By now, you’ve probably heard about the new General Data Protection Regulation, otherwise known as GDPR, which came into force on 25th May.

GDPR is the law which sets the minimum standards for collecting and processing the personal information of individuals within the European Union (EU). Failing to comply with these standards could be very expensive for small business owners – namely, a fine of up to €20 million or 4% of your company’s annual turnover (whichever is higher).

In the worst-case scenarios, company directors can receive criminal convictions. That’s why we’ve created a checklist of five crucial GDPR points all small business owners need to consider.

1- Audit your data and then some

Whether you’re a data controller who determines how the data you own will be used, or a data processor who processes data on a controller’s behalf, it’s vital to keep an up-to-date record of the personal data you have. You also need to assess the following:

• What data do you hold?

• How did you obtain that data?

• Why do you hold that data?

• Have you received the correct authorisation to use that data?

• What do you plan to do with the data?

There a number of ways you can answer the above questions. Something as simple as putting together a questionnaire will help you (and potentially anyone working for you) keep on top of what personal data you hold, and where and why you hold it. If you employ staff, you should arrange regular meetings with the key business areas to establish how they use data and to make sure their records are up to date. What’s more, carrying out regular audits will make sure you only have relevant data which you’ve been given permission to use, and which is necessary for your business to complete its necessary tasks.

gdpr for small businesses

2- Appoint a data protection officer

Section 4 of GDPR stipulates that you must appoint a data protection officer (DPO) if you are:

• A public authority.

• A private sector data controller whose core activities consist of processing operations that require ‘regular and systematic monitoring of data subjects on a large scale’.

•A private sector data controller whose core activities consist of processing special categories of personal data – i.e. sensitive personal data under the UK DPA.

The role of a DPO is to monitor your business’ compliance with GDPR and ensure that your business is adequately protecting personal data.

Essentially, they are the watchdog of internal data processing and should provide any risk-based advice accordingly.

If you’re a sole trader, you’re not obliged to appoint a DPO, as this law only applies to public authorities or businesses that carry out certain types of processing activities. However, most organisations that handle personal data should designate someone to oversee GDPR compliance, even if they aren’t technically a DPO.

You can also outsource the role of DPO, but to do this you must gain assurance through interviews, presentations and questionnaires that the potential outsourced DPO has the professional skills and capabilities for the role. Although this sounds like a laborious process, there are advice pieces which guide you on the questions to ask when outsourcing a DPO.

gdpr for small businesses

3. Create a clear privacy policy

You’re still reading this article, which leads us to believe you have a vested interest in following GDPR best practice!

Another way in which you can do this is by putting together a concise and transparent privacy policy which is easy to access, so that your data subjects know what you’re doing with their personal information.

Your privacy policy needs to be actively communicated if you are collecting personal data. Any privacy policy you create should clearly explain the name and location of your business, what you are going to do with the information you own and who it will be shared with.

You can communicate your privacy policy in a number of ways – for instance, by providing an overview to someone on the phone, detailing it in writing through application forms and agreements, including it on your website or by emailing your customers – provided you have the relevant marketing consent.

However, marketing consent needs to be explicit and freely given, i.e. you should give your customers genuine choice and control over how you use their data. If they don’t have any real choice or are unable to refuse or withdraw consent without detriment then their consent is not freely given and you cannot use their data for marketing purposes.

If you have a company website, there should be a link to your privacy policy at every data collection point on said website. You should also include a cookie policy that reflects the cookies your website uses and the data you’re storing on each user.

What’s more, you should have a message informing users that your site uses cookies and exactly what it uses cookies for, plus giving them the option to either accept or reject cookies. Fortunately, there are a number of free tools to help you do this.

4. Have stringent security measures in place

Even by enforcing the most meticulous measures, all organisations are vulnerable to data breaches. However, you will give yourself the best chance of avoiding a breach by thoroughly reviewing your company’s technical and organisational security.

Technical security refers to the techniques used to prevent the theft of sensitive data and information, such as reviewing the quality of doors and locks, how you dispose of any paper and electronic waste and how you keep IT systems and equipment secure in order to prevent cyber attacks.

Organisational security measures, on the other hand, might include conducting an information risk assessment, or carrying out periodic checks to ensure that your security measures remain appropriate and up to date.

If you’re the victim of a data breach, article 33 of GDPR states that you must report this breach to the ICO within 72 hours of its discovery. Any breach notification needs to include the nature of the breach, the number of individuals concerned and an overview of the consequences.

You can also take measures to anonymise data, such as pseudonymisation and encryption.

gdpr for small businesses

5. Train your staff on GDPR

Instructing your employees to fulfil certain tasks in relation to GDPR can only give them so much of a grasp of it. To make sure they’re fully aware of GDPR and understand why it’s being introduced, you need to provide adequate training to your staff.

This could be in the form of a presentation explaining what GDPR covers, what it means for your business, what steps you’re taking to comply with the legislation and what happens next. But staff handling personal data such as those in call centre or IT teams will need specific training on the GDPR compliant procedures they must follow.

It may also be worth drawing out some examples, where possible, of exactly what is and isn’t compliant with GDPR!


The content of this web page is a commentary on the GDPR, as Ripe Insurance for Small Business interprets it, as of the date of publication. As a result, this content is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.