I don’t know about you, but one acronym that makes me nervous about operating a business in the UK is GDPR. It feels like a minefield of regulation and complexity that makes me want to stick my head in the sand.

But I’ve learned it’s not as bad as you’d think. That’s why I’ve partnered this week with Jenny Feneley, who helps small business owners ensure they’re compliant and up to date.

Enjoy!

Ensuring GDPR Compliance: A Small Business Owner’s Guide to Data Protection

So, you’re running your own small business—yay! But, no! Now you have customers and personal information like names, addresses, email addresses, and phone numbers, maybe even profile photos. You know you need to think about GDPR, but it’s all so complicated. Well, yes, it is, but lots of clever people have untangled it and provided guidance for people like us—small business owners with limited Personally Identifiable Information (PII) needs. Let’s break it down.

Handling PII

Information Commissioner’s Office

First up, pay the data protection fee to the Information Commissioner’s Office (ICO).

The ICO is the UK’s independent authority responsible for upholding information rights in the public interest. It promotes openness by public bodies (through things like the FOI) and data privacy for individuals (through things like SAR).

If you handle PII, you need to pay the data protection fee. Find out if you need to do this by filling in the ICO’s self-assessment form here. They provide advice for small businesses here, but keep reading for summarized guidance.

This is an annual fee, so you need to keep it up to date.

Lawful Basis for Processing

Unfortunately, perhaps for your marketing efforts, you can’t just search the internet using some whizzy AI tool and start sending out emails to consumers. You must have a ‘lawful basis for processing,’ such as consent from the individual (see the next point), a contractual necessity, or a legal obligation.

Transparency and Consent

Make sure you have a privacy policy on your website or apps. When collecting data, ensure that users can actively consent. Do you remember when all the websites changed from opt-out to opt-in? If you’re old enough like me! That was when GDPR regulations came in.

Data Minimization

Have you ever wondered why you have to give your birth date instead of just confirming you're over 18 on a web form? Me too! We are only allowed to collect data necessary for business operations. So, strip back those customer sign-up forms—it might improve the user experience too.

Security Measures

We often hear about personal information leaks from corporations and government agencies. Sadly, small business owners are not immune; in fact, we are often targeted because cybercriminals assume we have weaker security. Here are some cybersecurity tips:

• Implement a strong and unique password policy.
• Update your apps, software, and firmware regularly.
• Only download apps and software from official, trusted sources.
• Enable Multi-Factor Authentication (2FA) for all users.
• Conduct annual cybersecurity training and include it in employee onboarding.
• Educate your team about phishing and smishing threats.
• Backup your data to avoid losing vital information.

Retention

You can’t keep personal data forever—you can only keep it as long as required. Ideally, as you grow, you will create retention policies for your personal information records.

If you want to retain data for analytics, you can anonymize it.

Data Subject Rights

Your customers and employees have the right to access, correct, delete, and restrict the processing of their data. Ensure you can provide this information promptly when requested. You could even provide direct access via a secure portal.

Summary for Handling PII

• Lawful Basis for Processing: Ensure you have a valid reason for collecting and processing PII.
• Transparency and Consent: Clearly inform individuals about how their data will be used and obtain explicit consent.
• Data Minimization: Collect only the data you need for business operations.
• Security Measures: Implement strong security practices to protect PII.
• Data Subject Rights: Respect individuals' rights to access, correct, and delete their data.

What is Personally Identifiable Information (PII)?

PII includes any information that can be used to identify a person, either directly or indirectly. According to GDPR, examples of PII include:

• Name: Full name, initials, or even a pseudonym.
• Contact Information: Email addresses, phone numbers, and physical addresses.
• Identification Numbers: National ID numbers, passport numbers, and social security numbers.
• Online Identifiers: IP addresses, cookies, and device identifiers.
• Financial Information: Bank account details, credit card numbers, and transaction histories.
• Health Information: Medical records, health insurance details, and genetic data.
• Photographs and images: Profile photos could be used in reverse image searches.

Practical Steps for Small Business Owners

• Pay the ICO fee and renew it annually.
• Conduct a Data Audit to identify collected personal data and potential risks.
• Implement Security Measures as outlined above.
• Train Your Team on data protection and cybersecurity.
• Create a Data Breach Response Plan to quickly respond to incidents.
• Regularly Review and Update Policies to stay compliant with GDPR.
• Use trusted sources like the ICO to stay informed. Advice for small organisations | ICO

So that’s it…

Not too bad after all! If you want advice on how to demonstrate to your customers that you are serious about cybersecurity or explore our information security management training options, book a free 30-minute consultation with Collevo here.

Jenny Feneley