This article was first published here in December 2021.
Understanding the impact of UK GDPR and the importance of being compliant might seem like a big task as a small business. However, whether you’re new to business or just need a refresher, being aware of the procedures you need in place when handling individuals’ data is important if you want to avoid any fines or reputational damage.
You may not think that UK GDPR affects all businesses, but the truth is that most will more than likely handle some sort of personal data. Experts from FSB Legal Protection Scheme walk you through what you need to consider when it comes to UK GDPR compliance for small businesses.
Does GDPR still apply?
The Data Protection Act 1998 has been replaced by the Data Protection Act 2018, which incorporates the General Data Protection Regulation (GDPR).
GDPR is an EU regulation that no longer applies directly to the UK; however, its provisions have been incorporated into UK law as the UK GDPR. The regulation applies to any business that processes personal data. If you trade in the EEA, you will also need to follow EU GDPR guidance.
How to comply with UK GDPR
UK GDPR is a vital aspect of your business’ operation, so it’s something you should keep at the forefront of your mind each day.
Already an established business?
There are things you will have changed or implemented into your business to ensure full compliance, and these are worth checking regularly. This will help to protect your business as much as possible from any liability. For example:
- Have you checked and amended any data entry forms that you currently use?
- When you collect data, on your website for example, are you clear and transparent that you are doing so, explaining what you are collecting, why, and for what purposes?
- Do you demonstrate how the data you’re collecting is necessary for your purposes?
- Do you need to add extra security measures, such as a stronger firewall, to ensure your data is as secure as possible?
Starting a new business?
If you’re looking to start your own business, it would be helpful to prepare for UK GDPR early in your business planning stage. This way you can hit the ground running without having to worry about any potential data compliance issues. Planning what you need to do in advance will help make it easier to implement your data protection methods and policies.
What are the eight rights for individuals?
UK GDPR includes eight rights that individuals have over their data. They are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
The Information Commissioner’s Office guide to individual rights explains in detail how these impact your business and includes a checklist to help you stay compliant.
Does this apply to small businesses?
Yes, small businesses must adhere to the data protection principles, which include the same eight rights that apply to large businesses. This includes the right for consumers to have access to the personal data you hold on them, and the right for them to object to the way you make use of their data in certain circumstances.
As a small business, you’ll generally handle a far smaller volume of data than a large business. Even though the volume may be less, you still need to have the necessary procedures in place to be able to protect individuals’ data and to deal with their requests, as per the requirements of UK GDPR.
Customers have rights to control how you use their data. It might be that you need to review the details in your privacy policy to make it clear that the individual has the right to object to or withdraw their consent to your processing of their data. The collection and usage of data should be transparent and secure.
If you only hold a small amount of personal data on your customers, a simple secure database might be enough to keep the data easily accessible and readable. This should also make it easy to amend if someone requests that you update or delete their information from your records.
Do I need to hire staff to look after UK GDPR in my business?
It’s important that you take the necessary steps to become and remain compliant, or you may face penalties. If you’re a new business, you should be reviewing the roles that everyone will undertake.
Public authorities and businesses that do large-scale monitoring or large-scale processing of certain types of data are required to appoint a designated data protection officer (DPO). This isn’t a requirement for most small businesses.
That said, it might still be beneficial to take the principle on board, so that it’s easier to comply with UK GDPR. Hiring a staff member is one option, but it might be more effective to reshuffle your existing staff roles so that one or two staff members handle most of your business’ data-related obligations. If you do decide to do this, it’s advisable to make sure they are properly trained and fully aware of the different aspects of UK GDPR. This should give your business an easier time handling data and the UK GDPR regulations going forward.