By valero
Data protection is no longer just for big or technology companies. Small and medium-sized ones also have to catch up. That is why we dedicate this article to data protection and GDPR for small businesses.
Since the General Data Protection Regulation (better known as GDPR) came into force in 2018, all companies that handle personal data in the European Union are obliged to comply with this regulation. And the UK is not free from that obligation either, thanks to the British version known as UK GDPR.
While the subject may seem daunting, it’s actually not as complicated as it sounds. Here we explain everything a small business needs to know to stay compliant with data protection and avoid any surprises.

What is GDPR and why should you care?
The GDPR is an EU-drafted law designed to give individuals greater control and protection over their personal data. Essentially, it regulates how companies should collect, store and use that data.
For small businesses it means, for example, not being able to simply ask a customer for data such as their email or phone number without their consent or without good reason.
The UK version of the GDPR keeps the same basic rules after Brexit, so if you operate in the UK or deal with UK customers, you are also affected by this regulation.
What counts as personal data
Personal data is a broader term than it may at first appear. It includes names, surnames, email addresses, telephone numbers, bank cards, location data or IP-related data.

For example, if you run an online shop and store emails and customer data in an Excel sheet, you are handling personal data.
What small businesses should consider
It is essential that you always bear in mind a few very important details. Firstly, collect only the strictly necessary data or, in other words, do not ask for information you do not need.
Secondly, inform everyone clearly about their data protection rights. Your customers should know what data you are collecting, why, for how long and with whom you are sharing it. And that information must be accessible in one way or another.
It is vital that customers give explicit consent, whether by signing or by agreeing, so do not offer pre-ticked boxes, and encourage the customer to enquire.
Make sure data is stored securely. In other words, protect it. Use strong passwords, keep anti-virus software up to date and make regular backups. Customers have the right to access, correct, delete and object to the use of their data. And you must make it easy for them to do so.
Mailing list
This is one of the most sensitive points, for example if you send out newsletters or promotional emails. If that is your case, make sure you have received verifiable consent and include a clear unsubscribe option in every email. And, of course, do not buy mailing lists from third parties, as this is illegal under the GDPR.

Possible sanctions
Small businesses do not escape the radar of the GDPR, which is not likely to miss anyone who violates the regulation. Penalties can reach up to €20 million in some cases or 4% of annual turnover.
Conclusion on data protection and GDPR for small businesses
Complying with GDPR may seem complicated, but once you understand the basics, it becomes much more manageable. Think of it as an opportunity to build a relationship of trust with your customers. By demonstrating that you take their privacy seriously, you also reinforce your brand image.
So, if you’re a small business in the UK, don’t leave data protection for later. The time to act is now.