GDPR for small businesses

What does GDPR mean for small businesses?

Unless you’ve been living on a desert island with no means of communicating with the outside world, you’ll have heard of GDPR by now. You can’t avoid it, and the number of communications you’ll have received about it has only increased. In fact, it’s highly likely that, by now, you’re getting a little fed up with all the emails hitting your inbox letting you know what other companies are doing about GDPR. But is what’s relevant to global corporations like Google, Apple and eBay the same for smaller operations more local to the UK? What, in the end, is the General Data Protection Regulation all about? And what does GDPR mean for small businesses?

GDPR is an EU regulation put in place to both strengthen and unify data protection for individuals within the European Union. In short, it gives people more control over their personal data. It begins this month – as you’ll no doubt be aware, on the 25th May – with stricter regulations in place and tougher fines across all industries.

So what does GDPR mean for small businesses like yours? Well, if you process personal data of EU citizens, then its regulations apply. And, while the regulations are, in the main, targeting big business or, more importantly, anyone who might share or use that data in an unethical manner, its rules are designed to be uniform across all sectors – whatever size your business is.

Is GDPR a bit of a minefield? Maybe. But its sentiment is very positive and, in fact, by taking this seriously and showing your customers that you care about their personal details, you present your business in a positive light. If you’re wondering ‘what does GDPR mean for small businesses like mine’, here is a short list of actions you might need to take:

• You should know your data and, as a company, know how you are using it
• Make sure all employees are aware of their responsibilities toward data protection
• Take a look at what customer, staff or supplier information you hold
• Then take a look at who that might be shared with and whether it really should be
• Encrypt sensitive information that you know should not be exposed
• You must check your security is up to date, as it needs to be GDPR compliant
• Your privacy policy must be clearly communicated and GDPR compliant too
• Know how you would delete personal information electronically if required
• Be prepared for data access requests and know how you would deal with this
• Be clear on how you seek, record and manage consent
• Know how to deal with a data breach and the procedures to report/investigate
• Familiarise yourself with the ICO’s code of conduct and the Article 29 guidance
• Work out whether you need to designate a Data Protection Officer (DPO)

What does GDPR mean for small businesses then? In short, if you do hold personal details for your customers, you need to make sure you hold them legally, that the information is protected and not abused, and that it can be safely deleted on request. The fines and scaremongering that are widely reported aren’t likely to affect most small business owners. And, if your data protection policies have been in line with what’s been in place for decades, you might only need to make a few small incremental changes. A broader guide on GDPR can be found here.