GDPR for small business

GDPR for small business – what should you be doing?

Julianne Green advises about GDPR for small businesses

Hi! I’m Julianne. Following 27 years in the banking industry, I set up my consultancy business in 2018, helping businesses with their compliance. My specialist subject is Data Protection (GDPR). To date I have helped over 40 businesses of varying sizes, from across a range of sectors, become GDPR compliant. I hope you enjoy my guest blog for Bramley Business Solutions.

Julianne Green, JXG Management Solutions

What is the relevance of GDPR for small business?

GDPR compliance is a requirement for all businesses, whatever size or sector you might be in. Even sole traders need to make sure they comply. I often liken it to an insurance policy: it’s one of those things that’s a pain to sort out, but if you haven’t got it in place and something goes wrong, it could be a very costly mistake!

GDPR is all about accountability, evidence and processes; there is a lot of thinking ‘what if’, much like the insurance scenario.

Does every business really need to be GDPR compliant?

Do you have a list of clients and their phone numbers? Thought you might! Then yes, you do – every business that holds any form of personal data needs to comply, from client lists in an Excel spreadsheet or notebook through to fully functioning CRM systems.

What does being GDPR compliant actually involve?

A lot of businesses I talk to think that just having a Privacy Notice is enough; I can assure you it isn’t. If that’s all you’ve done and you haven’t actually done any background work to back up what your Privacy Notice says, then it’s not worth the paper it is written on!

GDPR compliance can be split into 7 sections:

  1. A data audit – this is a document that evidences you know what data you have, why you have it, what you do with it, where it goes and who has access to it. From this you can produce a list of actions, which forms part of your evidence of compliance, and identify a legal basis for your Privacy Notice.
  2. 3rd party due diligence – this is knowing who you share your data with, what they do with it and checking to see if they too are GDPR compliant. It is your responsibility to know the journey your clients’ and employees’ data goes on. For example, if you have an external company do your payroll – are they GDPR compliant? How are you getting the data to them? What are they doing with it once they have it?
  3. Data Register & Mapping Tool – part of GDPR compliance is having a document that acts as a ready reckoner for what systems and applications your data sits on. This is a valuable tool if you ever have someone want to exercise their ‘Right to be forgotten’.
  4. Implement GDPR Processes – make sure you and your staff are trained to recognise a Data Breach, a Data Subject Access Request and any of the 6 other individual rights under GDPR. Just as importantly, make sure you all know what to do and the timeframes you must adhere to.
  5. Data Processing Agreements – make sure you have yourself covered with anyone who processes your data for you (back to the payroll outsourcing again). Get something in writing covering what they can and can’t do with your data.
  6. IT back-up – is your data backed up? Is it secure? How quickly can you access it if something goes wrong? If you were hacked, or even worse your data was held to ransom, how up to date would your restore be?
  7. Policies – the very last piece of the jigsaw is your policies. Now you’ve done all the work, you can actually write a meaningful policy. But it isn’t just a Privacy Notice for your website: you should also have a Data Protection Policy, an Employee Privacy Policy and a Candidate Privacy Notice. You should also review all your existing policies and check to see if any ‘Data Protection’ sections need amending.

What are the chances of being audited by the ICO?

Honestly, at the moment I would say fairly unlikely, due to the high volume of Individual Rights complaints the ICO are currently dealing with. However, this should not be an excuse to not do anything! If a client complains about you to the ICO, they could well turn up on your doorstep unannounced – this does happen. The average fine the ICO hands out is c. £40,000, so it is worth taking seriously.

Does it still apply after Brexit?

Yes, very much so. GDPR originally sat as an EU law within the UK and has now been adopted as UK law. Nothing will change in the general principles of GDPR; however, if you send, receive or store information in any of the remaining EU countries, you will need to make sure you have proper standard contractual clauses and sharing agreements in place for any data transfers between EU and non-EU countries. If you have carried out proper 3rd party due diligence within your GDPR compliance, you should already know if you are going to need this.

If businesses are not sure, what should they do?

To find out more about GDPR for small business, the first thing to do is check the ICO website – it has loads of information for businesses of every size and sector. However, it can be a bit overwhelming and confusing, so if you’d like help, check out my website or drop me a line.

None of this needs to be expensive and if you don’t actually want to bring someone in to do the work, I offer a package where I can send you a toolkit with everything you need to do it yourself.

At the end of the day, whatever it might cost to get your business compliant, it’s going to be a lot cheaper than a fine from the ICO.