GDPR for small businesses: What it means for you


It's been more than three years since the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 came into force, and organisations of all sizes are now expected to be up to scratch with their compliance procedures.

The UK's data regulator has already made an example of the data breaches affecting British Airways and the Marriott hotel chain. Its initial investigations resulted in notices of intent to fine the two companies £183 million and £99 million respectively; the final penalties, issued in October 2020, were reduced to £20 million and £18.4 million, still far beyond anything the ICO had levied under the previous regime.

However, while larger corporations have so far faced the toughest action, it's just as important for small businesses to adhere to the rules, given that the maximum fine is calculated as a percentage of annual turnover. Violations by smaller companies aren't likely to generate fines that reach the eye-watering levels seen so far, but they'll still have a significant impact on that business’

Unfortunately, for smaller businesses, Brexit added a further dimension. GDPR has been retained in UK law as the "UK GDPR" under the European Union (Withdrawal) Act 2018, but the ability of UK businesses to receive personal data from the EU depended on the EU granting the UK a data adequacy decision; the alternative mechanisms for lawfully receiving that data are limited and costly, and a failure to secure adequacy would have hit small businesses hardest.

Do I need to abide by GDPR?

Yes, you do. There's a lot of misinformation floating around the internet on this topic, especially when it comes to the UK's relationship with the EU.

Fundamentally, GDPR still applies in the UK now that it has left the European Union. The principles of GDPR were written into UK law in the form of the Data Protection Act 2018, and the EU regulation itself was retained as the UK GDPR under the European Union (Withdrawal) Act 2018. Bear in mind, too, that the EU GDPR continues to apply directly to any UK business that offers goods or services to people in the EU or monitors their behaviour, regardless of where that business is based.

That means the UK's Information Commissioner's Office (ICO) uses the DPA 2018 and the UK GDPR side by side when dealing with instances of data misuse in the UK.

How GDPR applies to small businesses

Generally speaking, most articles of GDPR apply to both large and small businesses. In that sense, small businesses need to follow the same rules and advice set out in our comprehensive GDPR guide.

Some differences do exist, however. Under Article 30 of GDPR, organisations with fewer than 250 employees are exempt from having to keep records of their processing activities, whether in the capacity of a controller or a processor. The exemption falls away, though, if the processing is likely to create a risk to the rights and freedoms of data subjects, if it is not merely occasional, or if it includes special category data (such as health or ethnicity) or data about criminal convictions. In practice, most businesses that process customer or employee data day to day will not qualify.

It's also generally understood that small businesses have fewer resources than larger organisations, and the Information Commissioner's Office will take into account any difficulties a smaller firm might encounter when trying to comply with the law.

Aside from these minor stipulations, small businesses should consider themselves equal to larger firms in the eyes of GDPR. This includes keeping internal records if you do not meet the exemption criteria.

What's more, GDPR places obligations on processors as well as controllers, and a controller may only use processors that give sufficient guarantees of compliance. A small business acting as a supplier to a larger corporation should therefore expect a data processing agreement that binds it to the same legal requirements, and it can be held liable alongside its customer for damage caused by non-compliant processing.

Do I need a data protection officer?

Yes, you might. Whether you need one depends on the nature and scale of your processing rather than the size of your business. If your core activities require "regular and systematic monitoring of data subjects on a large scale" then you must appoint a data protection officer.

You must also appoint one if your core activities involve large-scale processing of special category data - ethnicity, religious or philosophical beliefs, political opinions, trade union membership, genetic or biometric data, health, sex life or sexual orientation - or of data about criminal convictions and offences.

GDPR does allow a group of undertakings to appoint a single data protection officer between them, as long as the officer is easily accessible from each establishment.

The data protection officer is there to "inform and advise" on data collection practices and monitor compliance, as well as acting as the point of contact with the data protection authority, which in the UK is the Information Commissioner's Office.

What fines must I pay for getting it wrong?

Organisations face fines of up to 2% of their worldwide annual turnover or €10 million, whichever is higher, for infringing the regulation's obligations on controllers and processors. This lower tier covers failures such as not keeping records of processing, not appointing a data protection officer when one is required, not carrying out an adequate data protection impact assessment, and not implementing appropriate security measures under Article 32.

Infringements of the basic principles of processing (including lawfulness, the conditions for consent and the integrity and confidentiality principle), of data subjects' rights, or of the rules on international transfers carry the higher tier of 4% of turnover or €20 million, whichever is higher. A data breach is not itself a fine trigger, but a breach that results from a failure to keep personal data secure can be treated as an infringement of the integrity and confidentiality principle, which is why breaches can attract the higher tier. Under the UK GDPR the equivalent caps are £8.7 million and £17.5 million.

The "whichever is higher" is the key phrase for SMBs, which could be financially ruined by a single penalty, meaning the risks are just as big - if not bigger - than for a multinational enterprise that could absorb the fine in its next financial quarter without much impact on its share price.

However, these fines must also be "effective, proportionate and dissuasive" (a point vendors offering data protection services often forget to mention), and the regulator must weigh factors such as the nature and gravity of the infringement, whether it was intentional or negligent, the measures you took to mitigate the damage, your degree of cooperation and any previous infringements. If you can demonstrate (through your records of processing and your data protection impact assessments) that your policies and governance framework were designed to adhere to GDPR, but you still suffer a breach, the ICO is unlikely to levy a harsh fine against you.

If, however, you cannot prove you've made any effort to comply with GDPR, and look ignorant of the law, the ICO will be more likely to issue a higher fine.

Should I be 100% GDPR compliant by now?

Although GDPR is now several years old, most companies are yet to be fully compliant with it. Full compliance is a moving target, and some provisions appear at first to sit uneasily with other legal requirements UK businesses face, such as the record retention periods demanded by tax law. In those cases the regulation itself usually provides the answer: the right to erasure, for example, does not apply where you are legally required to keep the data, and "legal obligation" is one of the lawful bases for processing.

The good news is that the ICO is sensitive to this issue, and provided you can demonstrate a will to abide by the regulations, you're unlikely to receive a visit from an enforcement officer.

However, there are some clear steps to take to align your internal processes and practices with the data protection rules. A great place to start is to take a look at the ICO's 12-step guide to preparing for GDPR.

Some highlights here for SMBs are:

Conduct a data protection impact assessment (DPIA) - a DPIA is mandatory wherever processing is likely to result in a high risk to the rights and freedoms of data subjects, for example large-scale profiling, systematic monitoring or processing of special category data; the ICO publishes a list of processing operations that always require one. Even where it is not strictly required, a documented assessment of how your processing may affect customers goes a long way to demonstrating your commitment to the law.

Document what personal data you hold - understand what personal data you hold, where it came from, who you share it with, what it was collected for, how long you keep it, and whether it's still relevant and necessary for those purposes.

Ensure you can honour data subjects' requests - under GDPR, anyone whose data you hold (not only EU citizens) can ask for a copy of it, or request that you correct it, delete it, restrict its use, or move it to a different organisation. Your processes and technology must make it possible to respond to these requests (read 'demands') within one month, extendable by a further two months only for complex or numerous requests.

Establish a lawful basis for processing data - under GDPR, pre-ticked or opt-out boxes aren't good enough anymore. Instead, you must identify one of the six lawful bases (consent, contract, legal obligation, vital interests, public task or legitimate interests) for each processing activity. If you rely on consent, it must be a freely given, specific, informed and unambiguous opt-in for a clearly defined purpose, and it can be withdrawn at any time, so it's wise to consider whether another lawful basis fits your processing better.

Prepare for data breaches - ensure your processes enable you to notify the ICO of a personal data breach within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and to inform the affected individuals without undue delay where the risk to them is high.

Appoint a data protection officer - as discussed above, a DPO is an essential part of GDPR for businesses performing large-scale data processing. Appoint one sooner rather than later if this role is one your company must designate under the legislation.

How Brexit will affect small businesses

When GDPR came into force several years ago, one of the biggest concerns at the time was what the uncertain relationship between the UK and the EU might mean for businesses’ capacity to move data across borders. The biggest worry was that a no-deal Brexit would put a stop to data transfers from EU territories to the UK, meaning small UK businesses storing data in Europe for any particular reason would face monumental disruption and high costs.

These issues stemmed from the lack of a data adequacy decision for the UK. Adequacy is what allows personal data to flow from the EU to a third country - the classification the UK now falls under - without additional safeguards. Since the Withdrawal Agreement contained no provisions for adequacy, the EU had to assess whether the UK's laws offered protection essentially equivalent to its own.

Without an adequacy decision, businesses would need to rely on standard contractual clauses (SCCs) or binding corporate rules, which are expensive channels that require heavy legal consultation; this is something small businesses would have struggled with. What's more, the validity of SCCs themselves was challenged before the Court of Justice of the European Union. Its Schrems II ruling in July 2020 struck down the EU-US Privacy Shield as a mechanism for transferring data from the EU to the US, but left SCCs usable, provided the exporter assesses whether the destination country's laws undermine the protection the clauses are meant to provide.

In the meantime, the Trade and Cooperation Agreement provided a bridging period during which EU-to-UK transfers could continue. Following a few months of delay, the European Commission published draft adequacy decisions for the UK in February this year and formally adopted them in June. The decisions, however, contain a sunset clause: they expire after four years unless the EU renews them after reassessing whether the UK's data protection laws remain in line with GDPR, and they don't prevent legal challenges in the meantime.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.