Step-by-step guide to GDPR for SMEs
Farringford Legal
Legal services for SMEs | We are your new in-house legal team | Making the law fit YOUR small business
As consumers we are all used to being asked permission for our data to be used, stored or processed. In today’s mainly digital age this permission is generally sought during an online transaction, when signing up to a newsletter for a discount, requesting information or entering a competition.
So, naturally, as a small business you are likely to be dealing with people’s personal data on a regular basis. This can be anyone from a client to an employee or prospect. As an SME owner you will need to understand your responsibilities in relation to data protection.
GDPR and DPA
The DPA (Data Protection Act 2018) is the implementation of the UK General Data Protection Regulation, otherwise known as GDPR. This legislation was created to protect an individual’s right to privacy and to let them understand what is being done with their personal data or information. UK GDPR is enforced by the Information Commissioner’s Office.
Breaches of these regulations can result in significant fines, so it is advisable to get to grips with what is required for your business and how you can avoid failing to comply. We have created this step-by-step guide to GDPR for SMEs.
Step 1: Understand GDPR and DPA and how they impact SMEs
Data collection is governed by the UK GDPR and DPA, regardless of whether the data is stored in a spreadsheet, on your computer, on a mobile phone, or in the cloud. Neither manual nor automated collection is exempt from the GDPR and DPA. These regulations have been created to give people more control over their personal data and to better regulate how businesses manage that data. It is your responsibility, as a business owner, to be aware of how these regulations might affect your company. Your employees should also understand the role they play in ensuring compliance.
If you are processing personal data you must register with the Information Commissioner’s Office (ICO), the UK regulator.
Step 2: Identify the data controller and the data processor
Data controllers make decisions about how personal data is used. The data processor collects and/or analyses data on behalf of the data controller. For example, when an SME pays salaries to employees through a payroll handling company, the SME acts as the controller and the payroll company as the processor. The controller should ensure the data processor keeps records demonstrating its compliance in handling the data, even after the data has been handed over. It is important that you have a data privacy notice for your employees and consultants to allow you to collect this data. Please talk to Farringford Legal if you don’t have one and we can provide this for you.
The ICO has very detailed documents which will help you identify the role you may have under GDPR.
Step 3: Design a system to protect privacy
Before you start collecting any data, you will need to put processes in place to safeguard it. Simply put, you must ensure that data is appropriately protected, which means that you should consider encrypting any database that will hold your clients’ data rather than merely password protecting it.
Step 4: Draft your privacy policy and data protection policy and display them appropriately
You will need a privacy policy, which is an external document, usually found on a company’s website. This should explain how you collect data, how you store it and what you do and don’t do with it, along with how data subjects can access it and have it removed.
You will also need an internal document, known as a data protection policy, which tells everyone within your business what to do with the data which is collected, how to process it, how to store it and how to respond to requests for access to the data.
Think of them as two sides of the same coin.
Farringford Legal’s highly experienced team are on hand to draft your policies.
Step 5: Start to document all personal data your business owns
Personal data is defined as information about individuals that can be used to identify them. It includes name, address, postcode, email address, phone number and voice/image, as well as sensitive personal data, including political views, religious or philosophical beliefs, trade union membership, genetic information, biometric data and sexual orientation.
You must document all instances of personal data collection. This is a requirement under the regulations: you will need to complete a Record of Processing Activities (ROPA). You can find templates on the ICO website. Every piece of personal data a business holds has to be recorded, including where it originated from and how it is used. The person who has provided their data is known as the data subject.
Step 6: Ensure you have a lawful basis to process data
Before you start processing personal data you need to ensure you have a legal basis for doing so. There are six lawful bases for processing data, and you must be able to demonstrate that your processing satisfies at least one of them.
The six bases, with more details on each, are set out on the ICO website.
Step 7: Get required consent
As a small business, there is a high chance you will be looking to collect data for marketing purposes. When doing so, remember that the data subject needs to give explicit permission for you to hold and act on their data. That means no agreements hidden within other requests. You must explain why you need personal data and obtain consent to process sensitive personal information. Consumers have the right to object to marketing and to withdraw consent for you to use their data.
The ICO has advice on how to go about obtaining consent. You should regularly audit your processes to ensure compliance.
Step 8: Oversight of the process
Always bear in mind that, as data controller, if you allocate data processing to a third party it is your responsibility to ensure they are acting in a compliant manner. For example, if you use an online newsletter application, they are processing data on your behalf and you need to ensure they are fully compliant. You will need to conduct due diligence on their processes to ensure they are meeting their own obligations.
Step 9: Outsourcing of data handling
If you employ an external data processor for any purpose, you should review the data processing agreements with them to ensure compliance. We recommend that these are tailored to your business, which is not always the case. These agreements must be in accordance with the GDPR. The team at Farringford Legal work with businesses to review and draft these bespoke documents.
Step 10: Decide if you need a Data Protection Officer (DPO)
Unless you are involved in systematic data monitoring or processing personal data on a significant scale, you are not obliged to appoint a Data Protection Officer (DPO) if you have fewer than 250 employees. You can engage an independent DPO to check that your business follows the rules.
Step 11: Access and control
The GDPR states that the data subject has the right to control their data, including the right to have their personal data deleted, to receive and reuse their data, and to securely move, copy or transfer their data. You will need a system in place so that any customers, workers or contractors know whom to contact to access their information, evaluate it properly and let you know if they want it erased.
Furthermore, everyone has the right to see any personal information that is being stored by any organisation. According to GDPR, an organisation must respond to a request for this within one month of receiving it. This kind of request should only be made in extraordinary circumstances.
Step 12: Notification of a breach
Big data breaches often make the news, with fines in the tens of millions being issued for the most serious, but smaller breaches are dealt with in much lower-profile ways.
Any breach of GDPR should be reported to the data subject and the mistake put right. This would cover basic errors such as allowing a contractor access to your data or an employee misplacing a laptop.
Certain breaches need to be reported to the ICO for investigation. These tend to be where a breach may risk the rights and freedoms of the data subjects.
Step 13: Educate your staff
We would advise your teams to have regular and robust training on the responsibilities of the business and its employees in relation to GDPR compliance.
Once you can get your head around these key steps, you will have the basics in place and be well-placed to deal with whatever data protection might throw at you.
A final thought - Suppliers and the explosion of AI
Ensuring that contracts with suppliers who process data on your behalf are current and comprehensive is essential. Conducting due diligence, such as audits, to verify their adherence to secure data handling practices is advisable.
With the rise of AI and the new EU AI Act coming into force, conducting due diligence on any AI tools you are using should be treated as critical. This also means ensuring your suppliers are compliant if they are using AI in the processes of managing your relationship.
Farringford Legal is a partner for growth, providing affordable, expert legal services with a client-centric, entrepreneurial approach. We are not just lawyers; we are allies in your business journey, adapting as your business evolves, deeply trustworthy, always responsive.
www.farringfordlegal.co.uk | [email protected] | 020 8941 7324
This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.