GDPR And Your Business: Is Your Small Business Compliant?


While the EU GDPR no longer applies directly to the UK, there are still legitimate arguments supporting the need for all businesses, regardless of their size, to ensure they are GDPR compliant. Whether you are a new small business owner or looking to avoid the terrible threes of GDPR, the reality is that businesses of all sizes are trusted with confidential customer data and need to take steps to ensure it is handled correctly. Additionally, while the Data Protection Act 1998 has been replaced by the Data Protection Act 2018 and EU GDPR requirements do not apply, most of the EU GDPR has been incorporated into the UK GDPR legislation, meaning your business could be at risk if found to be non-compliant. So where do you start as a small business? Surprisingly, there are simple go-to ways to ensure your small business is GDPR compliant.

Educate Yourself On The UK Data Protection Act 2018

Since May 2018 the EU's GDPR has been in effect. While the regulation stipulates that it applies to businesses with 250 or fewer employees, there are some exemptions that you should be aware of. The best way to become familiar with these regulations is to check out the ICO's guide to GDPR. Small businesses operating in the UK can use the ICO GDPR online checker tool to find out if they are exempt from these guidelines.

Also, be clear on when and where the Data Protection Act 2018 applies. For instance, if your business operates within Europe you may find that you need to adhere to both the UK GDPR and the EU GDPR. So if you process transactions for EU customers, you will need to adhere to the EU GDPR as well.

Run An Internal Audit Of Your Sensitive Data

Another critical step for small businesses is an internal audit to identify the kinds of information you are processing, where the data is kept, and how it is processed. Businesses that store personal customer records over the long term are expected to be GDPR compliant. The audit allows you to quickly identify the potentially sensitive data that may pose a threat to the customer or to your business. Information that is considered personal data, such as names, addresses, and email addresses, falls under this category. You are also required to separate sensitive personal information from ordinary personal information. Sensitive personal information includes ethnicity, religious belief, and biometric data.

Don’t Forget To Register With The ICO

Finally, check whether you need to register the business with the Information Commissioner's Office (ICO). Businesses that are required to register but fail to do so can face legal prosecution. There are some exemptions, such as businesses that only process personal data for payroll, public relations, or staff administration purposes. If you do need to register with the ICO, you can expect to pay a data protection fee, which ranges between £40 and £60 annually.

You may be asking yourself: is it worth the trouble of complying with GDPR as a small business? While it does involve some planning, ensuring your small business is GDPR compliant can save you a lot of trouble later on down the road, particularly financially. The penalty for violating GDPR is a fine of up to £18 million. Considering the implications of non-compliance, it is well worth the effort early on in the life of the business.