GDPR and The Small Businesses — UK Legal
3 REASONS WHY DATA PROTECTION AND GDPR APPLIES TO SMALL BUSINESSES AND ORGANISATIONS
Broadly, data protection is about collecting and then using (processing) an individual’s personal information in a lawful way and keeping it safe and secure.
As a small business, it’s easy to think that data protection, let alone the new General Data Protection Regulation changes which are coming into play in May 2018, does not affect your business. Let’s look at 3 reasons how data is likely to be used in your business.
(1) I don’t collect any data that matters
Many micro businesses, for example, a business selling hand-made items through a Facebook group, believe that they don’t have to bother with data protection because they don’t collect any data that matters.
Data protection aims to protect personal data which is information from which an individual can be identified. This means, for example, if you store names and addresses to take and send orders, this information will identify an individual.
At a pinch, if you’re using that information purely to deal with fulfilling customer orders you might not need to be registered with the Information Commissioner’s Office (known as the ICO and the organisation who enforce data protection and will be the GDPR supervisory authority in the UK). However, it doesn’t mean that you don’t have to comply with data protection laws.
(2) I only use data when an individual consents
I love it when you attend a business function and there is a glass bowl that you can throw your business card (i.e. my personal data because it contains my contact details) into with the anticipation of winning something.
As a business, it’s a great way to get yourself noticed and to collect data for marketing. So, for example, you may want to encourage me to make a purchase by sending me an email with a discount code.
However, unless some specific exemptions apply, data protection means that if you want to use my personal data it must be for one of several lawful reasons. One of those reason is my consent so you may think that it’s OK to send me that discount code.
In these circumstances, it would be fair to say that when I throw my card in I’m giving my consent to you using my contact details to tell me that I’ve won, or not. However, according to data protection I have not consented to you using my personal data for anything else unless
- before I gave you my card you made it very clear that you would also be using my contact details for marketing purposes and
- I still agreed to let you have my card because I agreed that you could do this
As an aside, in these circumstances you also need to be aware of the Privacy and Electronic Communications Regulations 2003 which may relate to your marketing.
(3) I’m a small business — GDPR says it only applies to business that has 250 or more employees
In theory, you may be right. However, you’ll find that, the ICO will disagree.
That’s because whilst GDPR says it only applies to business that have 250 or more employees, GDPR will apply if
- your data processing activities are likely to result in a risk to the rights and freedoms of data subjects or
- your data processing is “not occasional” (i.e. you routinely deal with data processing) or
- your data processing is in relation to special categories which relate to criminal offences and convictions
Finally, remember that irrespective of anything else, as a business you should still properly maintain and control the information you store and process.