Don't get burnt by GDPR: data protection for small businesses

As a small business owner, you’ll naturally end up acquiring lots of different kinds of data from your customers, from email addresses and phone numbers to online ‘cookies’ and IP addresses. It’s your responsibility to keep all of this data safe, both to respect your customers’ privacy, and to comply with UK data protection legislation.

One of the most important regulations for your small business to be aware of is the General Data Protection Regulation (GDPR), an EU law implemented in 2018. GDPR was introduced to give individuals greater control over any of their personal data that might be held by third parties and it’s vital that all businesses are aware of their GDPR responsibilities.

This practical guide aims to help you make sure your small business complies with current data protection legislation. We’ll cover your obligations under GDPR and provide you with best practice tips to make the process as easy as possible.

Legislation aside - why is data protection important?

As a business owner, you’re legally required to keep the data you collect secure but it also makes great business sense to do so. In addition to mitigating the risk of receiving a data protection-related fine, putting proper processes in place around the data you store could give you a greater sense of control in your business. What’s more, customers may notice your efforts and appreciate how seriously you take the protection of their data.

Data protection might be a compliance obligation but it can also present an opportunity to get your business organised and build customer trust.

Your obligations under GDPR

Since it was implemented in 2018, GDPR has had wide-reaching implications for the way companies store data. As well as improving the rights that EU citizens have over their personal data, it has also transformed the way companies use that data to carry out sales and marketing activities. The UK government’s Data Protection Act 2018 ensures that the rules of GDPR will still apply in the event of the UK leaving the EU, so compliance will continue to be vital for UK businesses regardless of the outcome of Brexit negotiations.

As a small business owner, you control the data you gather and under Article 4 of GDPR you are considered a ‘data controller’. This is defined as “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.” This might sound confusing but, in essence, being a data controller simply means that you are responsible for managing your customers’ data.

Here’s a breakdown of the obligations of data controllers:

  • All the data you hold must comply with data quality principles (Article 6 of GDPR). As well as ensuring you have the correct legal basis to process personal data, you must also ensure that it is accurate. Think about the data you gather through your website (if you have one) as well as any other business activities that involve gathering data, such as storing customer contact details. These must be regularly checked for accuracy.
  • If you appoint a data processor, you must have a binding contract with them to limit their use of that data (Article 17, section 2 and 3). If you use accounting software like FreeAgent or the services of a third party such as a marketing agency, you need to have a written contract with them (which can be electronic) that details the limitations on the use of the data that they control. For example, if your marketing agency has your customer’s addresses, that doesn’t necessarily mean you’d like them to have the power to contact them whenever they please.
  • Data protection “by design and by default” (Article 25). Businesses are required to integrate the principles of GDPR into their processes in every way, so if you’re implementing any new systems, make sure they’re in line with GDPR from an early stage.
  • Appropriate technical security measures must be implemented (Article 32). By implementing appropriate security measures, such as secure passwords or 2-Step Verification, you are taking effective action in securing the data you hold. You can learn more about how to keep your data secure in our small business cyber security guide.
  • The obligation to report data breaches (Article 33). If your business suffers a data breach, you must report it. Examples of data breaches could include a sensitive email being sent to the wrong person, hackers gaining access to your systems or an unauthorised download of confidential data by an employee. In the UK, you need to report data breaches to the Information Commissioner's Office (ICO).

Approaches you could take to support GDPR compliance

Whether you’re reviewing your existing data protection processes or creating a new process from scratch, consider implementing some of these best practice approaches:

  • Don’t collect more data than you have to. When you’re gathering customer information or employee data, consider whether it’s vital that your business collects this information. For example, if you have a query form on your website, consider how many fields of data you really need to collect.
  • Always ensure that customer consent is explicit. It’s always best to be transparent about the customer data that you hold and how you use it. One of the best ways to ensure that your customers know what data you hold is by obtaining their explicit consent for data storage, making sure that it’s not “merely implied.” For example, you’ll notice that pop-up messages on websites will explicitly ask you for consent to track your activity.
  • Carry out regular audits and reviews. Compliance is not a one-off job; it’s a continuous process. Set time aside each year to review the data you hold and evaluate the security of your systems. You might want to consider hiring external consultants to complete these security audits for you if you need some extra expertise.
  • Signing up to the data protection register. As a small business owner, it’s likely that you collect personal data, such as your customers’ contact details or the personal information of any employees you might have. If this is the case, and even if you only process this data occasionally, you probably still need to sign up to the data protection register. The data protection register is run by the ICO and is a searchable online list of all UK businesses with data protection obligations. To find out if you need to register, how much you might need to pay and if you might meet any of the exemption criteria, the ICO has a handy self-assessment questionnaire.

Keeping things fresh: how to maintain good data hygiene

In order to meet the requirements of GDPR compliance, it’s important to maintain good data hygiene. ‘Clean’ data is accurate and secure, whereas ‘unclean’ data is compromised or inaccurate and storing it could lead you into some serious difficulties.

To keep your data spick and span, we suggest that you carry out the following checks on a regular basis:

  • Make backups of your data. There are lots of ways that you could lose the information that you store. Your digital files could become corrupted or you could lose your files in a cyber security incident like a ransomware attack. Luckily, however, there are plenty of cloud services and IT providers that can help you back up your data. Even using a simple external drive to back up your critical data would provide an additional degree of security and peace of mind.
  • Keep your software and mobile apps up to date. Although the majority of software updates are about making adjustments or adding new features to a product, there are also a great many that include security updates. With an ever-changing landscape of cyber scams, updating your software is crucial to keeping data safe online.
  • Invest in security training for you and your staff. Many online threats arise from cyber criminals attempting to trick you and your staff into taking unsafe actions. Phishing scams bait users into clicking deceptive links and entering sensitive information, whereas malware can enter your system when users are tricked into downloading suspicious online programs. Familiarising yourself with the basics of cyber security can really help you avoid falling foul of these types of threats. You might also want to consider investing in regular cyber security training for your staff to keep everyone’s knowledge and awareness up to date.

We hope that this guide has given you a better understanding of data protection best practice and that you can now determine what changes your business might need to make to become GDPR-compliant. When it comes to something as complex as accounting, data security is more crucial than ever. Find out how FreeAgent can help you keep all your financial data organised and secure.

Are you an accountant or bookkeeper?

Find out more about FreeAgent for your practice.