The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area

GDPR Overview

The General Data Protection Regulation (GDPR) is a legal framework established by the European Union that sets guidelines for the collection and processing of personal information. The reasoning behind this legislation, which came into effect in May 2018, is to align existing data protection protocols while raising the level of protection for individuals.

Data Protection

This law brought existing legislation up to par with the connected digital age we live in. It was designed to give customers a greater level of control over their data while offering more transparency throughout the process of collecting and using it.
Since data collection is such a normal and integral part of our lives, both personally and in business, the security of this data is sometimes overlooked.

Following the introduction of GDPR, if your business collects, stores or processes personally identifiable information about EU citizens, then GDPR applies to you. Put simply, this is a regulation you will want to take seriously: failure to comply can result in huge fines and potentially irreparable damage to your business’s reputation.


So, what do you have to do to ensure your business is GDPR compliant?

The European Union General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) set out the principles, subject rights and obligations that you must follow to protect the rights and freedoms of individuals.

To this end, everyone who has access to customers’ and individuals’ personal data is expected to treat that data with the utmost integrity and confidentiality.

How does GDPR affect small business?

GDPR requirements apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it’s a regular activity, concerns sensitive information or the data could threaten individuals’ rights.

If your business holds some form of personal information about customers, ranging from email and postal addresses through to health and financial details, then it’s essential that your business is GDPR compliant, no matter your company size. Serious breaches of GDPR regulations carry a steep fine of up to 4% of the turnover of your business or €20m, whichever is higher.

Understand your GDPR responsibilities

GDPR introduced two new terms to describe the person, company or organisation who is collecting and processing data. These are Data controller and Data Processor.

The person/people within your organisation undertaking these roles must be compliant with GDPR and are central to any GDPR compliance checklist for small businesses.


  • Data controller
    This is the person or business that determines how and why personal data is collected. The data controller must ensure the business is fully compliant with GDPR including transparency, data storage, data confidentiality and accuracy of data collected and stored. They are also responsible for notifying the Information Commissioner’s Office (ICO) if a data breach occurs or data is stolen or lost by your business.
  • Data processor
    This is the name given to the person or business responsible for processing personal data on behalf of a controller. It encompasses anyone with access to personal information who uses it in any way, such as creating and sending marketing emails. A processor must ensure data is processed in line with GDPR requirements and must record processing activities. They must also ensure appropriate security when handling data.

What determines ‘data’?

Data comes in many forms and covers a wide range of information, including names and addresses, financial records and bank details, staff employment records and even dates of birth.
GDPR requires that you hold only the necessary data and only for as short a time as possible. Stockpiling data or holding databases with old customer data is likely to fall foul of GDPR.

GDPR also defines some ‘special categories of personal data’. This covers personal information such as political affiliation, religious beliefs, sexual orientation, trade union membership, racial and ethnic origin. This is data that could be misused to discriminate against an individual. You’ll therefore need to be able to demonstrate you had explicit consent from an individual to store any special categories of personal data, should your business be audited.

Ensure you have a data consent policy

To acquire and store personal information, you must first obtain clear and explicit consent that is freely given by the individual. This means you must clearly explain what personal information your business is collecting and how it will be used. The individual must actively agree to this. If not, you are not permitted to capture and store this data under any circumstances.

This also includes conditional data collection, i.e. where data is collected as a condition of using a service, such as offering an incentive to sign up to a newsletter and then using that data for marketing.
To comply with GDPR, your business must be able to show that you have obtained consent for the data you hold. Not having a record of consent runs the risk of a fine.
Note: you can’t rely on a lack of response or pre-ticked checkboxes as a sign of consent.

Your business must also provide easy ways for the individual to opt out in the future, such as having an ‘unsubscribe’ option at the bottom of all generic mass mailouts sent for marketing purposes etc.

Regular disposal of old data

As part of any GDPR compliance checklist for small businesses, it’s a vital step to audit the data you hold and put in place policies that determine how long it can be stored. For example, a policy could determine that data belonging to a lapsed customer who has not engaged with your business for 12 months is deleted. 

Set up regular data reviews to ensure data is not kept longer than necessary. Any EU citizen can request access to all the data you hold about them in its entirety, known as a Subject Access Request (SAR). This can be anything from referring to them in email messages to customer records and electronic notes. They also have the right to correct any inaccurate data you hold and to request you delete data entirely.

Dealing with a SAR is time-consuming, and your business may need to trawl through hundreds of documents and data entries, compile data into a report, and correct any inaccuracies, so it makes sense not to hold personal data for any longer than you need to. A strict 30-day time limit applies for completing a SAR, so have a plan in place to handle requests from staff, suppliers and customers.

Staff Training

Ignorance is no excuse in the eyes of the law, and some simple staff training could make all the difference. An inadvertent data breach, such as an employee losing a USB memory stick holding customer data outside the office, could result in a heavy fine, so it’s important that everyone who has access to personal data knows their responsibilities.
Ensure you also teach staff to recognise what constitutes a data breach, as any such breach must be reported to the Information Commissioner’s Office within 72 hours of it happening. The report must detail how the breach occurred, what is being done to contain it and the next steps the business plans to take.

Data storage and security

Personal data can be located in lots of places – from email inboxes, customer databases, mobile phones and increasingly third-party cloud-based services such as Dropbox and Microsoft Office 365. Unfortunately, GDPR covers all data no matter where it is stored.

To ensure you can demonstrate you know exactly where customer data is stored, it’s useful to create a data processing and storage policy. This should set out where customer data is kept, how it is protected (for example by encrypting the data) and who has access to it. Data processors may need access to elements of the data, such as phone numbers or mailing addresses, so you’ll need to define how that data is accessed and under what circumstances.

You should also have a plan for how data is transferred, as data is most vulnerable when it is moved, such as between departments or shared with third-party providers to deliver a customer service. You should have limitations in place to determine how data is taken out of the business for example on laptops or USB memory sticks, and who is authorised to do so.

In the event of a data breach, such as misplacing a laptop with customer details on it, having already encrypted all data can significantly reduce the fine your business would face.

If your business has just a handful of staff, it makes sense to nominate one person to be responsible for data. This means someone takes ownership of GDPR compliance and can ensure your business meets the regulations.

Are your suppliers GDPR compliant?

Small businesses often rely on a network of contractors and suppliers. Even if your business is GDPR compliant, you must ensure suppliers and contractors are also GDPR compliant. Small businesses are exempt unless they’re working with a larger business that has more than 250 employees, in which case they can fall foul of GDPR if the larger business is not compliant.
The quickest way is to ask suppliers to complete a GDPR compliance form detailing how they handle data, security and storage procedures, and what type of data they handle. You can send them a GDPR compliance checklist for small businesses for them to complete. Ensure contracts specifically refer to a supplier or contractor being GDPR compliant. Include the right to audit their business if needed, such as making an on-site visit to review their data processing arrangements.

To summarise, data handling must be fair and transparent, so you will need to create a document explaining how your business deals with data.
Known as Fair Processing Notices (FPNs), these documents should be available to view on your website. They should detail how you capture data, how you process and store it, and how an individual can request access to it via a Subject Access Request (SAR).

Starting a new business do you need to look at GDPR?

Exciting Futures was created as an all-in-one solution, bringing together the tools and services you may need to run your business. When you map out your business model, GDPR may be one of the areas your business needs to review, along with the next steps to take.
