As a small business owner, it’s likely that you will be familiar with GDPR and data privacy laws in some way – but how exactly does GDPR affect small businesses? And what actions do SMEs need to take to ensure GDPR compliance?
For small businesses particularly, GDPR regulations apply in slightly different ways, so it’s important to understand your responsibilities. This guide covers everything you need to know about GDPR for small businesses.
GDPR: a quick overview
GDPR (General Data Protection Regulation) came into effect in 2018. Since its introduction, people’s data privacy rights have become better protected, with implications for the way that businesses are allowed to legally process personal data.
Under GDPR, businesses have to provide more transparency about how they process personal data. This includes ensuring that all data is processed with consent, clear incentives, and under lawful bases.
The organisation must also give the individual the personal data relates to access to that data, so that they can review it, request amendments, and look into how their information is processed, which the individual can challenge. Furthermore, the organisation must protect individuals’ personal data from breaches and misuse.
What is defined as personal data?
Personal data is any information that can identify an individual in some way. Under the GDPR, this data must be protected securely by any organisation that holds it.
Personal data can include:
- A full name, including any middle names and surname
- An individual's home number
- Contact phone number
- An email address
- Photographs of employees
Some personal data, such as racial or ethnic origin, is classed as sensitive information and falls into a special category. Special category data includes:
- Racial or ethnic origin
- Religious or philosophical beliefs
- Political opinions
- Genetic or biometric data
Does GDPR apply to small businesses?
Yes, GDPR applies to all businesses, no matter their size. Small businesses must comply with GDPR requirements, upholding the 8 rights that people have over their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
It does not matter whether the data is collected manually (pen and paper) or digitally, for example through the cloud. Every business must ensure that secure measures are in place to protect an individual's data from unauthorised access and misuse.
Smaller businesses usually have to handle a smaller volume of data than larger businesses, but it is still important to maintain the same data protection processes that any larger business would have.
With regard to documenting your data processing activities, there is an exception for businesses with fewer than 250 employees. For small businesses with fewer than 250 employees, documenting data processing is not required in all cases. It is only required if the data processing activity:
- Is a one-off or rare occurrence
- Could result in risk to data subjects' rights and freedoms
- Involves sensitive data relating to special categories, criminal convictions, or criminal offence information
How small businesses can stay GDPR compliant
Lawful data processing
All personal data must be processed under lawful bases in order to be GDPR compliant. The six lawful bases for data processing outline the conditions under which businesses can legally collect and use personal data. As a small business, it’s important to make sure that you and your employees are familiar with these processes to avoid hefty fines in the future.
To summarise, the 6 lawful bases are:
- Consent
- Contractual obligations
- Legal obligations
- Vital interests
- Public interests
- Legitimate interests
These processes link your data processing activities to lawfulness, transparency and fairness – which also helps develop a positive brand reputation as your business develops.
Consent
Consent is one of the six lawful bases for data processing. Consent should always be provided by the data subject in order for businesses to lawfully process their data. It is usually given through an affirmative action, such as ticking a checkbox on a consent form, where online users can opt in to data processing.
As a small business, it is important to ensure that you acquire consent for all personal data processing activities.
Any personal information that you store must be kept up-to-date, with data quality processes in place to ensure data accuracy. This is a requirement under GDPR laws, intended to ensure that individuals’ personal data is protected.
For example, if a customer changes their address without informing you, the address details you hold in your database are now inaccurate. Not only is this information of very little use to your business, it is also a GDPR requirement to rectify the inaccuracy.
Using data cleansing, many businesses routinely check their data for inaccuracies. Prefer to leave it to the experts? We offer data cleansing solutions to keep your data clean, accurate and up-to-date.
It is recommended that every small business implements data quality assurance procedures, reviewing their data for inaccuracies and outdated information. One way that we help businesses do this is with our online data management platform, Online. This lets you upload, audit and resolve data errors – keeping your data clean and accurate.
Communication and transparency
For any small business considering the best GDPR practices, it’s important to focus on using plain language. All data processing activities should be explained in simple terms, helping data subjects understand how their data will be used. For instance, terms & conditions, privacy and cookie policies on your website should be clear and transparent.
Marketing
Customers have the right to withdraw their consent and opt out of marketing activities. Even as a small business, you must provide customers with the ability to opt out. For instance, you must provide a way for customers to unsubscribe from email marketing communications. This right also applies to other marketing channels, such as direct mail marketing. Customers have the right to ask not to be included in any kind of direct marketing campaign.
Right to access
Customers have the right to access the personal data that you store about them. At any point, customers can ask to access their personal data, and businesses must respond to this request within one month. Businesses must not request a fee or charge the customer for making this request.
Reporting data breaches
A data breach occurs when unauthorised individuals gain access to any personal data that you store in your database. This is usually illegal, and results in sensitive information being shared against the individuals’ will or without their consent.
Data breaches can occur for a number of reasons. Business databases may be hacked, or personal information may be revealed due to human error. For example, if a hospital accidentally disclosed patient records to the wrong individual, this would be an accidental data breach.
In the case of a personal data breach, you must assess the severity of the situation and evaluate the possibility of risk to individuals’ rights or freedoms. If there is a risk of this, then businesses should report the data breach to the ICO.
This applies to businesses of all sizes. As a small business, it’s particularly important to be aware of the potential risks of data breaches early on, and understand how to remain GDPR-compliant in case this occurs.
GDPR compliant services
How GDPR-compliant is your small business? Stay assured that your data processing and collection practices are lawful with our GDPR compliant services. Explore our data services, or get in touch to find out more about how we can help you.