8 top tips for small businesses striving for GDPR compliance

GDPR and data for small business

How compliant is your business?

It’s been just over a year now since the General Data Protection Regulation (GDPR) came into effect. 25 May 2018 is the date from which the member countries of the EU agreed to comply with regulations that aim to bolster the rights that citizens of the EU have over the data held about them by companies [1].

Now that the dust has settled, the impact of GDPR on how businesses handle data can already be seen. Some changes to processes, such as the deletion of data after its intended use, are the more obvious examples, while a more general change of mindset for businesses has also been achieved. Data protection and privacy have moved from a back-office, often-ignored compliance matter to an important issue that is on the agenda of almost all companies, large and small [2].

On the customer side, there’s also been a mentality shift: consumers are now more aware of their rights concerning the personal data that is being collected and processed about them.

However, GDPR is a different proposition for larger businesses compared to what it means for smaller businesses.

Large companies usually have specialist staff and departments to monitor and manage compliance issues and regulation, whereas this is often not the case for smaller firms, which may lack the expertise to do so.

As GDPR applies across the board to all EU-based businesses, we’ve collated from xero.com [3] and simplybusiness.co.uk [4] our chosen 8 top tips to help small business owners embrace and navigate the GDPR-compliant environment:


1. Understand your data

Make sure you know the difference between personal data (e.g. name, address, email) and sensitive personal data (e.g. religious views, political opinions). Also, be clear on where the data is coming from, where it is sent and how you use it.


2. Products/services oversight

You need to know which of your products/services result in the collection and processing of personal data, and you must have a legal basis to process it.


3. Subject Access Requests (SARs)

Ensure you’re able to deliver on the obligations you have to your customers, for example the right of access to their personal data, the right to rectify inaccurate information and the right to have it erased.

Each request carries a timeframe and deadline of one month from the original date of the request.


4. Review notices and contracts

Your internal and external notices must be up to date, and your customer contracts must also be GDPR-compliant.


5. Assign responsibility

Someone in your organisation needs to be responsible for data protection, privacy and regulation. You could go as far as to appoint a Data Protection Officer (DPO) specifically to deal with GDPR-related matters, or simply assign these responsibilities to an existing employee.


6. Upskill your employees

Your employees need to know what a personal data breach is, how to spot one and what to do next. It could be worth creating processes to flag up any potential breaches to help facilitate this. Serious data breaches need to be reported within 72 hours, and your employees should be aware that any data-breach-related mistakes must be reported to the assigned DPO or equivalent.


7. Tighten security

The systems you use to collect, process and store personal data should be secure.

One way to help achieve this is to use encryption broadly, as a form of damage limitation in the event of a data breach.


8. Scrutinise your supply chain

All of your suppliers and contractors need to be GDPR-compliant as well. You could be impacted by any breaches and penalties imposed on your suppliers should they not be adhering to the regulation. Check the contract terms you have in place with suppliers too.

Hopefully, you and your business are already on top of the new(ish) regulation that helps protect people’s personal data. Even so, we hope these tips help you think further about what you could be doing to protect not only your customers but also your business from the penalties that result from a lack of compliance.

[1] https://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know

[2] https://www.techrepublic.com/article/how-has-gdpr-actually-affected-businesses/

[3] https://www.xero.com/uk/resources/small-business-guides/business-management/gdpr-explained-for-small-business-and-advisors/

[4] https://www.simplybusiness.co.uk/knowledge/articles/2017/11/what-is-gdpr-for-small-business/

The views, opinions and positions expressed within the British Gas Business Blog are those of the author alone and do not represent those of British Gas. The accuracy, completeness and validity of any statements made within this blog are not guaranteed. British Gas accepts no liability for any errors, omissions or representations. The copyright in the content within the British Gas Business Blog belongs to the authors of such content and any liability with regards to infringement of intellectual property rights remains with them. For more information about the mix of fuels used to generate our electricity simply visit britishgas.co.uk/business/about-us. You can find information about how to make a complaint at britishgas.co.uk/business/complaints.