GDPR for Small Businesses

Posted by Matt Green on 15 Sep 2023


GDPR fines for small businesses can run into millions. But a handful of practical steps will put you on a sound footing with this complex regulation.


The General Data Protection Regulation (GDPR) is an EU law on data protection and privacy that protects every individual located in the European Union (EU) and the European Economic Area (EEA), whatever their nationality.

It aims to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by applying one set of rules across the EU.

The GDPR applies to all organisations, regardless of size, that collect or process the personal data of individuals located in the EU. It also reaches businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour. This means that even a small business operating solely in its home country may need to comply with the GDPR if it collects or processes the personal data of people in the EU.

Why is GDPR a big risk for small businesses?

The GDPR is a big risk for small businesses because it can impose significant fines for non-compliance. The maximum fine for the most serious violations is 4% of the organisation's total worldwide annual turnover for the preceding year or €20 million, whichever is higher; a lower tier of 2% or €10 million applies to breaches of obligations such as record-keeping and security.

This means that even a small business could be fined millions for a GDPR violation.

Data breaches also have other negative consequences for small businesses:

  • Damage to reputation
  • Loss of customers
  • Legal challenges
  • Regulatory investigations


5 Key GDPR issues for small businesses

The GDPR can be a complex regulation for small businesses to comply with. However, several resources are available to help businesses understand and implement it. These include the European Commission's GDPR guidance, the ICO website, as well as our GDPR blogs and free training aids.

1. Understand what personal data you collect and process

Assess your data processing activities. This will help you identify the personal data you collect and process, the purposes for which you collect and process it, and the lawful basis for each purpose. Recording this in a simple register is the starting point for every other obligation below.

The GDPR defines personal data as any information relating to an identified or identifiable natural person (a "data subject").

This includes information such as name, address, email address, phone number, and online identifiers such as an IP address. The GDPR applies stricter rules to "special category" data, such as information about health, sexual orientation, religious beliefs, ethnic origin, and biometric or genetic data, which may only be processed under the specific conditions of Article 9.

As a rule of thumb, never collect data unless you need it for a stated purpose, and delete it once that purpose is served. This is the data minimisation principle, and the less personal data you hold, the less there is to lose in a breach.


2. Establishing a lawful basis, including consent where you rely on it

The GDPR requires businesses to have a lawful basis before collecting or processing personal data. Consent is one of six lawful bases; the others include performance of a contract, a legal obligation, and the business's legitimate interests. Where you do rely on consent, it must be freely given, specific, informed, and unambiguous, given by a clear affirmative action such as ticking an unticked box, and as easy to withdraw as it was to give. Burying consent in a privacy policy or using pre-ticked boxes does not count. Your privacy policy is still required, but its job is to tell people what you do with their data, not to obtain their consent.


3. Keeping personal data secure

Businesses must take appropriate technical and organisational measures to keep personal data secure. This includes measures to prevent unauthorised access, use, disclosure, alteration, or destruction of personal data. Article 32 names pseudonymisation and encryption of personal data as examples of such measures. In practice, for a small business this means strong, unique passwords with multi-factor authentication on every account that can reach personal data, encryption of data at rest and in transit, access restricted to the staff who need it for their job, and tested backups. If a breach does occur, you must assess it and, where it is likely to pose a risk to individuals, report it to the supervisory authority within 72 hours of becoming aware of it.


4. Providing data subjects with their rights

The GDPR gives data subjects a number of rights, including the right to access their personal data, the right to have it rectified, the right to have it erased, the right to data portability, and the right to object to its processing. Ensure that you communicate these rights to your data subjects in your privacy notice.

Businesses must be able to act on these rights when a data subject requests it. This includes responding to requests for access, erasure, and objection, normally within one month of receiving the request. You can only do this if you know where every copy of a person's data lives, which is why the data register from step 1 matters.
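The two obligations above, pseudonymising stored data so that a leaked copy reveals no direct identifiers (step 3) and still being able to find and erase one person's records on request (step 4), can be met with the same small piece of tooling. The following is an added example, not code from the original post or from Skillcast. It assumes a hypothetical customer record layout and a secret key held outside the dataset (for instance in a secrets manager); both are constructed for illustration. Identifiers are replaced with a keyed HMAC rather than a plain hash, because a plain hash of an email address can be reversed by hashing a list of likely addresses.

```python
"""Pseudonymise a customer export and answer access/erasure requests.

Added example; the record layout, field names and sample data are constructed
for illustration. The HMAC key is assumed to live outside the dataset.
"""
import hashlib
import hmac
import secrets
from typing import Iterable

# Fields the stated purpose (say, sales analytics) actually needs.
# Everything else is dropped: data minimisation (Article 5(1)(c)).
REQUIRED_FIELDS = ("country", "order_total", "signup_month")

# Direct identifiers that must never appear in the export in clear.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "ip_address")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a normalised identifier.

    Normalising (trim, lower-case) means "Ana@Example.com" and
    "ana@example.com" map to the same subject. Without `key` an attacker
    holding the export cannot test guesses against the pseudonyms.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Keep only the required fields and replace the identity with a pseudonym."""
    out = {field: record[field] for field in REQUIRED_FIELDS if field in record}
    out["subject_id"] = pseudonym(record["email"], key)
    return out


def export(records: Iterable[dict], key: bytes) -> list:
    return [pseudonymise_record(r, key) for r in records]


def contains_direct_identifiers(exported: Iterable[dict]) -> bool:
    """Sanity check before the export leaves the business."""
    return any(field in row for row in exported for field in DIRECT_IDENTIFIERS)


def find_subject(exported: Iterable[dict], email: str, key: bytes) -> list:
    """Rows belonging to one data subject (for an access request). Needs the key."""
    wanted = pseudonym(email, key)
    return [row for row in exported if hmac.compare_digest(row["subject_id"], wanted)]


def erase_subject(exported: Iterable[dict], email: str, key: bytes) -> list:
    """Return the export with one data subject's rows removed (erasure request)."""
    wanted = pseudonym(email, key)
    return [row for row in exported if not hmac.compare_digest(row["subject_id"], wanted)]


# Constructed sample data: two orders from the same customer, one from another.
CUSTOMERS = [
    {"name": "Ana Ruiz", "email": "Ana.Ruiz@example.com", "phone": "+34 600 000 000",
     "ip_address": "203.0.113.7", "country": "ES", "order_total": 42.50,
     "signup_month": "2023-01"},
    {"name": "Ana Ruiz", "email": "ana.ruiz@example.com", "phone": "+34 600 000 000",
     "ip_address": "203.0.113.7", "country": "ES", "order_total": 19.99,
     "signup_month": "2023-01"},
    {"name": "Tom Byrne", "email": "tom@example.net", "phone": "+353 1 000 0000",
     "ip_address": "198.51.100.2", "country": "IE", "order_total": 120.00,
     "signup_month": "2022-11"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: fetched from a secrets store
    rows = export(CUSTOMERS, key)
    print("export safe to share:", not contains_direct_identifiers(rows))
    print("rows for Ana:", len(find_subject(rows, "ana.ruiz@example.com", key)))
    print("rows after erasure:", len(erase_subject(rows, "ana.ruiz@example.com", key)))
```

Keep the key and the export on different systems with different access lists: the export on its own is useless for identifying people, and the key on its own contains no data. Rotating the key re-pseudonymises the whole dataset, so do so deliberately and re-export afterwards.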


5. Designating a data protection officer (DPO)

Designating a data protection officer (DPO) is mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for organisations whose core activities involve large-scale processing of special category data or data about criminal convictions. Most small businesses will not meet these thresholds, but a business that, for example, profiles website visitors at scale or processes health records may.

If you are required to do so, designate a DPO who will be responsible for overseeing your compliance with the GDPR and who reports to your top level of management. Even where a DPO is not required, it helps to name one person as the point of contact for data protection queries and requests.


Other data security to consider

Many small businesses take card payments. If you do, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). This is a contractual obligation imposed by the card brands through your acquiring bank, not a law, but it carries its own penalties. PCI DSS sets out specific technical and organisational controls that apply wherever cardholder data is stored, processed or transmitted; the simplest way for a small business to reduce its scope is to never handle card numbers directly and instead use a hosted payment page from a compliant payment provider.

If your business isn't compliant and there's a data breach, your acquiring bank can pass the card brands' fines and investigation costs on to you, or terminate your merchant account entirely, because you are seen as posing a significant risk of leaking customer card data.


Need help with SME compliance?

Small business best practice tips for data protection, employment law, money laundering, taxation, and health and safety can be found in our blog.

Our comprehensive roadmaps help you navigate the compliance landscape and are supported by e-learning courses in our Basic Plan.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
