We talk with small and micro businesses every week. Some are clients and some are just seeking some quick advice. From this we know that the GDPR feels like an unnecessary burden or ‘yet more red tape’. We’re a small business ourselves, and we understand that owners and directors of small businesses have little time and that money can be tight. The truth is that GDPR for small businesses needn’t be a massive burden.
If you’re a data heavy business, such as a medical app start up with access to health records, then the burden will be higher – and so it should. The same is true if you are a ‘data processor’ and do things with personal data on instructions from your customers.
If this sounds like you then you should know that data protection best practice will be critically important to your credibility and winning business and will need time and money.
If you’re a small business whose personal data processing relates mainly to employee data and information about customers and maybe supplier contact details, then you can probably handle this yourself, honestly.
Fines for non-compliance of GDPR for small businesses
You may be wondering why GDPR changed the law so significantly; in truth it didn’t. GDPR was more evolutionary than revolutionary. It feels like a bigger change than it was because most organisations in the UK weren’t compliant with the old law (the Data Protection Act 1998).
This is because the potential penalties seemed much lower (fines up to £500k for example) and also because the Information Commissioner’s Office (ICO) has historically taken a ‘business friendly’ approach to enforcement.
Then GDPR came along and added some new obligations, such as the accountability principle (which forces organisations to be more proactive) and increased the potential level of fines to €20m. This in turn led to press scare stories, headlines about massive fines and commentary from people who didn’t understand what was required.
In reality, small businesses are never likely to get hit with multi-million pound fines and provided you are treating personal data with respect, not taking unnecessary risks with it, are securing it and not doing anything stupid like selling it on or using it to spam people then you’ll be fine.
You can’t go too far wrong if you treat and manage employee and customer personal data the way you would expect your own personal data to be treated. All the same, to comply with GDPR for small businesses there are some specific steps we’d still advise – and you should be able to handle most (if not all) of these yourselves using resources available on the ICO website.
Compliance with GDPR for small businesses
- Know and document the personal data you collect and process. If you don’t know what you collect, why and what you do with it then you can’t manage the risks. This is sometimes called ‘data mapping’. That sounds complex but there’s easy to follow guidance and good templates available here.
- Formalise the information in your data map to create a ‘record of processing activities’ (RoPA) as required by Article 30 of the GDPR. If you have fewer than 250 employees, you may not need to create a RoPA but we’d suggest you do and we have a blog specifically on RoPA’s here. The data map should give you what you need, and it shows you are taking accountability. The ICO has created a template you can use available here.
- Create privacy notices. These are statements that set out what personal data you collect, the purposes for which you collect it, details of who you share it with and more. For the average small business, we’d expect you’ll need a privacy notice for employees (and recruitment candidates) and for your customers at the very least. Your customer privacy notice is typically provided on your website. The ICO provides helpful guidance on what to include here and also provides a template to help get you started, available here. We also have a blog on how to write a privacy notice here.
- Make your employees aware of what is expected of them and their responsibilities. Introduce a data protection policy and issue it to employees. People often think that policies need to be long, boring documents. In reality, you can make it a short document setting out what’s required including ‘dos and don’ts’. You can include information security in the same document. Carry out some awareness training as well – good old PowerPoint is sufficient to start with – it doesn’t need to be an expensive online training package.
- Store personal data securely and restrict access. Lock paper records in filing cabinets, restrict access to data stored online by granting access to only those employees who need access for the purpose of their job. Ensure personal data is not shared internally or externally except when necessary and then think about how to secure it. Password protect documents containing personal data. Use a unique password and save it in a password manager if you can’t remember it.
- Think about how to respond to requests from data subjects to exercise their rights. The chances are you may never receive a subject access request but be prepared in case you do. Think about how you’ll collect the information and respond.
- Only keep personal data for as long as you need it. All businesses tend to keep information for longer than they need. Don’t be a martyr and think you need to delete everything immediately, but when it’s no longer needed or justified, then you should delete it. If you don’t have personal data, you can’t lose it and need to access it when responding to a subject access request.
- Register with the ICO and pay the data protection fee. It’ll probably only cost you £40 and it’s a legal requirement if you process personal data as a controller (which you will if you have employees or customers). Some types of organisation are exempt. You can learn more here.
What about other obligations?
If you think you might need a DPO or need to carry out a DPIA, then you’re likely the type of business that needs to invest more time and resources in data protection and this blog isn’t for you. If you’re not sure if this applies to you, you can learn more about DPOs here and DPIAs here.
The same applies to international transfers. If you think you share personal data outside the EEA (which is made up of the member states of the EU plus Norway, Iceland and Liechtenstein) then you’ll need to review these and ensure you meet the requirements of the law. You can learn more here.
If you need help or some quick pointers on GDPR for small businesses, then get in touch. We can steer you in the right direction or, if you need help, we can assist.