Data protection in your business

Introduced in 2018, the new data protection laws in the EU are a major step for privacy and a big obligation for all businesses dealing with relevant data. Here’s what you need to know.


The protection of private data gathered by businesses, organisations, and governments has become an issue of concern in the last decade. The sheer volume of data that is available is staggering, and it became clear that additional parameters were needed when it comes to handling that information.

On May 25th, 2018, the General Data Protection Regulation (GDPR) was introduced for all European Union countries, as well as for any businesses gathering and/or handling the data of EU citizens and residents.

No matter which device your customers use, data gathering and handling regulations apply

Who must comply with the new regulations

Any business or organisation, no matter the size, that deals with the data of EU individuals must adhere to the requirements outlined in the GDPR.

This likely means that almost every business must understand and take steps to ensure compliance because it’s inevitable that businesses deal with customers and customer data. Customer data covers a broad range of information - more on that below.

Data protection regulations

In the UK, the Data Protection Act of 2018 is the nation-wide implementation of the GDPR. It updated the Data Protection Act of 1998, which stated that individuals should have the option of controlling information about themselves.

The DPA of 2018 updated this and included the regulations brought about across the EU. One of the primary aims of the GDPR is to create one set of regulations for all countries, creating more coherence and unity when it comes to the handling of personal data.

It was also implemented to bring the data protection regulations in all EU countries up to date. With the speed at which technology changes and businesses find ways to use customer information, it’s crucial that the regulations keep up.

What a business must do to comply with the GDPR

Whether you run a small business, are a sole trader, or even a freelancer, if you deal with any personal information of customers, you must fulfill the following obligations:

1. Personal data

The first part of managing data is to clearly indicate what kind of data you will be gathering and how this data will be used. Businesses typically provide a dedicated web page, for example, with this information easily accessible to customers.

Data includes any personal details of a customer: from name and email address to order history and billing information. It’s important to make clear what is needed to do business and how it is used.

The period of time that the data will be kept must be included, as well as whether a Data Protection Officer (DPO) is appointed in the business. It should also be clear what will occur if the necessary data is not collected (for example, if it potentially hinders the customer’s experience).

2. Consent

It is important to receive express consent from customers concerning the gathering and use of the data they provide for the purposes that you intend. If your business has previously requested consent for the 1998 DPA or for other purposes, this is not valid for the GDPR. You will need to obtain express consent under the new regulations.

3. Notification of security infractions

The next important aspect of the GDPR is that any security issues that arise that could potentially threaten the security of the customers’ data must be reported within 72 hours.

While this might seem slightly vague, it’s in fact a very clear requirement. The customer must be informed of any breach within the specified time frame. They must be told how the breach occurred, what data might be exposed, and the measures being taken to rectify the incident.

The GDPR clearly states that this refers to the unauthorised access or theft of any information considered personal data.

4. Data Protection Officer (DPO)

The DPO is a new element introduced with the GDPR and involves the election of an individual within a company or organisation who acts as a representative and advisor when it comes to the gathering and handling of private data. The DPO ensures GDPR compliance across a business.

In addition to acting as an internal reference point, the DPO is also the spokesperson for the company in communications with the authorities (the Information Commissioner’s Office (ICO) in the UK), as well as responding directly to any parties with specific questions about data management. The DPO can be an existing employee or an external individual who is involved in the business for this service.

It is not mandatory for all businesses to have a DPO. However, if a business falls under any of the following categories, a DPO must be appointed:

  • The business is a public body or authority
  • The business works regularly with the gathering, processing, and management of large amounts of personal data
  • The business deals regularly with highly personal data such as religion, health, race, or criminal offenses

Again, this applies to businesses of any size that deal with data.

5. Data Protection Impact Assessment (DPIA)

When a business deals with personal data, especially where newer technology such as accounting and invoicing software is involved, it is required to undertake an evaluation of any potential risks to data security and to develop the measures necessary to address those risks.

The DPIA is required for most businesses that have web pages from which data is gathered on visitors. If a DPO has been appointed, they should be involved in the assessment, and ensure that all measures taken comply with regulations.

Penalties for breaching data regulations

GDPR compliance is mandatory. Any failure to comply, whether by not implementing the new measures or by delaying the reporting of a security breach, will potentially incur serious penalties.

Any violation can result in a fine of up to 20 million euros or 4% of the business’s turnover from the previous year.

The heavy penalties are a clear indicator that this is not an issue to be taken lightly. The GDPR is here to stay, so if you have any concerns, it’s best to speak with a data protection expert to avoid any worry that your business might not be compliant.