GDPR for Small Business: Data Protection Explained

Confused about the UK GDPR? Read our quick guide to GDPR compliance for small businesses.


In March, our Data Protection Made Easy podcast hosts, Jasmine Harrison, Joe Kirk and Phil Brining, discussed the challenges small and large businesses face when complying with GDPR. 

Data protection is often seen as a significant burden for small businesses. Limited resources, unfamiliar compliance requirements and a general lack of awareness can make GDPR compliance feel like a distant goal.

But it doesn’t have to be. 

This guide will help you understand the UK GDPR, your obligations as a small business and what you must do to comply.

What Is GDPR? 

The General Data Protection Regulation (GDPR) is an EU law that governs how organisations collect, use and store the personal data of individuals in the EU, and the rights those individuals have over that data. It has applied since 25 May 2018. Following Brexit, the EU GDPR stopped applying in the UK at the end of the transition period on 31 December 2020.

In its place, the UK has the UK GDPR, a retained version of the EU regulation, which sits alongside the Data Protection Act (DPA) 2018. The requirements are largely the same as the EU GDPR, with some modifications. The UK GDPR applies to organisations established in the UK, and to organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK.

Does GDPR Apply to Small Businesses?

Regulations, like fire safety, health and safety and tax, apply to every new and existing business. But what about the UK GDPR?

The UK GDPR applies to any business that collects, handles, processes or stores personal data. That includes information about your employees and job applicants, your customers and prospects, and your suppliers or other third parties.

As a UK business that processes personal data, you must pay a data protection fee to the Information Commissioner’s Office (ICO) unless an exemption applies. The fee is tiered by size: charities and most small and medium-sized businesses pay £40 to £60 a year, rising to £2,900 for organisations with a higher turnover and a larger workforce. The ICO’s online self-assessment tells you which tier applies to you and whether you are exempt.

Paying the fee puts your business on the ICO’s public register of fee payers. Registration is a legal requirement rather than a certification: being listed shows customers that you have met that obligation, but it is not on its own evidence that your wider data protection practices are compliant.

Personal Data & Sensitive Personal Data 

The UK GDPR defines ‘personal data’ as:

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Article 4(1)

Simply put, personal data is information relating to an identifiable individual (the ‘data subject’). The definition is deliberately broad, so whether a given piece of information counts is not always obvious: the context in which you collected it, and what else you hold alongside it, both matter.

As a small business, you will already hold several pieces of information about any one data subject, and data that does not identify someone on its own can do so once it is combined with the rest. Personal data includes names, postal and email addresses, phone numbers, location data, online identifiers such as cookie IDs, and IP addresses.

Sensitive personal data, known in the UK GDPR as special category data, includes information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation. Explore the full list in ICO’s complete guide. If you process this data, you need both a lawful basis under Article 6 and one of the specific conditions in Article 9 (explicit consent, for example), and you should document which ones apply. Data about criminal convictions and offences is treated separately under Article 10 and needs its own justification.

What Are Your Legal Obligations?

If your business is established in the UK and processes personal data of any kind, whether about customers, staff or suppliers, you must meet the requirements of the UK GDPR.

If you offer goods or services to, or monitor the behaviour of, individuals in the EU, you must also comply with the EU GDPR, and if you have no establishment in the EU you may need to appoint a representative there. The EU GDPR likewise applies if you are based in the EU and selling within it.

Non-compliance risks fines. Under the UK GDPR the higher maximum is £17.5 million or 4% of total annual worldwide turnover, whichever is higher; a lower maximum of £8.7 million or 2% applies to less serious infringements.

Getting Started with GDPR Compliance

Here are our top tips for complying with UK GDPR for small businesses:

  1. Start data mapping – Identify and document all the personal data your organisation collects: what it is, where it came from, where it is stored, who has access and who it is shared with. Define the purpose and the lawful basis for processing each category. Data mapping feeds your record of processing activities (ROPA) and is a key part of a successful GDPR audit.
  2. Conduct a Data Protection Impact Assessment (DPIA) – A DPIA is a risk assessment that the UK GDPR requires for processing likely to result in a high risk to individuals, such as large-scale monitoring or use of special category data. It identifies the risks to the people whose data you process and records how you will reduce them before the processing starts.
  3. Assign a Data Protection Officer (DPO) – A DPO is your dedicated GDPR expert, responsible for monitoring compliance across your team and organisation. A DPO is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data, but whether or not you must appoint one, someone should own data protection. Our DPO Lite Service is ideal for small businesses needing straightforward support.
  4. Train Your Employees – Whether you’re a team of one or ten, your employees must have the skills, knowledge and experience to maintain compliance. Our GDPR training covers key areas like ROPAs, subject access requests (SARs) and data breach management.

Is Your Business GDPR Compliant? 

Addressing GDPR compliance early lets your small business deal with data protection and privacy issues before they become complex and costly.

Partner with Data Protection People to start your journey to GDPR compliance. Reach out to our team to learn more.

Want to learn more? Listen to part 1 on data protection challenges for businesses on Spotify, Apple, Deezer or directly in our Resource Centre.