What is GDPR?

Adopted in April 2016 and enforced in May 2018, many small business owners are still asking: “What is GDPR?”

The General Data Protection Regulation (GDPR) is a regulation in EU law relating to data protection and privacy for all individuals. The aim of the law is to prevent people or organisations from holding and using inaccurate information on individuals, whether relating to private lives or business. Now part of UK law, it applies to any type and size of business, including those classed as an SME, micro business or home based business. If you intend to operate within the law, your business must be GDPR compliant.

GDPR expands the rights of individuals to control how their personal data is collected and processed, and places a range of obligations on business owners to be more accountable for data protection. It is designed to give the public confidence about the use of their personal information and requires businesses to keep personal data safe and secure and ensure it is not misused. Very few small businesses are unaffected, and without GDPR compliance they risk a hefty fine, a criminal record and perhaps the loss of their business.

It cannot be emphasised enough that GDPR compliance is not simply a box ticking exercise; the regulation demands that you are able to demonstrate your compliance, ensure appropriate policies and procedures are in place, and build a workplace culture of data privacy. Most business owners are astonshed at the level of changes they are required to achieve, so those still asking - what is GDPR? - really should take legal advice specific to their own business, to fully understand their responsibilities.

GDPR Summary

GDPR "to do" lists, inaccurate advice, and the misinterpretations of those unqualified on the subject, are rife across the internet. You can spend an age on the ICO website, read a biblical amount of information, or listen to those friends and acquaintances who seem to know everything, but still, you will be none the wiser. Below is a GDPR summary, a non-exhaustive list of the minimum requirements of small business GDPR compliance which applies to most SME, micro and home based businesses.

• You must have an Information Commissioner’s Office (ICO) licence before you process any data.
• You must undertake an audit and consider the data your business currently holds and decide whether you are holding it legally under one of the six new acceptable reasons for doing so.
• You must understand what a Subject Access Request (SAR) is, and how to legally respond to it.
• You must write a bespoke privacy policy for your business with a number of prescribed sections covering the way you deal with data.
• You must ensure all communication with prospects, both old and new, complies with the new regulation. This includes specific and recent consent if appropriate, renewed consent from old contacts, while ensureing the communication references your privacy policy, ICO licence number, etc.
• If you have staff, you must ensure your privacy policy covers your HR and payroll function.
• If either HR or payroll is outsourced to third party providers you must have compliant contracts with the supplier, and evidence that the supplier is compliant themselves.
  
• If you have a CCTV system, either inside or outside the premises you must have a written policy document, staff training and keep records to comply with the legislation.
• You must have an updating and future-proofing plan for the business going forward.

This GDPR summary is a lot to take on board and implement. In many cases there will be additional specifics, yet so many business owners continue to think GDPR doesn't affect them. However, non-compliance and not operating your business within the law, could be costly at any time in the future. So, if you are a small business owner wondering if and how GDPR affects you, the Small Business GDPR Consultant would strongly recommend you seek initial free GDPR legal advice as soon as possible.