In 2019, GDPR.EU asked over 700 small business leaders in Europe about their GDPR compliance levels. The answers suggest there are gaps in data protection among small businesses. Only around half of respondents stated that they ‘completely agree’ with the following statements:
‘My organisation describes its data processing activities in clear, plain language to data subjects’
‘We always obtain consent or determine a lawful basis before processing personal data’
You can see the full survey results here.
Working out your route to compliance with the UK-GDPR and Data Protection Act 2018 can be difficult. This is particularly true when you’re running a small business. There are many other time pressures and activities that you feel might take priority.
However, compliance with the GDPR is a legal requirement and should not be ignored. Being compliant extends further than simply having a privacy notice and cookie banner on your website.
We’ve put together this short list of helpful things to consider when approaching data protection for small businesses.
Very often, we know that compliance with data protection legislation is something we need to do, without really being sure of what needs to be protected, and why. That needs to be established before we can move on to the how.
Ultimately, one of the main reasons you might be looking to ensure data handled by your business is protected is to ensure your customers, clients, and partners have trust in you.
The ICO has an SME Web Hub on its website which covers everything from the basics to the technical detail, including some information on the benefits of the data protection laws.
Being able to demonstrate solid data protection practices, allowing individuals to select their preferences, and showing a good level of compliance can all elevate trust from your customers. But just as easily as that trust can be gained, it can slip away again, for example in the event of a breach. Knowing how to deal with potential breaches is just as important as knowing your day-to-day data protection processes.
Any marketing activity you undertake needs to be compliant. This includes everything from directly contacting potential customers, collecting data through focus groups and surveys, and email marketing, to your online presence. You’ll also need to consider the PECR (Privacy and Electronic Communications Regulations).
We’ve recently put together this short article on cookies and similar technologies. Your website will need to have a privacy notice and a cookie notice to let visitors know what you collect, why, and how long you keep it for.
Visitors to your website need to be able to understand the notices, so they need to be simple, and opt-out options need to be clearly marked.
As per the ICO website:
“You will often need a person’s consent before you can send them a marketing message. If you do need consent, then – to be valid – consent must be knowingly and freely given, clear and specific. It must cover both your particular organisation and the type of communication you want to use (eg call, automated call, fax, email, text). It must involve some form of very clear positive action – for example, ticking a box, clicking an icon, or sending an email – and the person must fully understand that they are giving you consent.”
If you want more information on legal responsibilities when it comes to marketing activity, you can sign up for our autumn course covering the essentials.
Any organisation or individual that processes data must have a lawful basis on which to do so. Your website’s privacy notice should include a statement of which basis you are relying on.
There are six different lawful bases for processing:
- Consent – you have been given clear consent by the individual
- Contract – the processing is necessary for an existing or future contractual agreement
- Legal obligation – the processing is necessary to comply with the law
- Vital interests – processing the data is necessary to protect somebody’s life
- Public task – in order to perform a task in the public interest or for your official functions
- Legitimate interests – either yours or those of a third party, unless there is a good cause to protect the data which overrides the legitimate interest
It’s important to remember that while the rights available depend on the basis for processing, an individual always has the right to object to processing related to direct marketing.
Not simple, but necessary
Data protection for small businesses isn’t simple, but it is completely necessary – and it doesn’t have to be just another checkbox. If you’re unsure of the compliance of your business, or you’re after some refresher training, get in touch with us and we’d be happy to discuss this with you.