Menu Close


Small Businesses & the GDPR – Do They Have To Bother?

We Have Heard Of Many Stories On Social Media That Small Businesses Don’t Have To Bother With GDPR

Most Of This “Barrack Room” Advice Is Wrong!

So we have put together some FAQ’s 

What is the GDPR?
The General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It comes into effect on 25 May 2018.
My firm employs fewer than 250 people. Am I exempt from the GDPR?
You’ll have to comply with the GDPR regardless of your size, if you process personal data. If you employee staff, provide a service to the public or sell goods, you will likely fall under the UK Data Protection Act 2018 – our embodyment of the GDPR.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. You can find more detail in the key definitions section of our Guide to the GDPR.
Does the GDPR only apply to EU organisations?
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Size is a factor in a range of areas including the requirement to maintain records of processing.
How do we know if we’re a processor or controller?
A controller determines the purposes and means of processing personal data. A controller stores data (contact details, bank payment details, etc)
A processor is responsible for processing personal data on behalf of a controller. (Aweber, Infusionsoft, Mailchimp, Sage, Quickbooks, other apps)
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
Ask us for details if you are unsure.
Do I need to appoint a data protection officer (DPO)?
Under the GDPR, you must appoint a DPO in certain circumstances.
Ask us for details if you are unsure.
Can I have specific guidance for my sector?
Guidance focuses on the general application of the GDPR.
What are the rules under the GDPR for subject access requests?
The right of access under the GDPR contains important differences around fees, time limits, refusals, electronic format, refining requests and method of access.
Can you help me decide what to include in my privacy notice?
The GDPR sets out the information that you should supply and when individuals should be informed. We can provide you with a Privacy Notice for both customers and employees.
The information you supply about the processing of personal data must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

What are your criteria for issuing monetary penalties?
Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.
DO NOT BE INTIMIDATED BY THREATS, BUT BE AWARE THAT: There are certain criteria that need to be assessed before imposing a fine, many of which are similar to those the ICO would consider when determining whether to impose a penalty under the previous DPA, such as: the number of people affected, any damage to the data subjects, the negligent or intentional nature of the infringement and action taken by the data controller to mitigate the damage.
However, the GDPR has introduced some new criteria, such as:

  • The controller’s adherence to codes of conduct and approved certification mechanisms
  • The extent to which the data controller notified the supervisory authority of the infringement and co-operated with it.

As well as fines the ICO will have other tools to help them change the behaviour of organisations such as warnings, reprimands or corrective orders. They have and more likely always will exercise their powers proportionately and judiciously.
Do I always need consent?
In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate. Article 6 explains what is needed. Ask us for details if you are unsure.
You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.
It’s your responsibility to identify a lawful basis for processing under the GDPR. Ask us for details if you are unsure.
Is parental consent always required when collecting or processing children’s personal data?
The GDPR contains new provisions intended to enhance the protection of children’s personal data, in particular, privacy notices and parental consent for online services offered to children.
Article 8 imposes conditions on children’s consent, but it does not require parental consent in every case. Other lawful bases may still be available. Article 8 only applies when the controller is:

  • offering information society services (ISS) directly to children; and
  • wishes to rely on consent as its basis for processing.

So if an ISS is actually intended for parents to use, or if the controller is relying on a different lawful basis such as legitimate interests, then Article 8 won’t apply.
When does the right to data portability apply?
The right to data portability only applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.

What is large-scale processing?
The GDPR does not define what constitutes large-scale processing. However, processing may be on a large scale where it involves a wide range or large volume of personal data, where it takes place over a large geographical area, where a large number of people are affected, or it is extensive or has long-lasting effects. In many cases it is unlikely that small organisations will be processing on a large scale processing.
I want to know more about the rules on security under the GDPR
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.
Does my organisation need to register under the GDPR?
If you needed to register under the Data Protection Act 1998, then you will probably need to register, and pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.
The new Regulations will came into force on 25 May 2018. This doesn’t mean that everyone has to re-register and pay the new fee on that date. Data controllers who have a current registration (or notification) under the 1998 Act, do not have to re-register or pay the new fee until that registration has expired. Ask us for details if you are unsure.

Contact us on 0207 097 1434 or email

You May Also Be Interested In this Post – 

Small Business GDPR Audit


Recent Enquiry