Frequently Asked Questions

Below you'll find answers to the questions most asked about data protection for small businesses and GDPR for micro businesses.

These Q&As cover the most general and important GDPR information that any non-compliant business owner should be made aware of. From this they can decide whether they should take legal advice, comply with the law and ensure their business is compliant. After all, it is they who risk GDPR fines, a criminal record and the possible loss of their business.

The General Data Protection Regulation (GDPR) is a regulation in EU law relating to data protection and privacy for all individuals. Why and how it affects most SMEs, small businesses and micro businesses is answered in the GDPR consultant's GDPR summary.

Wrong. GDPR applies to all businesses, including yours, if you are:

  • A self employed person running any type of SME or micro business
  • A self employed person running a home based business
  • A franchisee or a franchisor
  • A charity
  • A place of worship
  • A self employed sales person
  • Involved with any type of online or offline business opportunity
  • Operating an MLM network marketing business

Ask yourself how regularly your business deals with personal data. That includes customers, suppliers, and employees past and present. And is there anything else you've collected that doesn't fall into any of these groups? No matter the business size or sector, if your business is handling personal data then it is critical that your GDPR assessment is taken as seriously as possible.

If you bear in mind that places of worship and charities are not even exempt, then probably not. Many small business owners believe they are exempt from GDPR, based on hearsay from friends or colleagues, their own inaccurate interpretation of the regulation, or incorrect use of the ICO self-assessment tool. The ICO clearly states that its guidance focuses on the general application of the GDPR, not on specific sectors or individual businesses. To confirm whether your business is exempt, you are advised to take advantage of free GDPR legal advice.

Personal data means information that can be used to identify a person. That includes a name, address, telephone number, ID number or even a CCTV image. If your business collects even a small amount of personal data, offline and/or online, you must comply with the GDPR.

Generally speaking, a Controller is the person who owns the collected data and a Processor is a person who processes data on behalf of a Controller. However, you can collect data yourself and process it on behalf of others, and therefore be both. Or, as in the case of many small businesses, you will be collecting, controlling and processing data yourself, and therefore be both.

Without appropriate policies and procedures in place, non-compliance will be obvious to any knowledgeable client, supplier or member of staff. People are becoming far more concerned about their data, and there will be consequences when data subjects start exercising their rights under GDPR; in many cases small businesses will be the ones to suffer. Even where a personal grievance, rivalry or grudge exists, a non-compliant business could find itself reported to the regulator.

As well as individuals affected by your non-compliance being able to take legal action against you and claim compensation, you could be hit by any of the different GDPR fines.

There are different GDPR fines for non-compliance, depending on the severity of the breach. The maximum GDPR fine for the most serious infringements is up to 4% of the company's turnover, or £17m, whichever is higher. For less serious breaches (such as inadequate record keeping), companies can be fined up to 2% of their turnover, or £8m. Any small business can face an initial GDPR fine of £500 for trading without an ICO licence, before further investigation from the regulator.

Aside from the fact that you will be abiding by the law and not leaving your business at risk from ICO action or GDPR fines, there are a host of other benefits that GDPR implementation can bring to your business. Here are just a few:

  • Data breaches are happening more than ever, and being GDPR certified gives your business an added security factor.
  • By demonstrating GDPR compliancy, companies are likely to benefit from greater levels of trust with their customers.
  • People aren’t keen on having their data lost or misused, so protecting your clients from this might be a unique selling point.
  • A well-considered information handling process will reflect extremely well on any business with its suppliers and staff.

Many businesses are already reaping the benefits of GDPR compliance via GDPR accreditation and certification. Understanding the updated criteria required to become a preferred supplier will only become more important in the future.

Be assured, it's not just you. Many small business owners find the whole subject of GDPR far too complicated to deal with, and while they want to comply and avoid any unnecessary issues or GDPR fines, they just don't know where to start. This is where the independent Small Business GDPR Consultant can bridge the gap by introducing them to specialised GDPR legal representation, who can then advise and assist further with their GDPR implementation.

The Small Business GDPR Consultant works with a specialist GDPR and data protection law firm that helps with GDPR for small businesses. The information you provide via the free GDPR legal advice form is assessed before a GDPR legal consultant calls you to discuss obligations specific to your business. The consultation will take no more than 10 minutes and is free of charge. You can then either be confident that your business is already fully GDPR compliant, or be made aware of the steps you need to take to ensure your legal compliance. Where any compliance services are necessary, the GDPR legal consultant can discuss these with you.

Absorbing the requirements of GDPR need not be a costly ordeal. Much depends on where you currently are in terms of data protection and on the complexity, volume and sensitivity of the personal data you hold. Any business wary of investing, or trying to cut corners with GDPR compliance, is at risk of encountering far higher costs as a result of non-compliance. As well as shielding you from the possibility of fines, investing in compliance can help you position yourself as a data protection "champion" and potentially provide a valuable competitive edge. Also, any business which suffers a data breach is at risk of reputational damage. Before considering the potential cost of achieving compliance, a business owner should take advantage of a free legal GDPR consultation for advice specific to their circumstances.