What is GDPR and why does it matter for small businesses?

HOME / / What is GDPR and why does it matter for small businesses?

What is GDPR?

GDPR stands for General Data Protection Regulation and refers to a set of rules and regulations for data protection, which came into effect in back in 2018.

The regulation applies to all EU countries, plus the UK (since Brexit). Any business based outside the EU and UK which holds or processes personal data relating to nationals from this region (people who live in the UK or EU countries) will also be subject to the legislation.

The idea behind the GDPR is that all nations agree to maintain the same high standard of data protection. It also gives individuals more control over how their personal data is being used by organisations, including businesses.

Why does GDPR matter for small businesses?

GDPR applies to any business of any size, which is collecting, storing, processing or sharing people's personal data.

As a small business, it’s likely that you do some - if not all - of the above. For example, if you’re an online retail business and you collect a person’s name, address, and card details so that you can deliver the product and take payment, that would be collecting, storing and processing personal data.

If you deliver services to another business (known as B2B) rather than directly to customers (B2C) some personal data will still be exchanged, such as names, contact information and bank details on your invoices.

What counts as personal data?

The UK’s regulatory authority for data protection is the Information Commissioner’s Office (ICO).

According to the ICO;

"Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.

If it is possible to identify an individual directly from the information you are processing, then that information may be personal data."

Personal data only includes information relating to people who

  • can be identified or who are identifiable, directly from the information; or

  • can be indirectly identified from that information in combination with other information.

The key question to ask yourself when looking at the data your small business handles, is:

Could someone identify an individual from the information I have about them?

  • Looking at all the information you are processing, could you identify a particular individual from other individuals?

  • You don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be enough to identify the person.

  • If an individual is directly identifiable from the information, this may constitute personal data.

  • Information you hold which indirectly identifies an individual could also count as personal data.

Examples of personal data:
Telephone numbers, credit card details, employee/personnel number, a person's car number plate, their postal address, or email address.

What could go wrong if you don't follow GDPR?

If personal data is mishandled or a serious breach of data security occurs, it could have significant consequences for a business.

Under the GDPR, the ICO has significant ‘corrective powers’ which means they can issue fines of up to 20 million euros or 4% of a company’s global turnover (whichever is higher) in serious breaches of data security. So, it’s important to make sure that as a small business, you’re taking data protection seriously.

GDPR aims to give individuals more control over their own personal data, so when the legislation came in 2018 it tightened up restrictions around how businesses can market to individuals, particularly through mediums such as e-newsletters and cold calls.

Individuals can also request to see exactly what data an organisation holds on them and how it is being processed.

Data protection is an on-going commitment

Protecting the information of the people who come into contact with your business is not a one-off task: it is an ongoing responsibility that business owners need to take seriously, even if your business is currently just you!

The ICO have put together a wealth of resources relating to GDPR, aimed specifically at small organisations: https://ico.org.uk/for-organisations/business/

FutureLearn also offers a range of courses relating to GDPR – Just follow the link below and type ‘GDPR’ into the search bar and all of the relevant courses will appear: futurelearn.com

For just about everything else you need to know to start, run and grow your business, head over to Smarta. You'll find short business courses for entrepreneurs, sole traders, startups and growing companies.

ABOUT THE AUTHOR: Amy Knight
Amy Knight
Amy is a content writer specialising in entrepreneurship and finance. She has written many blogs for Transmit and for Smarta, as well as contributing to our digital communications strategy. Amy is the founder of Dottem & Crossem, a communications agency based in Buckinghamshire, and is the author of the 2021 children’s book ‘There’s Two Of Us Now’.

"We’re delighted to be the 2000th loan recipients!"

JO CARTER – DUKES GASTROPUB

Money Lent

£ 178,219,784

Entrepreneurs Backed

15380
APPLY FOR A START UP LOAN
Find out how much you can borrow with our Start Up Loans Calculator