
How could GDPR affect my business?

  • Blog
  • 12 October 2017

The General Data Protection Regulation (GDPR) will replace the current Data Protection Act in May 2018. If you process personal data, it will apply to you. But how exactly could GDPR affect your business?

From new business responsibilities to the impact of time and costs, we explain the effect GDPR could have and what you should know so you can start preparing.


Your business responsibilities

Different businesses store a lot of personal data, from banking information to phone numbers, emails and home addresses of their employees, customers, contractors and prospects.

GDPR will see individuals have more control over their own personal data. This means that when handling an individual’s personal data, you will have a responsibility, as a business, to meet their rights.

Individuals will have eight rights. These are:

  • The right to be informed how you use their personal data
  • The right to access their personal data
  • The right to be forgotten and have their data deleted in specific circumstances
  • The right to data portability to transfer their data to another service provider
  • The right to have information corrected if it’s out of date, incomplete or incorrect
  • The right to object to, or stop, their data being processed on certain grounds
  • The right to restrict processing, meaning they can request that their data is only kept on file and not used for processing
  • Rights in relation to automated decision making and profiling, meaning that in some cases individuals have the right not to be subject to a decision that is based on an automated process.

To allow all of these rights, you should make sure your business has the right processes in place to respond and react effectively, without your company being affected. You can learn more about individuals’ rights in our article How to prepare for GDPR.

Your company processes

Many people class GDPR as an IT issue, which mainly concerns your computer systems and how you store personal data. This includes business processes such as how your client files and passwords are stored. However, it could also affect other processes across your business, from project management to networking.

Projects – When starting a new business project, you should consider data protection, such as if the project will involve information about individuals. If a project involves processing personal data you’re likely to have to conduct a privacy/data impact assessment to determine any possible risks and how they should be addressed.

Sales and marketing – You should make sure your sales and marketing processes are compliant with GDPR, such as opt-in and opt-out rules, email marketing best practices and tracking online behaviour. Even if you use data from an outsourced company, you’re still responsible for getting the consent information.

Records – You must be able to prove an individual has given consent to receive communication from you, such as a newsletter. This includes an audit trail to show what they have opted into, how and when.

Security – You should ensure your business security systems are equipped to spot and react to breaches quickly, as certain breaches must be reported to the Information Commissioner’s Office within 72 hours. In some cases you also have to inform those individuals affected by the breach.

Networking – You should be cautious about how you collate information when networking. While you can still meet a potential client, ask for their business contact details and arrange to meet for a coffee, for instance, you can no longer then just add their details to your company mailing lists without compliance with the regulations.

Time and staff

Making changes to your business’s work processes to meet GDPR guidelines is likely to take time. This is time that would otherwise be spent developing other parts of your business.

You’ll also need to react quickly to an individual’s request to, for instance, access or remove their personal data from your records, stop their data being processed, or be provided with details of their personal data. Ensuring you can do all this is likely to be time consuming, which could affect a small business where time might not be available. It’s therefore important to start planning ahead now to make time available for any necessary changes to your processes.

Most small businesses will not have to appoint a Data Protection Officer (DPO). Determining whether or not you need to recruit a DPO isn’t about the size of your business or its turnover. It depends on whether you process vast amounts of personal data and what you do with it. Recruiting a DPO applies to a business if it:

  • Is a public authority
  • Regularly carries out data monitoring of individuals on a large scale. This includes market researchers and companies that carry out online behaviour tracking
  • Carries out large-scale data processing across special categories, for instance, relating to criminal convictions and offences

Regardless of all this, you can still appoint a DPO. If your business is part of a partnership, you can also appoint a DPO to cover both companies. If you choose not to appoint one, you must still make sure staff are aware of GDPR, are trained and have the right skills to handle it.

If you do appoint a DPO, that person will be responsible for making sure the personal data processes, activities and systems in your business all meet the requirements of the law.

Costs and fines

The changes you’ll have to make to your company for GDPR could have an impact on your business costs. These could include costs associated with the time you spend putting the necessary processes in place and costs to train your staff. So it’s important to plan in advance and consider your business finances to ensure you can cover such costs.

Businesses need to comply with the new regulations or run the risk of receiving a sanction, including fines. Fines could be as much as 4% of your annual global revenue or €20 million, whichever is greater. This could be detrimental to your business.

How we can help you prepare for GDPR

GDPR could affect your business in many different ways, from taking on new responsibilities to give your customers their new rights, to the time and costs needed to make changes to your company. So it’s a good idea to use a third-party expert to help do the work for you.

FSB members are supported with advice and guidance to develop simple step-by-step plans to prepare their business for GDPR and maintain compliance.

FSB Business Essentials members have access to:

  • Telephone advice line to ask questions about GDPR compliance
  • Online fact sheets and checklists for different areas of small business GDPR
  • Instructional videos, which include an overview of GDPR
  • Third-party insurance on data protection

To find out more about how we can help your business with GDPR compliance, please visit our FSB Legal Hub and FSB Cyber Protection pages. The services are included as standard with our Business Essentials package. Please take a look at our product comparison page to find out about the benefits of this and our other packages.

Cyber Protection from FSB

FSB Cyber Protection includes an insurance policy with cover of up to £10,000 and an unlimited use helpline to answer all your Cyber Security questions.
