The GDPR and small businesses

With the deadline for the new regulation arriving quickly (May 25th!), many businesses are still working to ensure that their data collection and handling procedures comply. Information about whether the GDPR applies to small businesses has been confusing to say the least, but the answer to ‘Does the GDPR affect small businesses?’ is quite simply: yes.

There are some slightly different stipulations depending on the size of a business; however, the general requirements of the GDPR apply equally to small businesses, no matter how small. The main concern is the collection and processing of personal data, which today can easily be done by businesses of any size.

The GDPR affects all businesses operating in the EU if they handle personal data, no matter the size

Is GDPR different for small businesses?

The short answer is no - every business operating in the EU must comply (yes, this includes those in the UK, despite Brexit occurring in 2019). Even businesses that are not based in the EU but gather and/or process personal data from EU citizens or sources will need to take the appropriate steps to ensure total compliance or face the staggering fines.

Businesses found in violation of the GDPR will be fined up to €20 million or 4% of annual turnover. The size of these fines shows that the cost of poor data practices is severe, and reinforces the importance of ensuring compliance by the deadline.

Small businesses are not exempt from these requirements. However, if you have fewer than 250 employees, you must keep records of the data you handle in relation to your processing activities where a breach of that data could infringe an individual’s rights, or where the data relates to criminal records.

What is personal data?

The GDPR centres around personal data, but what exactly counts as personal data? This is another element being standardised, so that the information falling under this category is identical across the EU, as the definition currently differs between countries.

It’s important to note that under the GDPR, the term ‘personal data’ includes a much wider range of data than many current definitions. The new regulation states that personal data includes any individual’s:

  • Name
  • Address
  • Location
  • Income details
  • Health information
  • Online identifier
  • Cultural background

And many more. If your business obtains any data of this kind, it is considered personal data and your business must therefore be fully compliant with the GDPR.

What small businesses should do to prepare

In the UK, the Information Commissioner’s Office (ICO) has published a useful 12-step guide to preparing your business properly to comply with the GDPR. We’ve broken it down here:

  1. Examine data: conduct a thorough analysis of what kind of data your business gathers and how that data is handled.
  2. Determine consent: if any of the data you gather is considered personal data (as mentioned, the GDPR definition of what is considered personal data is broad), you will need to request consent to do so, or to send marketing materials.
  3. Improve security: part of the GDPR involves increasing security measures to prevent breaches of personal data held by your business. This can include encryption, for example.
  4. Provide access: you must allow any individual to export or request their data held by your business. They can also request full deletion of their data under the ‘right to be forgotten’.
  5. Check partners: double check that any other businesses or service providers you work with or share data with comply with the GDPR so that you can avoid any unnecessary complications.
  6. Be transparent: under the GDPR, you must state openly why the personal data of individuals is being collected and what it is being used for - often this will require them agreeing to your Terms & Conditions and Data Processing Agreement.
  7. Conduct training: if you work with employees, create a workshop to make sure they’re up-to-speed on what the new regulation means for the business and how data should be handled moving forward.
  8. Hire a DPO: a Data Protection Officer is not always necessary, but one is required if your business works with specific, potentially sensitive data or carries out “regular and systematic monitoring of data subjects on a large scale”.

Sole traders and the GDPR

This blog post has focused on small businesses, but sole traders are not exempt either. If your business involves any gathering or use of personal data, then the same steps must be taken to ensure that you comply.

While it may involve some up-front costs to ensure compliance, the high fines have made it very worthwhile to invest time and effort into total compliance before the deadline.

Debitoor and the GDPR

The security of our users’ data is paramount at Debitoor, so we have taken extra steps to analyse our current data handling processes and identify what needed to be changed and updated in order to achieve compliance.

We broke it down to a three-phase process so that we could accurately address each element that was required. You can read more about the steps that Debitoor took and how we collect and process data on our GDPR x Debitoor page.