Arrow back

GDPR for small businesses: The ultimate guide

02 September, 2021

As web technology has evolved, we’ve enjoyed the many benefits of a fully connected world. However, we can’t deny that there have been negatives, many of which relate to the ways our data is handled.

One of the main concerns of using digital tools and websites is data protection, with countless of our most commonly used web services collecting personal information from customers and website visitors.

It’s this reality which encouraged regulators to take a fresh look at data protection regulations. The Data Protection Act 1998 was deemed to be no longer fit for purpose due to how technology solutions had changed, with new data protection risks emerging, including the transfer of data outside of the EU.

To ensure EU residents are adequately protected, an EU law called the GDPR (General Data Protection Regulation) was introduced on 25 May 2018. As a result of Brexit, the new UK DPA 2018 now applies as well as the UK GDPR 2018.

Here’s what you need to know:

The seven principles of the GDPR

To comply with the GDPR, many businesses (including small businesses) have had to make a number of changes to how they handle data. The GDPR rules are based around a set of principles.

The 7 GDPR principles are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

What are the types of data outlined in the GDPR?

The types of data that are protected under the GDPR are outlined under the regulation.

Personal data includes the following:

  • Name
  • Address
  • Email address
  • ID card number
  • Location data
  • IP address

There is also a category of sensitive information that is classed as personal data, which includes information about:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where processed to uniquely identify someone)

How does GDPR affect small businesses?

As a business, you must have a valid lawful basis if you process personal data. The six lawful bases are:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

For your business to stay compliant with GDPR there are a number of actions that are required. For example, having a stronger firewall to improve security or changing online forms to state how the data is used.

Consumers have the right to access personal data you hold about them, and they also have the right to object to the way you use their data. You need to have processes in place that allow consumers to make choices about their data, for example, allowing them to easily unsubscribe from your mailing list.

Struggling with GDPR jargon? Check out our GDPR jargon buster!

The risk of data breaches

Data breaches can affect businesses of any size, not just large businesses. When a business is found to not have the appropriate data protection measures in place and they have a data breach, they are liable to heavy fines. The maximum fine under the UK GDPR is £17.5 million or 4% of the organisation’s annual global turnover, whichever is greater.

It's more than an idle threat, too. Just ask Google, who found themselves slapped with a record fine in 2019.

Small businesses are often targeted by hackers, as there is a chance that their security measures are weaker, due to having a smaller budget than the bigger companies. However, the cost of a breach can have huge financial implications as well as causing massive reputational damage, so small businesses should be investing in their data security processes.

How businesses can protect themselves

Hiring a GDPR consultant to come and assess the business processes is a good way of getting expert advice but it is also important that employees have a strong knowledge of GDPR and the requirements for compliance.

Bob’s Business provides an extensive package of online training including GDPR compliance, from basics through to more in-depth modules on subjects such as Consent and other key aspects of complying with GDPR.

Take a look at our GDPR training that can quickly get your workforce up to speed with the information that they need to be aware of to stay compliant.

Back to resources

Ready to build your cybersecurity culture?

Whether you’re looking for complete culture change, phishing simulations or compliance training, we have solutions that are tailor-made to fit for your organisation.

Girl with laptop
Boy with laptop
man and woman with laptops
Global Cyber Alliance