what information you hold about them and how it’s processed (the right of access). They can ask you to correct it if it’s inaccurate (rectification), and they can ask you to delete it if it is no longer required for the purpose for which consent was given (erasure).

What if I only store personal data in a manual filing system?

The GDPR applies to automated processing of personal data and to manual filing systems where “personal data is accessible according to specific criteria”. According to the ICO: “This could include chronologically ordered sets of manual records containing personal data”. So the GDPR can apply even if you only store customer addresses in a paper-based filing system.

What about customer personal data I collected years ago?

If you used an online campaign to collect email addresses from people who wanted to receive your newsletter, but you no longer use them for that purpose, delete them. Holding personal data you no longer need is itself a breach of the GDPR, and if someone hacked into your system and used the data for phishing (i.e. fraudulent emails that try to get people to reveal their passwords or card details), you could be severely fined.

How can I find out more about complying with the GDPR?

The website of the Information Commissioner’s Office (ICO) features a considerable amount of information aimed at helping businesses to comply with the GDPR.

The ICO recognises that GDPR compliance can be a challenge for small businesses. The Information Commissioner, Elizabeth Denham, says: “All organisations have to get ready for the new data protection rules, but we recognise that the 5.4 million small businesses in the UK face particular challenges.

“[They] want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start. They may have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do.”

The ICO has also launched a new phone line that offers additional, personal advice to small businesses. All you need do is call 0303 123 1113 and select option four to speak to support staff. According to the ICO: “As well as advice on preparing for the GDPR, callers can also ask questions about current data protection rules and other legislation regulated by the ICO, including electronic marketing and Freedom of Information.”

The Federation of Small Businesses has also published information about the GDPR, how to prepare for it and how it could affect small businesses. The Forum of Private Business has also published a guide to the GDPR.

Next Steps

Find out more about the GDPR from the ICO: there is a wealth of information and advice about what you need to do, including its guide “Preparing for the GDPR: 12 steps to take now”.

Keeping your business data safe and secure: even the smallest business can hold masses of data which, if lost, would at the very least be inconvenient and at worst disastrous.