GDPR: A guide for small businesses

After years of discussions and developments, new data protection rules are soon to be enforced. The General Data Protection Regulation (GDPR) will be implemented throughout Europe on May 25th meaning businesses are likely to have to make changes to their activities.

While the largest companies could see the biggest fines for non-compliance (up to €20 million), as a small business owner a fine of 4% of annual turnover could still be catastrophic to your income.

So regardless of whether you are a personal trainer or a professional dog walker, the rules remain the same. Adapting your business practices to follow the new rules is not only essential, but could also be beneficial in some ways.

The full GDPR guidelines can be found on the Information Commissioner’s Office (ICO) website, but there are a number of key takeouts that small business owners should be aware of in particular.

What data do you hold?

It’s important to be clear on what personal data you hold and how you intend to use it. This information could range from people’s names, email addresses and phone numbers, to their telephone numbers and addresses.

The GDPR makes it clear that you should only hold as much data on people as you need for your business purposes, and dispose of it (safely) when it is no longer required.

This data doesn’t have to be customer information either. It could be data about your staff or suppliers you use in your business. Knowing what you have and why you have it is the first vital step to following the new rules.

If you have a website, a Privacy Policy should show exactly what information you collect about your visitors. However, just because you tell a customer you are collecting their data doesn’t necessarily give you the right to do so.

GDPR Compliance

Data and consent

Any data that you collect must be done on a lawful basis according to GDPR. There are six justifications for processing a person’s data, including ‘legitimate interest’, ‘contract’ and ‘public task’, but the most likely to apply to small businesses is ‘consent’. That means that for any identifiable information you would like to collect, such as names and addresses, you need to follow the consent protocols.

You are required to obtain consent if you intend to collect, store and process this information. This must be on an opt-in basis and cannot be assumed. You should make it clear to your customers exactly what information you are storing about them, and what contact they can expect to receive from you.

If the information you have previously collected didn’t follow the GDPR guidelines, you cannot continue with this assumption of consent after the deadline. For example, if you previously operated on an ‘opt-out’ basis, you must obtain specific and unambiguous consent by May 25th if you wish to process the data after the deadline.

However, if any consent that you have collected previously follows GDPR guidelines, you may still process that persons’ data, so long as you have documented proof that they have given this permission.

The right to be forgotten

When a person gives you consent, it isn’t necessarily final. At any time, that person can request to see exactly what information you hold about them under the GDPR. You, as a business, have 30 days to present this information to them, to avoid breaking the new guidelines.

If that person requests that you remove that information from your database, you must comply.

Once a person has opted-in to hearing from you, it must be just as easy for them to reverse that decision. If you have a website, having an ‘Unsubscribe’ or ‘Preference Centre’ where customers can manage what information you hold and what communications they will receive is a good idea.

GDPR Person at Laptop

Other things to remember

As alluded to already, documenting the fact that you are complying with GDPR is key. While data breaches may be unlikely, especially for small businesses, showing that you have precautions and processes in place should they happen, is important.

Be sure that you are taking all the precautions to prevent such breaches and have a plan in place on how you will deal with the situation, should it occur.

If you are subject to a breach, you must notify the ICO within 72 hours, sooner if possible.

Another key thing to remember is that it’s important to train any staff you may have about the GDPR. Having a procedure in place that documents how staff have been made aware of the new rules will show your business in a good light to the FCO.

Remember that if a member of staff breaks one of the regulations, it is the business as a whole, not the individual that will be punished by the FCO. Therefore, ensuring all staff are well trained in data protection is vital.

How can it benefit you?

The new rules may seem like a lot of effort is required on your part. However, follow them properly and it could even be to your business’s benefit.

By being open and honest with your customers about what information you are holding about them, trust can be built. And with that added trust comes the greater likelihood that they will use your services.

If you carry out any email marketing, a refresh of your database could also be beneficial. When you ask your contacts to opt-in once again, you are left with only those engaged customers that want to be contacted. Therefore, you are not wasting time, money and effort sending emails to those people who have no interest in hearing from your company.

Finally, by following the rules you remove any risk of your company falling foul to the ICO and the increased fines. Under GDPR the potential financial punishment has increased to €20m, so staying on the regulator’s good side is very important.

You can read the full GDPR documents here.