What is GDPR? Understanding GDPR compliance for small businesses

Since its approval by the EU Parliament in April last year, thoughts of GDPR (General Data Protection Regulation) have probably been looming in the mind of most small businesses and aspiring entrepreneurs. For many, the question is: what is GDPR and where do you start with GDPR compliance if you're a small business? Well, with only a few months to go, now’s the time to get prepared.

The truth is that every business will have to become GDPR compliant once the new regulation is introduced on 25th May 2018. That means GDPR compliance for small businesses is as important as it is for large corporations. Learning about what the new regulation means and ensuring your new small business is GDPR compliant as soon as possible is a must. But don’t worry. We’re here to simplify everything you need to know about the new laws and answer the questions you’ll have as a small business owner.


What is GDPR?

GDPR is a new set of regulations around data privacy with two main aims: 


1) To strengthen data protection policy by giving EU citizens more control over their personal data and what the data is used for.

2) To modernise and simplify the data regulations for businesses that operate in the EU. 


The overarching purpose of the regulation is to give power and privacy back to the people whose data is collected and often sold for money. It is also designed to encourage companies to uphold a framework that takes data protection seriously. Failure to comply will result in a harsh financial penalty (up to 4% of that company’s global turnover, which would be a huge loss for any business regardless of its size), and individuals will be able to sue businesses for compensation if they think their data has been misused or mishandled.


Does GDPR apply to me?


GDPR recognises that small businesses require different treatment from larger ones. This is why Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR compliance unless the processes the organisation carries out are likely to pose a risk to the rights and freedoms of their data subjects.

This gives the impression that a lot of small businesses won’t be affected by GDPR – but in reality, collecting and storing any category of personal data such as health data, racial or ethnic origin, religious beliefs and/or sexual orientation will mean that GDPR compliance is required by law.

If you’re still unsure of whether or not GDPR compliance is something that applies to you, then consider how often your organisation will be handling the personal data of its clients, employees and suppliers. If data processing is going to be a regular part of business procedure, then you should abide by GDPR. 


What about Brexit? 


Regardless of our impending exit from the EU, when the law comes into force on 25th May 2018, we’ll still be a member of the EU. This means we will still be obliged to comply with EU laws. It remains to be seen whether the rules will change once the UK leaves the EU, but for now, British firms will be required by law to make changes in order to become GDPR compliant. We have only an inkling of what life will be like for small businesses after the UK’s departure from the EU, but one thing we do know is what will happen if they don’t become GDPR compliant – a lot of hassle and heavy fines.


How can I ensure my business is GDPR compliant?


The next step on your journey to compliance is to learn exactly what you need to do. Here are the three key processes that all businesses should follow to ensure they’re safely ticking all the right boxes for GDPR compliance:


1. Recruit or appoint someone to handle GDPR compliance

Even if there are just a couple of people in your business, appoint a designated Data Protection Officer who should have a demonstrable and comprehensive understanding of GDPR. Currently, the regulation states that only public authorities that carry out “regular and systematic monitoring of individuals” are required by law to appoint a DPO. But even if it’s not a legal requirement for you to have a DPO, it is advisable to appoint someone to be responsible for compliance. This doesn’t have to be a full-time, in-house member of staff; for small businesses where everyone is too busy, outsourcing this role might be the most cost-effective option.

2. Introduce a company cyber security strategy

Data breaches, thefts or losses of personal data must be reported within a maximum of 72 hours. In the past year we’ve witnessed a surge in cyber attacks on small businesses all over the world. To safeguard your company against data breaches and give it the best possible chance of returning to business as usual, a company-wide strategy should be put into place that addresses where the data is kept, who is able to access it, how to identify data breaches and who they must be reported to. Introducing a comprehensive, robust cyber security strategy and bringing in a professional to educate your workforce on cyber security is a sensible investment. Check out our blog on how to spot the red flags of cyber attacks for more information.


3. Never process data without explicit consent 

Ensure that consent is explicitly given by all people whose data you hold and that you retain proof of this consent. Privacy policies must be updated to include why your company wants their data and how it is going to be used so that individuals have a clear understanding of what they are opting into. Customers must also have the option to withdraw their consent at any time. If you mishandle this data and use it in ways that the individual hasn’t approved, they can build a strong case against you.

The sooner you start prioritising GDPR compliance for small businesses, the better off your business will be. Doing nothing isn’t an option, so make sure you’re staying ahead of the game and maintaining a competitive advantage by getting GDPR compliant as soon as you can. You can find more advice tailored to the needs of small businesses in our help centre.