GDPR for Small Businesses – A Complete Guide for 2023

The General Data Protection Regulations (GDPR) were designed to protect the privacy of individuals and give people more control over how their data is stored, collected, processed and used. The regulations came into force in the UK in 2018 under the Data Protection Act.

The Act was the UK government’s response to the implementation of the GDPR in the European Union. In practice, the UK GDPR and EU GDPR cover the same areas.

Nowadays, virtually all small businesses deal with sensitive information via the internet. No matter what type of business you run or how small or large it is, you must ensure that you safeguard sensitive information that is kept or transmitted digitally. This includes the personal details of your staff and customers, every business-related email you send, every payment that you accept, and many other everyday business activities.

All these types of activities are now governed by the GDPR. If your business deals with customers or suppliers in the UK or the EU, you must comply with the GDPR.

The UK GDPR sets out seven key principles that apply to the personal data of all EU and UK citizens. The principlesstipulate that data must be:

1. Processed lawfully, fairly and in a transparent manner in relation to individuals
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. Adequate, relevant and limited to what is necessary for the purposes for which they are processed
4. Accurate and up to date. Inaccurate data must be erased or amended
5. Stored for no longer than is necessary for the purposes for which the personal data are processed
6. Stored and processed in a securely against unauthorised or unlawful processing and against accidental loss, destruction or damage
7. Handled in compliance with the law. The controller (the business) is responsible for abide by these principles and be able to prove so.

The GDPR applies to all data that contains personal information. Personal information includes a person’s name, date of birth, address, email address, banking details and any type of health, biometric or genetic information.

GDPR also applies to data that contains details about a person’s:

• Social networking sites
• IP address
• Race
• Ethnic background
• Religious beliefs
• Trade union membership
• Sexual orientation or sex life

The GDPR is overseen in the UK by the Information Commissioner’s Office (ICO). There are significant business implications of GDPR breaches. Being found guilty can result in:

• Warnings
• Compliance orders
• Prohibition notices preventing the organisation from processing or transmitting data
• Fines of a maximum of 4% of turnover or £18m – whichever is greater

The UK government and the EU are diligent about enforcing GDPR. The ICO issued 26 enforcement actions in the first quarter of 2022 and 15 fines ranging from £2000 to £200,000.

While high-profile cases such as the £183.39 million fine given to British Airways in 2019 may lead some business owners to think they can fly under the radar, this is untrue. In fact, there is so much legal action related to the GDPR that the UK is now looking at ways to stem the flow of low-value GPDR court cases.

The 2019 case against UK charity Mermaids shows how determined the ICO is to enforce the GDPR. Although Mermaids was a small not-for-profit operation of just 18 people and acted immediately to fix the issue, it was still fined £25,000 for failing to keep personal data secure.

Another example was the case of Eldon Insurance Services Limited, which was fined £60,000 by the ICO for sending emails to customers without their consent.

If you’re a business owner that isn’t that tech-savvy, achieving GPDR compliance can seem daunting.

Follow the below steps to make sure your business is complying with the GPDR:

• Appoint a DPO or GPDR officer: A Data Protection Officer (DPO) has special responsibilities to ensure the company stays GPDR compliant. Bigger enterprises that deal with large amounts of personal data are legally required to appoint an on-site DPO. Smaller businesses need to nominate a person who is responsible for ensuring GPDR compliance
• Review how you process data: Make sure that your data processing methods are fair, transparent, and lawful
• Review your contracts: All contracts for suppliers or customers should comply with the GPDR
• Minimise data: Only store or collect the minimal amount of data required
• Have accurate data: Keep all your databases current and accurate
• Store data safely: Store your data securely in one place and ensure that confidentiality is always maintained
• Keep records: Document and record all GPDR actions so you can prove that your business is compliant
• Train your people: Provide accredited GPDR training for your staff

Get help if you need it: Many business owners enlist the services of professional IT experts to help them stay GPDR compliant. The ICO also has resources available online that you can use to check your GPDR compliance

Most responsible business owners take measures to protect the health and well-being of their staff and customers and ensure they comply with legislation around things like fire safety, manual handling and working at height. Unfortunately, many businesspeople aren’t as well informed about what they must do to protect personal data. Business compliance courses can serve as valuable resources here, providing essential cyber and data security insights. These courses help remote workers adhere to privacy regulations.

Our GPDR training course will teach you and your team how to handle and process personal data in accordance with the law. The course runs for about half an hour and can be completed online.