GDPR for small businesses: How to stay compliant

Blogs 17 Jun 2020

Our guide to keeping your data secure and your business safe.


It’s now been over two years since GDPR, the General Data Protection Regulation, came into force in the UK on 25 May 2018. Understanding the impact of GDPR and the importance of being compliant might seem like a big task to a small business, especially given its global scale. Whether you’re new to business or just need a refresher, being aware of the procedures you need in place when handling individuals’ data is important if you want to avoid any fines!

So, what sort of things should you be thinking about in order to ensure your business is compliant with GDPR? We’ll walk you through what you need to consider when it comes to GDPR for small businesses.

Keeping it in mind from the start

GDPR is a vital aspect of a business’ operation, so it’s something you should keep at the forefront of your mind each day.

If you’re an already established business, there are things you will have changed or implemented into your business to ensure full compliance with GDPR, and these are worth checking. This will ensure that your business is as protected as possible from any liability.

For example, you may need to check and amend any data entry forms you currently use so that they are structured differently, and so that they show that the data collected is necessary for your purposes. Or, you may have to add extra security measures, such as a stronger firewall, to ensure your data is as secure as possible.

If you’re looking to start your own business, however, then it would be helpful to prepare for GDPR early in your business planning stage. This way you can hit the ground running, without having to worry about any potential data compliance issues.

Planning what you need to do in advance will help make it easier to implement your data protection methods and policies.

The eight rights are the same for each business

One of the most important things you should keep in mind when considering GDPR is that small businesses have to adhere to the same eight rights that apply to large businesses. This includes the right for consumers to have access to the personal data you hold on them, and the right for them to object to the way you make use of their data in certain circumstances.

The main difference since GDPR came into effect is in how much you have to do to provide these rights. A small business, for instance, will generally handle a far smaller volume of data than a large business. Even though the volume may be less, you still need to have the necessary procedures in place to be able to protect individuals’ data and to deal with their requests, as per the requirements of GDPR.

GDPR affects the way your business operates. It might be that you have reviewed the details in your privacy policy to make it clear that the individual has the right to object to, or withdraw their consent to, your processing of their data. The collection and usage of data should be transparent and secure. Since GDPR came into effect, customers have greater rights in controlling how you use their data.

For example, if you only hold a small amount of personal data on your customers, a simple secure database might be enough to keep the data easily accessible and readable. This should also make it easy to amend if someone requests that you update or delete their information from your records.

Do I need to hire staff to look after GDPR in my business?

It’s important that you take the necessary steps to become and remain compliant, or face penalties. If you’re a new business, you should be reviewing the roles that everyone will undertake.

Public authorities and businesses that carry out large-scale monitoring or large-scale processing of certain types of data are required to appoint a designated data protection officer (DPO). It should be noted that this isn’t a requirement for most small businesses.

That said, it might still be beneficial to take the principle on board, so that it’s easier to comply with GDPR. Hiring a staff member is one option, but it might be more effective to reshuffle your existing staff roles so that one or two staff members handle the majority of your business’ data-related obligations. If you do decide to do this, it’s advisable to make sure they are properly trained and fully aware of the different aspects of GDPR. This should give your business an easier time handling data and the GDPR regulations going forward.

How can FSB help your business with GDPR?

GDPR has affected many businesses since it was introduced, from new responsibilities and expanded customer rights, to the time and costs needed to implement and maintain any changes to your business.

So, it’s a good idea to have a professional on hand to help you.

FSB members have access to our Legal Hub, which is home to expert resources and guidance on everything you need to know about data protection, giving you peace of mind that you’re staying compliant.
