A Guide to GDPR for Small Businesses

Since the 25th of May 2018, all organizations – regardless of their size or location – that process personal data for EU citizens are subject to the General Data Protection Regulation (GDPR). And in that aspect, you will find that even the smaller businesses do maintain a database for their employees, customers, or business associates, and so, they are also required to comply with the new GDPR regulations. By processing personal data, what we basically refer to is any form of activity performed on personal data, including collecting, storing, sharing, modifying, or deleting the data, and most small businesses in the UK do this. Now, in this article, we will take a look at GDPR guidelines for small businesses, plus what the business owners can do to ensure full compliance.

What does GDPR mean for small businesses?

Practically, the way in which the GDPR regulations affect large organizations is similar to what the regulations mean to smaller businesses. As long as the business processes personal data for people in Europe – data that can be used to identify them – then the business is subject to the regulations, regardless of how the data is maintained. Having said that, here are some of the main effects of the regulations on small businesses:

Consent – the new regulations meant that businesses don’t necessarily need consent to process personal data. Being one of the six lawful bases of GDPR compliance, plus the complexity of obtaining and maintaining the consent, it should be applied only when the other bases don’t apply. And when it comes to obtaining the consent, the business must get a clear and affirmative action such as putting the consent on paper to refer to just in cases conflicts arise.

Marketing – when it comes to marketing, small businesses can now market to anyone, provided that the processing of data meets certain guidelines. For starters, when accessing the information, make sure that it is as per the laid out lawful bases. Secondly, in using the data in your marketing, make sure that you do so in a manner that minimises the impacts on the subjects’ privacy, and last but not least, you must be reasonably sure that whatever it is that you are doing, the data subjects won’t object. And if the processing is subject to the Privacy and Electronic Communications Regulations, you must inform them about your plans.

Right to access – as you may know, GDPR regulations did give data subjects the right to access any of their data being processed by businesses. So, this means that if any of the data subjects request to review the data that they have already submitted, the businesses must allow it.

Data breach – in case of any data breach, the small businesses must report it within 72 hours from the time they knew of it. Cyber attacks are pretty common these days, and in order to mitigate the risks, be sure to inform the relevant agencies ASAP.

How can the businesses comply with the GDPR regulations?

When it comes to compliance, here are a few things that small businesses could do to ensure that they are compliant with the GDPR regulations:

Auditing the dataauditing the data that your business maintains is very crucial as it will enable you to make informed decisions on how to comply with the laid-out regulations. During the audit, some of the main issues that need to be looked at include;

  • Where the data is stored
  • The kind of data being processed
  • What are the lawful bases for processing data?
  • Who can access the data
  • For how long has the data been retained?
  • And, are there any technical or organisational controls for data processing data?

You must address all these areas, as it will help you decide on the best cause of action to take for your business towards GDPR compliance. Also, it is recommended that small businesses need to carry out data protection impact assessments before processing personal data so as to ensure that data protection is in place, both by default and also by design. It will also help the businesses in identifying any risks the data subjects may be exposed to as a result of the data processing.

The businesses must also audit their service providers – the truth is, as per the GDPR guidelines, it is important that you figure out whether your service providers are compliant with the guidelines before you even get into business with them. This is an area that a lot of small businesses overlook, and it’s where significant risks reside. So, for this reason, it is important that you carry out an audit on your service providers, particularly those that process personal data on your behalf. You will need to review and sign agreements with the providers. Remember, under the new guidelines, the controller is obliged to sign contracts, and it’s these contracts that guide the data processor. Keep in mind that if any of the service providers are not compliant with the GDPR guidelines, then, any work that they carry out relating to your data subjects will be deemed non-compliant, and that means it will put you, as the data controller, at risk of being penalised.

Must meet data subjects’ rights – the GDPR guidelines did introduce a few rights for EU citizens with regards to their data: one of them being the right to erasure, and secondly, the right to portability of their data, the right to rectification and restriction to processing, and also the right to receive a copy of their personal data. Small businesses in the UK must facilitate all these rights, and since there may be many requests from the data subjects, the businesses must have procedures in place to deal with each and every request. Failure to do this translates into a violation of GDPR guidelines, and that means your business will be penalised.

Controllers and processors – under the new GDPR guidelines, there is a data processor and a data controller, and you have to determine which one you are. In simple terms, a data processor is a business that does process personal data on behalf of the data controller, whereas a data controller is the one that determines the manner in which personal data is to be processed. Both the controller and the processor are affected differently by the GDPR guidelines, and we must also note that a business can be both. Something else is that a data controller can have multiple processors under the new guidelines, and the processor can also delegate processing to multiple sub-processors. But, it is the data controller who will be held responsible for the actions of the processors that they work with. So, it is important that the business (controller) select processors who are not only compliant with the new GDPR guidelines, but also ones that they can trust. Must sign data processing agreements with them, which will govern the relationship between the controller and the processors, as well as the sub-processors. This agreement must cover all aspects of data protection governance as detailed under the GDPR law.

What are some of the penalties for non-compliance?

Let’s face it, the enforcement procedures, as well as the penalties associated with non-compliance of GDPR guidelines, are most certainly the aspects keeping small business leaders on their toes, paying close attention to their data processing procedures. Non-compliance is met with hefty penalties that could potentially run into millions of pounds. To be precise, penalties fall under two categories; 20 million pounds or 4% of the business’s annual turnover – whichever is high. Other than these penalties, data protection regulators might stop any data processing activities from being carried out from that point onwards.

Also, we can’t ignore the fact that being penalised will, of course, create so much attention from the public, which means that the business will incur massive reputational damage, which could in fact be more severe compared to the penalties themselves. To make the matters worse, your competitors will be prepared to use GDPR non-compliance as a competitive advantage to surpass you in the market.   

Is hiring a Data Protection Officer necessary?

In some cases, it is absolutely necessary for businesses to recruit a Data Protection Officer (DPO), as it’s set out under article 37 of the new GDPR guidelines. Since it’s most likely that every aspect of your business operations will be affected by GDPR, it is going to take a lot of hard work to ensure full compliance, and quite honestly, it is recommended that you assign all the work to one person, rather than have multiple employees deal with it. The individual you will assign the work to is referred to as a DPO and will be one whom you can hold responsible if anything was to go wrong. If your business is based outside of the EU, but you still process data for EU citizens, you will be required to hire a representative based in the EU to facilitate regular communications with the regulatory agencies.

Final thought

As we conclude, we can tell you one thing for sure, compliance with GDPR is crucial to small businesses as it is for multi-national corporations. And having a DPO handle everything for you will certainly give some peace of mind, given how critical it is to abide by the new guidelines. And remember, you can’t use lack of knowledge as an excuse for why you are not compliant. If anything, you must look at how you process data, whether you are a processor or a controller, and ensure that you have proper policies in place, governing the process. Also, you must have safety measures in place to protect personal data from data breaches, and in the unfortunate event it occurs, you must have procedures in place dictating how to handle the situation.

Leave a Comment

Your email address will not be published. Required fields are marked *