Knowing the fundamentals of data protection – a guide for small businesses and start-ups
When it comes to data protection, a lot of people (myself included, not too long ago) do not know or understand what it is, and it is about time we changed that.
You may be asking yourself, ‘Why do I need to comply with data protection law?’ The answer is simple: good practice brings a great reputation.
If data falls into the wrong hands, it can have catastrophic consequences. Identity theft, discrimination and even physical harm are all byproducts of misused data.
Another question you may be pondering while you read this is, ‘Why do I need to worry about this as a new or small business?’
It’s a fair question. However, if you start complying now and have good practices in place, then further down the line, when you have grown to the size of business you want to be, nothing new will need to be implemented. Trying to change the behaviour, culture and habits of a business and its people is not an easy task, and a costly one at that. All of this can be avoided if you act now!
This is by no means a fully comprehensive guide to data protection; I wanted to strip everything back and help start you off on this journey of compliance.
This is a guide to the basics and the ‘must knows’ of what is still a grey area for many people and organisations.
What you can expect:
• Explanation of what data protection actually is
• The Acronyms of Data Protection
• The Data Protection Principles
• Are you caught by the legislation?
• How you can become compliant
• Next Steps
What is data protection?
Data is any information that relates to an identified or identifiable person.
Protection is the process of collecting, storing and deleting (when necessary) the data that can be used to identify someone.
That is what we are all about here at Data Protection People, making Data Protection easy. Easy to do and easy to understand.
The Acronyms of Data Protection
UK GDPR (UK General Data Protection Regulation)
The UK GDPR is the law that sets out the rights, obligations and key principles of personal data processing, with the exception of processing by law enforcement and intelligence agencies.
There are instances in which an organisation or individual will have to comply with both the UK and EU GDPR: this is when they operate in both the UK and the EU.
DPA 18 (Data Protection Act 2018)
The DPA 2018 replaced the Data Protection Act 1998 on the 25th of May 2018. It sits alongside and works in tandem with the UK GDPR.
The regulations are based on the EU GDPR, with a slight twist that allows them to be more effective within the UK.
Links to both pieces of legislation can be found at the bottom of this article.
CIO (Chief Information Officer)
The CIO is the title of the organisation’s executive that is responsible for the management, implementation and usability of information and computer technologies.
CISO (Chief Information Security Officer)
The Chief Information Security Officer is the executive responsible for an organisation’s information and data security.
DDQ (Due Diligence Questionnaire)
If a controller appoints a data processor, there is a process they should undertake to ensure that the processor has appropriate measures in place to protect personal data; this is known as due diligence. A common way of completing this process is via a questionnaire. Upon completion, the processor must provide any supporting documentation. Once this has been reviewed, the controller will have a clear view of the risks should they appoint that processor.
DP (Data Protection)
Often Data Protection is shortened to the abbreviation DP.
DSA (Data Sharing Agreement) and DPA (Data Processing Agreement)
DSAs and DPAs are very similar: both are agreements put in place to ensure personal data is managed correctly. A DSA is a processing agreement between a controller and a processor, the terms of which are specified under Article 28 of the UK GDPR; all of these terms must be included for the agreement to be compliant. A DPA is an agreement between two controllers; there are no specified terms, as the Regulation simply requires appropriate measures to be implemented between the parties.
DSARs (Data Subject Access Requests)
Data subject access requests, subject access requests, information requests, SARs, DSARs: whatever you want to call them, they mean the same thing. By law, every data subject (someone whose data has been collected) has the right to access their data. The way someone does this is through a SAR: you can either fill out a form on the organisation’s website or contact its DPO directly to request your information.
The organisation or sole trader responsible for handing over the information has, by law, 30 days to do so; once that date has passed, the person has the right to complain to the ICO.
There are exemptions under which the controller can refuse the right to access the data; more information on these can be found in Schedule II of the Data Protection Act.
DPIA (Data Protection Impact Assessment)
DPIAs are what they say they are: a method of reviewing the risks associated with certain data processing activities. It is a legal requirement to carry out a DPIA in several circumstances, details of which can be found in Article 36 of the UK GDPR.
Undertaking a DPIA requires objectivity and a detachment from the data processing, and it often requires dogged persistence to get to the bottom of things, both with colleagues and with external suppliers and partners.
The person conducting the DPIA must be impartial with nothing to gain or lose in the outcome. They can have no vested interest, no pre-conceived ideas and they must be able to rise above internal or intra-company politics.
DPO (Data Protection Officer)
A Data Protection Officer or DPO is the person within an organisation who is responsible for monitoring internal compliance.
Not every organisation has to appoint a DPO under the UK GDPR.
Under the UK GDPR, you must appoint a DPO if:
• Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
• Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
The above information was taken from the ICO’s website as of 04/03/2022.
Organisations can appoint a DPO voluntarily if they wish. Naming a DPO gives an organisation an expert in the field of data protection who will help monitor compliance.
DPOs also act as a point of contact for data subjects and the ICO.
ICO (Information Commissioner’s Office)
The Information Commissioner’s Office, or ICO, is an independent body set up to uphold information rights. It reports to the UK Government but is in no way affiliated with it.
The ICO is made up of 500 staff who are headed by the Information Commissioner.
The Commissioner and his team are responsible for enforcing the UK GDPR. They have numerous responsibilities; these include, but are not limited to:
• Providing advice to the public about their information rights
• Promoting best practice among organisations when it comes to information rights
• Reviewing and changing the legislation where necessary
• Dealing with any complaints that come in
• Imposing sanctions when organisations or individuals do not comply with the law
Note: The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater.
IDTA (International Data Transfer Agreement)
The IDTA is the recently approved UK version of standard contractual clauses. It acts as a safeguard mechanism under Article 44 of the UK GDPR for international transfers of personal data.
An IDTA is used when a country is deemed not to have adequate data protection legislation; the agreement is used as an alternative means of ensuring data is transferred safely.
IG (Information Governance)
Information governance, better known in the DP world as IG, is the overall strategy for information within an organisation. In a nutshell, it balances the risks that information brings against the value that it often provides.
ISO (International Organization for Standardization)
ISO, and more specifically in the world of information security ISO 27001, is an international standard and a member of the ISO series. Achieving accreditation demonstrates adequate assurance of a company’s information security management system (ISMS). It is not a legal requirement; however, it is becoming increasingly sought after as many organisations are under close scrutiny over their security posture.
Accreditation involves a 2-stage audit conducted by one of many UKAS (United Kingdom Accreditation Service) approved accrediting bodies. Organisations must maintain the accreditation via annual surveillance audits, and every 3 years they must recertify against the standard.
PCI-DSS (Payment Card Industry – Data Security Standard)
PCI-DSS began in 2004 in response to an increase in payment fraud. The credit card industry leaders came together to form a council that constructed and implemented a set of standards; we are currently on version 4. The council consists of American Express, Discover Financial Services, JCB International, Mastercard and Visa.
In layman’s terms, it is a contractual agreement between merchant and consumer. Although it is not law, it is enforced by the council, with compliance detailed within 12 key areas; noncompliance can lead to financial fines. Every merchant is split into 4 categories (see below) based on transaction volume, with the largest merchants considered level 1 and the smallest level 4. The ‘merchant level’ determines the level of compliance obligations.
The 4 merchant levels:
• Level 1 – More than 6,000,000 card transactions annually
• Level 2 – 1,000,000 to 6,000,000 card transactions annually
• Level 3 – 20,000 to 1,000,000 card transactions annually
• Level 4 – Fewer than 20,000 card transactions annually
More information on PCI-DSS can be found at the bottom of the article.
PECR (Privacy and Electronic Communications Regulations 2003)
PECR are a set of regulations that sit alongside the DPA and the UK GDPR. They provide rights in relation to electronic communications, examples of which can be found below.
• Marketing by electronic means
• Communication networks (calls, emails, etc.)
• Security of public electronic communications services
PECR applies to organisations that provide public
The above was taken from the ICO’s website. A link to the page can be found at the bottom of this article.
RoPA (Record of Processing Activities)
An organisation must have a record (also known as a register) of processing activities. Responsibility for it sits with the DPO; however, it is good practice for the RoPA to be completed departmentally by data protection champions, because it is impossible for a DPO to have a good understanding of every data processing activity that occurs across the various departments of an organisation. The RoPA should be updated whenever data processing changes, so that those changes are reflected within it.
Having a RoPA is a legal requirement, and there is a set of obligations setting out when an organisation must have one. These can be found in Article 30 of the UK GDPR; there are exemptions, which Article 30, paragraph 5 also defines.
SCCs (Standard Contractual Clauses)
SCCs are a safeguarding measure under Article 44 of the EU GDPR for transferring personal data; they are used when a country has not been deemed to have an adequate level of data protection legislation. SCCs are an appropriate alternative mechanism for the parties to implement, detailing how they will protect the personal data and the rights and freedoms of data subjects.
SIRO (Senior Information Risk Officer)
A SIRO is a professional who has responsibility for implementing and managing information risks within the organisation. The role is mandatory for public sector organisations and for organisations contracted to deliver services under the NHS standard contract.
The Data Protection Principles
Within the GDPR there is a set of 7 (6 plus 1) data protection principles; they can be found in Chapter 2, Article 5 of the UK GDPR. The principles influence the other rules and obligations within the legislation, so compliance with these underlying principles is the first step in good data practice.
A brief overview of the principles can be found below:
• Lawfulness, fairness and transparency.
All personal data should be processed lawfully, fairly and in a transparent manner; the processing of personal data must be clearly defined and documented.
• Purpose Limitation
Personal data should only be stored for as long as necessary. Processes should be in place to cleanse systems and databases, and they should be regularly reviewed. Retention policies must be clearly defined and adhered to.
• Data Minimisation
The collection and storage of personal data should be limited to what is relevant and necessary for the purpose. DPIAs should be carried out when implementing new systems or processes.
• Accuracy
Data should be accurate and up to date. Organisations must have processes in place to ensure that systems and documents are audited and checked regularly. Out-of-date data must not be shared with anyone.
• Storage Limitation
Data should be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. There are instances in which data may be stored for longer periods: these include public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to the implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject.
• Integrity and Confidentiality
Data shall be processed in a manner that ensures appropriate security of that data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
• Accountability
The controller shall be responsible for, and able to demonstrate compliance with, all of the above.
The above were defined using Article 5 of the UK GDPR here.
Are you caught by the legislation?
It is important to establish whether you or your organisation need to be registered as a data controller.
You can check whether you need to register by completing the ‘Registration self-assessment’ on the ICO website or by clicking here.
There is a fee that you need to pay, and this in turn funds the ICO. The fee is not fixed; it will differ depending on numerous factors. Again, you can check how much this would cost here.
If you do need to register, this means that you and/or your organisation control data and must adhere to the relevant law.
There are 2 laws that outline the fundamentals of how data should be collected, processed, stored and controlled, but we will get into that later.
What can you do to become compliant?
There are numerous ways in which you and/or your organisation can comply with the law.
Policies and procedures
The first thing you need to do is familiarise yourself with Article 30 of the UK GDPR. ‘Records of processing activities’ detail the types of data that an organisation stores and processes. In turn, this will inform the relevant policies and procedures that you need to publish.
Examples of relevant documentation include, but are not limited to, privacy policies and data protection policies.
These must be made available to the public, because they allow the data subject to understand how their data is processed.
Complete a gap analysis
A gap analysis is an audit: a review of documentation and on-site assessments completed to help identify areas of non-compliance with privacy and information rights law.
The reviews should involve those in your organisation who are responsible for information governance, IT, HR and marketing. You should also look to engage with operational teams to test their understanding of the organisation’s policies and procedures.
Create an Action Plan
Following on from the gap analysis you will have a set of results and findings. The way in which you present these is completely up to you; however, I suggest a RAG report, as this will clearly show which areas are Red, Amber and Green:
• Red – Urgent action needed
• Amber – Action needed
• Green – No action needed
Using this report, an action plan can be drafted that will allow you to prioritise which areas need fixing first.
Maintain what you have in place.
Once you have amended the areas of risk, you must maintain the standard you have now reached. Data protection law is constantly changing and adapting, and for that reason the infrastructure in place must be continuously monitored. As stated previously, this is where the DPO comes into play.
If you are a brand-new business, then I suggest you implement the things necessary to ensure you are compliant from the outset. If your business has been established for a few years or more, then the ‘What can you do to become compliant?’ section may be a good place to start.
I understand this may all seem a little overwhelming, and you are right: this can’t be done overnight. However, there are a few options for you to consider…
You can start by implementing changes within your organisation, using this guide and the other relevant resources found on the ICO website to begin your journey of compliance.
Alternatively, if time and resources are getting in the way, you can turn to a consultancy (hint, hint) for help. There are experts in the field of data protection who will guide you through the process of good practice.