Understanding the key points of GDPR: Data protection in the UK
Posted: Mon 2nd Dec 2024
As individuals, we share countless pieces of information online – from shopping habits to personal preferences – often without fully understanding how that data is being used.
Enter the General Data Protection Regulation (GDPR), a comprehensive framework of strict rules designed to protect our personal data and give us control over how it's processed.
Implemented across the UK (and the European Union) in 2018, GDPR has radically transformed the way businesses manage and protect sensitive information.
Understanding GDPR is essential for safeguarding your privacy. In this blog, we'll break down GDPR in simple terms, explain why it matters and tell you what to do to stay informed and protected in this data-driven age.
What is GDPR and why is it important for small businesses?
GDPR is a data protection law that came into effect in 2018 to safeguard the personal data of individuals in the EU and UK. For small businesses, it governs how you collect, store and use customer data, such as a person's name, address, email address and even IP address.
Why it matters
Customer trust: Not keeping to the rules can risk harming your reputation and losing customers.
Financial penalties: Businesses can face fines of up to £17.5 million or 4% of their yearly global turnover, whichever is greater.
Business growth: Demonstrating that you follow GDPR can set you apart from competitors, especially in industries where customers are wary of sharing their personal details.
Key principles of GDPR every small business should know
Here are the six main areas of GDPR explained in simple terms:
1. Lawful processing
You must have a valid reason to process personal data. This can include the following:
Contractual reasons: Processing the information is necessary for the contract you have with the individual
Legal obligations: Processing is necessary for you to comply with a legal obligation
Vital interests: To protect someone's life
Public task: Your processing activities are necessary for you to perform a task in the public interest
Legitimate interests: Processing is necessary for your, or a third party's, legitimate purposes
You still need a good reason for personal data processing, but now you must be more transparent about why you're collecting people's data in the first place.
A perfect example is when you buy something from a website and they automatically tick the boxes that give them consent to use your email for marketing purposes. That isn't an option anymore.
As a business, you need people to opt in to receiving these things. But don't panic. If you already have an ongoing relationship with the person – i.e. they're already your customer – you don't need to get their consent all over again.
2. Transparency
You must tell individuals how you're using their data. You typically do this through a privacy notice on your website.
Many small businesses don't realise their existing privacy policies may be outdated or incomplete. If this applies to you, use templates from reputable sources to create a privacy policy that's tailored to what you do.
3. Individual rights
People have data protection rights such as:
the right to access their data ("right of access")
the right to have inaccurate data corrected ("right to rectification")
the right to have their data deleted ("right to erasure")
the right to ask you not to process their personal data ("right to restrict processing")
the right to obtain and reuse their personal data for their own purposes across different services ("right to data portability")
the right to object to their personal data being processed in certain circumstances ("right to object")
Example: A customer asks you to delete their entire purchase history. You must comply unless there's a legitimate reason to retain it (for example, for tax purposes).
Employees' requests to see data
If an employee requests data from their file via what's known as a subject access request (for example 'I'd like copies of all of my performance reviews'), you used to be able to charge an administration fee of £10 to do this. You also had 40 days to complete the request.
GDPR has changed this by removing the fees and giving businesses less time to respond. You now only have 30 days.
In real terms, this means you need to review the process you follow (or would follow, if you've never handled one before) to make sure you can get the information to someone within 30 days.
'What happens if their request is complex?' you ask. Well, in these scenarios, let the person know within one month of receiving their request that there will be an extension to the timescale and exactly why. These scenarios are normally few and far between.
4. Data security
Under GDPR, you must safeguard personal data with appropriate security measures, such as encrypting files or securing passwords.
Unfortunately, many small businesses underestimate the potential risk of data breaches. Use affordable tools like password managers and basic encryption software to protect the data you hold.
5. Personal data breaches
If a data breach occurs, you must report it to the Information Commissioner's Office (ICO) within 72 hours if it poses a risk to individuals.
Example: A small marketing agency discovers someone has gained unauthorised access to customer data. They promptly inform the ICO and the clients who are affected, to demonstrate accountability.
6. Data protection officer (DPO)
Some businesses must appoint a DPO, particularly if they handle large volumes of personal data. For most small businesses, this isn't necessary, but assigning responsibility to a team member can still help make sure your processing has a lawful basis.
This requirement would apply if, for example, you're carrying out large-scale processing of special categories of data, or processing data relating to criminal convictions or offences.
Practical steps to make sure you're complying with GDPR
1. Audit your data
Identify what personal data you collect, how it's stored and who has access.
Make sure you only collect data that's necessary for your operations.
2. Update your privacy notices
Clearly explain in plain English how you use customers' data.
Make your privacy notice easy for people to find on your website or point of sale.
3. Get consent properly
Use opt-in checkboxes for marketing emails rather than pre-ticked boxes.
Keep records of when and how consent was given.
4. Train your team
Educate employees on GDPR principles, data protection practices and the importance of data security.
Implement clear policies for handling data.
5. Secure your systems
Use strong passwords and enable two-factor authentication (2FA).
Regularly update software to protect against vulnerabilities.
6. Prepare for breaches
Create a plan for responding to data breaches.
Document incidents, even if they don't need to be reported to the ICO.
Key takeaways
Data protection is an integral part of running a modern business, no matter how small. By understanding GDPR and taking proactive steps to comply, you can protect your business while building trust with your customers.
Ready to get started? Follow the checklist above and consult the ICO website for further guidance tailored to small businesses. Keeping to the rules of GDPR might feel overwhelming at first, but with the right approach, it's entirely achievable – and beneficial for your business in the long run.