GDPR simplified: An easy guide to data protection for small businesses

David Woodfield
By David Woodfield, Chief Growth Officer

Most businesses —  large or small — will need to comply with the GDPR. Since coming into force in May 2018, it’s been instrumental in changing the way businesses interact with their customers day to day.

Designed to strengthen the rights of EU citizens, GDPR aims to strengthen and unify data protection and give users more control over their personal data.

In this guide, we break down how GDPR is an important part of protecting your business.

What is GDPR?

The General Data Protection Regulation, or GDPR for short, is a data protection scheme that applies to any business that has been established in the EU. The regulations also apply to companies across the world that target or collect data relating to EU citizens by offering goods or services. 

Most UK businesses and organisations whose activities involve regular and systematic monitoring of data will have to employ a Data Protection Officer (DPO). Their job is to make sure that the company complies with any obligations that have been imposed under GDPR. 

What are the 8 principles of GDPR?

Designed to be the foundation that every organisation should follow, there are eight principles of data protection practices. To ensure that companies are following GDPR compliance, these eight rules should be followed closely.

1. Lawfulness, fairness and transparency

As an organisation, you must have legitimate grounds for collecting data. It mustn’t be used in a way that would negatively impact someone or be used in a way that wouldn’t typically be expected such as collecting health data if you run a cafe. 

Businesses should also ensure that users can clearly understand what they’re signing up to and how their data will be used when handing over their personal information. This principle states that organisations must use language that is clear, accurate and easy for people to understand.

2. Purpose limitation

You must be open about the reasons for obtaining personal data and its planned uses. Any data that is collected should only be used for its original intended purpose and it shouldn’t be used to market other companies to their customers. 

Genetic and biometric information, such as height, weight, or health conditions, are considered sensitive data. Businesses can only request and obtain this information if it’s required for a relevant purpose. 

Customer data also shouldn’t be passed onto any third parties unless the customer has given their consent. Prior to GDPR, you could put ‘Send me marketing messages’ that were ticked by default. Now, the user has to ‘opt-in’ instead.

3. Data minimisation

Many organisations hold enormous amounts of data for various reasons and purposes, whether it’s marketing, monitoring, or research. The Data Minimisation principle ensures that all data held is relevant, adequate and limited to its intended purpose.

Organisations need to evaluate the relevance of any data that is stored and any data held has to be limited to only what is required. To decide whether or not data is relevant, you may need to consider:

  • The content of the data — is it about an individual or their activities?
  • The purpose you will process the data for.
  • Any effect or results on the individual from processing the data.

Any irrelevant information must then be securely and safely deleted.

4. Accurate personal data

For any data that is being held, reasonable steps must be taken to keep the information accurate and up to date. If any information is inaccurate, this must be updated as soon as possible.

Organisations shouldn’t wait for customers to inform or update their information. Instead, they should be active in ensuring that all information they hold on individuals is up to date and relevant. 

5. Retaining personal data 

Limiting the time in which data can be held makes it easier to manage and provide personal information if customers or individuals request it. 

To comply with this principle, organisations will have to ensure that the movement, storage and retention of personal data is under strict control. 

6. Individuals rights

GDPR  has expanded the rights of individuals to have access to their personal data. This includes how data can be obtained from organisations, what data is stored, and how it’s used. 

A new change that was implemented with GDPR was the “right to be forgotten”. It means that organisations have to remove content from their databases if an individual requests it.  

7. Information security

To ensure that personal information is kept safe and secure, businesses should take proper security precautions. They’re required to put in place adequate protection measures like anti-malware software and data encryption. 

Businesses are also advised to provide training on cybersecurity, data protection and the encryption process so staff can be fully up to date with procedures and know the correct measures to take. 

8. International transfer of data outside of the EEA

Information should not be shared outside of the European Economic Area (EEA) to any country that does not share the same level of data protection. Any data that is transferred outside of the EEA from an organisation — like to the US or China —  must receive explicit consent from their customers for their personal information to be transferred. 

The GDPR can still hold a company liable, even after any data has been transferred to another company. 

What data can I legally collect?

By law, you can collect, store and process personal data. The type and amount of data collected will depend heavily on the reason for processing it, its intended use and the organisation that you run. 

Organisations can legally collect data on:

  • Biographical information — This includes current living situations, date of birth, phone numbers, email addresses and National Insurance numbers. 
  • Physical appearance and behaviour — Including eye colour, weight, hair colour and character traits.
  • Workplace data and information about education — Information on your salary, tax information, job title and sector and student number or repayments. 
  • Private and subjective data — Religion, political opinions and geo-tracking data.
  • Health, sickness and genetics — Medical history, hospital stay, information about sick leave and genetic data.
  • Websites, cookies & web beacons — Many websites use cookies and web beacons that pull in data from multiple sources. These allow organisations to track a visitor's browsing history even after they’ve left the page.
  • Email, apps & third party trackers — Apps embedded with third-party trackers utilise data for targeted advertising, location tracking and even behavioural analytics. Email tracking allows companies to learn when a recipient has opened an email, at what time, and on what device. 
  • Data and AI tools - If AI is used with data, it should only process the minimum personal data needed for each purpose - including data quantity, processing extent, storage duration, and accessibility. This means you need to limit what you do with AI so it doesn't breach GDPR.

What data isn’t allowed under GDPR?

Under the GDPR, there are several exemptions of what data can’t be collected. This includes:

  • Journalism, Research and Archiving — This applies to records that contain personal information about identifiable living people.
  • Health, Social work & Education — This exception can apply if you look after someone under the age of 18, as well as restricting health professionals from disclosing health data. 
  • Crime and Taxation — Meaning criminal history and offences as well as the prevention and detection of crime.
  • Finance, Management and Negotiations — Applies if you process personal data in connection with a corporate finance service.
  • Regulation, Parliament and the Judiciary — For the purpose of processing personal data in the function of discharging the Legal Services Board.
  • References and Exams — This can apply to personal data in exam scripts e.g speaking tests for language exams, as well as exam results.
  • Subject Access Requests — If you’re processing data to safeguard national security including international co-operation, protection against threats and targets.

What must I do with data after I’ve collected it?

When you’ve collected personal data, it’s key that you store it correctly. It’s recommended that all data be pseudonymised or end-to-end encrypted — especially if this data is highly sensitive. 

Services like Hashicorp and Thales offer data encryption. 

What happens if I breach GDPR regulations?

The UK GDPR states that organisations must report personal data breaches within 72 hours of becoming aware of the breach. This must be reported to the relevant supervisory authority if it’s likely to result in any high-risk data being leaked. 

Not all GDPR infringements lead to data protection fines. The Information Commissioner’s Office (ICO) can instead:

  • Issuing warnings and reprimands
  • Impose a temporary or permanent ban on data processing for the organisation
  • Suspending any data transfer to third countries
  • Ordering the restriction, rectification or erasure of data

If you do breach the GDPR regulations, there is a maximum fine set to £17.5m or 4% of annual global turnover for any infringements. 

You can read about how you can protect your business against legal costs in the UK with our guide to legal expense insurance. Find out how to protect your company if you need to pay compensation to clients with our professional indemnity insurance guide

How to check your business is GDPR compliant

To check if your business is following the GDPR compliance guidelines, we’ve compiled a handy GDPR checklist so you can easily tick off each step.

  • Identify your lead authority — If you do operate in more than one EU country, you’ll have to appoint someone to oversee your compliance.
  • Communicate with your team — Train your staff in GDPR compliance. Share the key points with your staff and colleagues.
  • Conduct a data audit — Assess the categories of data you hold, where it comes from and the lawful basis for its processing. Use a data map, which is the process of discovering and classifying data, to follow and identify any risks in your data proceedings. 
  • Undertake a risk assessment — Establish a risk assessment plan that clearly identifies, analyses and determines ways to control any risks. 
  • Check storage security — Ensure that all the data you keep is password-protected and end-to-end encrypted. Review who has access to this data; ensure that they are aware and up to date with data protection.
  • Review your privacy policy — You must review your privacy policy for anyone seeking information about your reason for collecting their data. This must be clear, concise and easily outlined. 
  • Plan for data breaches — If you do suffer a data breach, it’s important to have planned ahead. Have a system in place and a person who is responsible for dealing with data breaches. 

What influence does AI have on GDPR?

AI technology is influencing every sector and this is no exception when it comes to compliance. Some companies are even building their own AI models to manage data. But because many of these systems use so many (sensitive) customer details they throw up a lot of privacy concerns.

Imagine if AI was able to identify everything about you based on the information from your Amazon account, or predict your exact behaviour. This doesn't fall in line with GDPR guidelines and could cause havoc if data like this were leaked as a result of a data breach. 

The tensions between AI's capabilities to improve processes and analysis conflict with the current guidance of GDPR limitations, specifically - consent, identification and volume of data processing.

One thing is for certain if you're using AI within your business - GDPR still applies, and it's your responsibility to clue up on the latest government guidance and keep your data safe.

Are small companies exempt from GDPR?

No. There is no GDPR exemption for small businesses. Small companies still need to comply with GDPR even if they have less than 250 staff members. To find out more about what makes a business an SME, check out our guide to what makes a small business.

Do small businesses need to pay data protection?

Yes, all businesses that process any personal information should pay the data protection fee each year. The fee is billed to your company no matter the size of your business but not everyone has to pay the same amount. This film needs to be paid to the Information Commissioner's Office (ICO). You can find out more at ICO.org.uk

Data protection for small businesses

While understanding GDPR and its compliances can sometimes feel overwhelming, it’s important that you put the proper guidelines and measures in place should you ever suffer from a data breach. 

Following our checklist, knowing what data can legally be collected, which data can’t be collected and how to properly store any data is important for small businesses.

Get in touch with the Bionic team to discuss your needs or get more information on business insurance today.