GDPR for small businesses
It’s important to know about GDPR as a small business, and make sure any data you hold is compliant. This guide will help you understand GDPR and what it means for your business.
What is GDPR?
The European General Data Protection Regulation (GDPR) gives people more control of their personal data. GDPR applies to any EU business regardless of size, and any company outside of the EU that processes certain data of EU citizens.
People now have more rights on how businesses use their data. Here are some examples:
- Individuals need to know how you will use their personal data, keep it and who you will share it with
- The ‘right to be forgotten’ if they don’t want you to use their personal data anymore. This applies in specific circumstances, like if they are no longer your customer
- They can access their data within a month of requesting it from you
- They have the right to stop their data being used for direct marketing
These apply to anyone you hold data on including employees, customers and suppliers of your business.
Individuals need to give clear and explicit consent for you to use their data. This is especially important when you are using data to distribute your marketing.
How does GDPR affect my business?
There are a few steps you need to take to comply with GDPR:
- Get to know which data you have, and how you use it
- Don’t keep personal data for longer than you need it
- Ensure you are only marketing to people who have given explicit consent (pre-ticked boxes don’t count!)
- Make sure you can access and supply individuals with their data within a one month period
- Look at how secure your data is to try and prevent any breaches
- Make sure everyone in your supply chain (if you have one) is also GDPR compliant
- If you have any employees, train them in GDPR regulations
There are some hefty fines if you don’t comply with GDPR. You can be fined up to €20 million, or 4% of your annual turnover, whichever is higher.
What if there’s a data breach?
Any serious breaches that affect the rights of data subjects need to be reported to the ICO in the UK within 24-74 hours. You would need to state what caused the breach, how it has been stopped, and the next steps your business will take.
Do I need a Data Protection Officer?
You should check if you need a Data Protection Officer (DPO). Usually small businesses of won’t need one unless you regularly have a large amount of individuals data, or process ‘special categories data’
Special categories data includes data on racial origin, religious beliefs, biometric data and political opinions.
What should I do next?
Although GDPR can seem like a lot to do, it’s beneficial for both your business and your customers to comply. Start by going through the steps above so you can get to know your data, and put any new processes you need into action.
