The General Data Protection Regulation (GDPR) is a European Union law that protects the privacy and personal data of individuals in the EU and EEA. Small businesses handling personal data (like emails, names, or phone numbers) must follow GDPR rules.
Don’t worry—GDPR compliance is achievable with a few straightforward steps. This guide will help you understand what data you need to protect, the rules around data handling, and the steps to protect your business and your customers’ trust.
Key GDPR terminology small businesses need to know
A company processing personal data should know the key terms used in the GDPR. The most important ones are as follows:
Personal Data | Any information relating to an identified or identifiable person (the Data Subject in GDPR language), whether the person can be identified directly or indirectly. It can be anything relating to the person: a name, a phone number, an e-mail address, a photo or a video, an address or location, a bank account number, a car registration plate, a social media account, an online identifier such as an IP address or a cookie ID, etc. |
Data Controller | A person or a company that determines the purposes and means of how personal data is processed. |
Data Processor | A person or a company that processes personal data on behalf of the data controller, usually an external entity such as a SaaS provider, payment processor or mailing service. |
Processing | Every action carried out on personal data, from collection and storage to sharing, deletion or anonymisation. |
Data Protection Officer (DPO) | The person who ensures that the organisation processes the personal data of its staff, customers, suppliers or any other individuals in compliance with the applicable data protection rules. The DPO oversees the company's data protection strategy and its implementation, and is the contact point for the supervisory authority and for data subjects. |
What GDPR Means for Your Small Business
GDPR compliance consists of several steps that companies of every size must take: establishing a legal basis for each processing activity, putting in place processes for respecting data subject rights, notifying the relevant authorities in case of a data breach, documenting consent where consent is the legal basis, appointing a DPO where Article 37 requires one (public authorities, large-scale regular and systematic monitoring, or large-scale processing of special category data; a typical small business is not obliged to appoint one, but may choose to), and having appropriate technical and organisational measures in place that match the risks of the processing.
It is also important to minimize the data processed and always have the purpose established for personal data processing.
Scope and applicability of GDPR to businesses outside the EU
If the business is established outside the EU, it still has to comply with the GDPR when it offers goods or services to individuals in the European Union (EU) or the European Economic Area (EEA), or monitors their behaviour there (Article 3(2)), regardless of whether payment is taken. The GDPR therefore has an extraterritorial scope: it applies to non-EU businesses that meet these conditions, and such businesses generally also have to designate a representative in the EU (Article 27).
Data Protection Principles under GDPR
GDPR (Article 5) lists the principles that every processing activity must satisfy.
Lawfulness, fairness and transparency | Personal data has to be processed lawfully, fairly and in a transparent manner. |
Purpose limitation | Personal data may only be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. |
Data minimisation | Only personal data that is adequate, relevant and necessary for the purpose may be collected. |
Accuracy | Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be corrected or erased without delay. |
Storage limitation | Personal data may only be kept in identifiable form for as long as is necessary for the purpose for which it was collected. |
Integrity and confidentiality | Personal data must be processed with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. |
Accountability | The controller is responsible for, and must be able to demonstrate, compliance with the principles above, with relevant documentation. |
Simple Steps to Protect Customer Data
Follow these steps to review and protect your business’s customer data.
Step 1: Identify What Data You Collect
Personal Data: List out the types of personal information you collect from customers (e.g., names, emails, addresses).
Sensitive Data: Check if you collect any special category data, such as health information, ethnicity or religious beliefs, which requires an additional Article 9 condition and extra protection.
Example: A café owner collects customers’ email addresses to send them monthly newsletters about specials and events. This email address collection is considered “data processing” under GDPR because it involves the collection and storage of personal data.
Step 2: Map Out Your Data Sources and Flows
Identify Data Sources: Write down where you collect data (like online forms, customer surveys, or sales transactions).
Track Data Movement: Document how this data flows through your business—who accesses it, where it’s stored, and where it’s shared. This will help you understand how data moves through your systems.
Example: A small online store collects customer information at checkout, which includes names, addresses, and payment details. This data flows from the checkout system to a third-party payment processor.
Step 3: Document Why You Use This Data
Write down the purpose for each type of data you collect. This is important for transparency and shows why each data point is necessary for your business.
Keep Records: Create a log or use a tool to record all your data processing activities (this is known as a Records of Processing Activities, or ROPA, under GDPR).
Example: A salon collects client phone numbers and booking history to send appointment reminders. These details help keep track of clients but should only be used for this purpose unless the client agrees to receive additional marketing. The salon should have a simple internal note about why it collects each piece of information and make it clear to clients how their data will be used.
Step 4: List Vendors and Third-Party Data Processors
If you share data with other companies (e.g., for marketing or analytics), list these vendors and verify they follow GDPR.
Data Agreements: Make sure you have agreements in place that cover data protection and security with any third-party processors.
Example: A personal trainer uses a booking app to manage appointments and process payments. Since this app collects personal data on behalf of the trainer, the trainer is responsible for ensuring that the app follows GDPR standards. The trainer should ask the booking app provider for a Data Processing Agreement to make sure client data is protected.
Step 5: Ensure Appropriate Data Security Measures
Implement technical and organisational safeguards proportionate to the risk of the data you hold. This might include encryption of devices and backups, access controls on a need-to-know basis, multi-factor authentication on every cloud account, logging of who accessed what, and regular security reviews. Pseudonymisation, keeping direct identifiers separate from the working data, also reduces the impact of a breach.
Example: An independent accountant stores client data on a laptop and a cloud service. To protect this data, the accountant turns on full-disk encryption on the laptop, encrypts sensitive files before uploading them, uses unique strong passwords with multi-factor authentication on the cloud account, and grants access only to the specific people who need it for their work.
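The following is an added example, not code from the original article or from GDPR Register, showing two of the measures discussed above in working form: pseudonymising a client table with a keyed HMAC so that the data handed to a booking or reminder tool carries a token instead of the e-mail address, and purging records that have passed their retention period (storage limitation). The client records, the key and the retention period are constructed for the example; the key would in practice be kept outside the working dataset, reachable only by the staff who need to re-identify a client.

```python
"""Pseudonymise client records and enforce a retention period (stdlib only)."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Hypothetical key for the pseudonymisation function. It would be generated
# once, stored outside the working dataset (OS keyring, secret manager or an
# encrypted file only the owner can open) and never shipped to the marketing
# or reminder tools that consume the working dataset.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Constructed sample of a salon's client table; these are not real people.
CLIENTS = [
    {"name": "Alice Example", "email": "Alice@example.org", "phone": "+358401234567",
     "last_visit": date(2024, 11, 2), "service": "colour"},
    {"name": "Bob Sample", "email": "bob@example.org", "phone": "+358409876543",
     "last_visit": date(2022, 3, 15), "service": "cut"},
]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for a direct identifier such as an e-mail address.

    A plain SHA-256 of an e-mail address is not pseudonymisation: the input
    space is small enough to brute-force, so anyone holding the hash can
    recover the address. Keying the hash means the token can only be linked
    back to the person by whoever holds the key.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def split_dataset(clients, key):
    """Separate direct identifiers from the working data.

    Returns (lookup, working). `lookup` maps token -> direct identifiers and is
    the access-restricted table. `working` carries only the token and the fields
    needed for the stated purpose (data minimisation), so a breach of the
    working table alone does not reveal who the records concern.
    """
    lookup, working = {}, []
    for c in clients:
        token = pseudonymise(c["email"], key)
        lookup[token] = {"name": c["name"], "email": c["email"], "phone": c["phone"]}
        working.append({"client": token, "last_visit": c["last_visit"],
                        "service": c["service"]})
    return lookup, working


def purge_expired(working, lookup, today, retention_days):
    """Delete both halves of every record older than the retention period.

    Deleting only the working row would leave a lookup entry with no purpose;
    deleting only the lookup entry would leave an orphaned token. Storage
    limitation means both go. The removed tokens are returned so the deletion
    can be logged for accountability.
    """
    cutoff = today - timedelta(days=retention_days)
    expired = [r["client"] for r in working if r["last_visit"] < cutoff]
    working[:] = [r for r in working if r["client"] not in expired]
    for token in expired:
        lookup.pop(token, None)
    return expired


def run_demo(key=PSEUDONYM_KEY, today=date(2025, 1, 1), retention_days=730):
    """Run the split-then-purge flow on the sample table and return the state."""
    lookup, working = split_dataset(CLIENTS, key)
    removed = purge_expired(working, lookup, today, retention_days)
    return {"lookup": lookup, "working": working, "removed": removed}


if __name__ == "__main__":
    state = run_demo()
    print("working table (shareable with the reminder tool):", state["working"])
    print("purged", len(state["removed"]), "expired client(s);",
          "lookup now holds", len(state["lookup"]))
```

With a two-year retention period and 1 January 2025 as "today", the second sample client (last visit in March 2022) is removed from both tables, while the first is kept. Normalising the e-mail address before hashing matters: without it, `Alice@example.org` and `alice@example.org` would produce two different tokens and the same person would appear twice.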
Step 6: Draft Relevant Privacy Documentation for Accountability Purposes
To demonstrate GDPR compliance, a company needs to keep relevant documentation, including any required assessments, drafted and up to date. Such documents include privacy policies, privacy notices, data processing agreements, ROPAs, Data Protection Impact Assessments (DPIA), Legitimate Interest Assessments (LIA), data breach policies and a breach register, consent records, a data subject access request procedure, a list of technical and organisational measures, cookie policies, etc.
Example: A small boutique with an online store creates a privacy policy outlining what personal data is collected (like names and addresses), why it is collected, who it is shared with, how long it is kept and how it is protected. The policy is displayed prominently on the website so customers can easily understand how their data will be handled.
How to develop a privacy policy tailored to your business
A privacy policy that reflects your company's actual data processing and covers the GDPR requirements (Articles 13 and 14) is essential for transparency towards data subjects and the general public.
Here are the key steps to develop one.
- Understanding your company’s data processing activities;
- Defining processing purpose, legal basis and data categories;
- Explaining how data is shared externally;
- Detailing data retention periods;
- Ensuring data subject rights;
- Listing security measures;
- Providing relevant contact details for individuals.
Managing data breaches: Preparation, response, and notification protocols
In case of a personal data breach, you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). If the notification is late, it must state the reasons for the delay.
The notification has to describe the nature of the breach, including the categories and approximate number of persons and records concerned, the likely consequences for the persons whose data it was (Data Subjects in GDPR language), the measures taken or proposed to address it, and how the data was protected (for example, encryption or pseudonymisation, which may mean the breach is unlikely to cause harm). When the breach is likely to result in a high risk to individuals, the company also has to inform the affected persons without undue delay (Article 34).
If the breach is unlikely to result in a risk, you do not have to report it to the supervisory authority, but you still have to record it in your breach register, together with the facts, the effects and the remedial action taken, so that the authority can verify your assessment later.
The more detailed your response plan is, and the more often it is rehearsed in a breach exercise, the smoother the actual incident management will be, and the more realistic the 72-hour deadline becomes.
Explore how GDPR Register’s data breach management tools can help you seamlessly comply with data breach requirements listed in the GDPR here: https://www.gdprregister.eu/request-a-demo.
Rights of individuals (data subjects) under GDPR
- Right to be informed – Individuals have the right to be informed about how and why their personal data is being processed, whatever the legal basis. The information has to be provided at the time the data is collected from the individual (or within a month when it is obtained from another source), and it must be concise, intelligible, easily accessible, free of charge and written in clear and plain language. The privacy notice is where this is usually done.
- Right of access – the individual has the right to access their stored personal data and receive a copy of it.
- Right to erasure (“right to be forgotten”) – The individual (data subject) has the right to demand that a company erases or anonymises their data, subject to the exceptions in Article 17 (for example, where the data must be retained under a legal obligation).
According to GDPR, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have an obligation to erase personal data without undue delay.” “Undue delay” should be understood as at the latest within one month of receipt of the request, extendable by up to two further months for complex or numerous requests, provided the individual is told about the extension within the first month. A reasonable fee may only be charged, or the request refused, where it is manifestly unfounded or excessive.
- Right to rectification – According to GDPR Article 16, the right to rectification means that the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The data controller should take reasonable steps to ensure that the data is accurate and to rectify the data if necessary. The controller should take into account the arguments and evidence provided by the data subject.
- Right to data portability – The individual has the right to obtain their personal data from one service provider and reuse it with another for their own purposes in an easy and safe way. It allows them to receive the data they provided in a structured, commonly used and machine-readable format and, where technically feasible, to have it transmitted directly to another controller. It applies where the processing is based on consent or a contract and is carried out by automated means.
- Right to object – The individual can object to the processing of their personal data where it is based on legitimate interests or a public task, in which case the company must stop unless it can demonstrate compelling legitimate grounds that override the individual's interests. An objection to direct marketing is absolute: the processing for that purpose must stop.
- Rights related to automated decision making and profiling – The individual has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them, unless one of the Article 22 exceptions applies.
- Right to lodge a complaint with a data protection authority – If the individual feels that their rights have been violated, they can complain to the national data protection authority, which investigates and decides the matter.
Processes for responding to data subject access requests (DSARs)
Data subject access requests allow individuals to receive confirmation that their personal data is being processed, a copy of the data and information about the processing (purposes, recipients, retention period, source and their other rights).
The key to a seamless DSAR process is establishing responsibilities internally, a clear request handling procedure and documentation folder, verifying the identity of the requester, reviewing the DSAR and locating the relevant personal data across all systems and processors, and compiling the answer within the one-month timeframe (extendable by two further months for complex or numerous requests, if the individual is informed within the first month). The response must be provided free of charge unless the request is manifestly unfounded or excessive. All communication with the individual must be documented as evidence for accountability purposes.
GDPR Compliance Checklist for Small Businesses
- Data mapping and records of processing activities;
- Actions based on specific legal bases;
- Rights of individuals;
- Accountability and governance;
- Security and breach prevention.
A more detailed compliance list for small businesses is provided here: https://www.gdprregister.eu/gdpr/gdpr-checklist-for-controllers/.
Common GDPR Myths and Misconceptions
As privacy is rarely black and white, it is important to understand some myths and misconceptions around customer data protection. Despite the widespread impact of the regulation, many small businesses still struggle with how to comply with GDPR requirements.
A common misconception is that small businesses do not need to comply. Applicability does not depend on the company's size but on what the company does and who it targets.
As there are several legal bases that are not so much covered in the mainstream media, it is a misconception that consent is the only legal basis. Indeed, it is a valid legal basis, but in total, there are six legal bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
As achieving compliance is a hefty and time-consuming process, companies may think that once they get all compliance done, they are good forever. GDPR compliance is not a once-off exercise; it is an ongoing process. Keeping it up to date and reviewed will provide the company assurance that all relevant risks are managed when processing aspects evolve and change.
Media covers a lot of fine decisions issued to large companies. There may be an impression that small businesses won’t face penalties as DPAs only target big companies. That is a myth, as all businesses, regardless of their size, can face penalties.
Another misconception is that data breaches always result in fines. Many cases involve smaller fines, warnings, or corrective actions, especially for first-time offenders or minor infractions.
In addition, fines are not the only consequences of non-compliance. There can also be reputational damage, legal claims for compensation from affected individuals, orders restricting or banning processing that can stop the business from generating revenue and, under the national law of some member states, criminal proceedings.
Conclusion
The positive impact of GDPR compliance on customer trust and brand reputation cannot be underestimated. Consumers are increasingly aware of their privacy rights and exercise them, and a business that handles their data transparently earns their loyalty and respect for its practices.
Therefore, GDPR compliance is a competitive advantage in the marketplace. Customers are becoming more selective about the businesses they engage with, and demonstrable privacy and security practices mark a company out as forward-thinking.
Compliance with the General Data Protection Regulation is made simpler for organizations with the use of DPO software. Contact GDPR Register and we help you in your compliance journey. Book a demo call here: https://www.gdprregister.eu/request-a-demo.
FAQs – GDPR Small Business
What are the differences between the UK GDPR and the EU GDPR?
After Brexit and the UK's departure from the EU, the UK retained the GDPR text in its national legislation as the “UK GDPR”, alongside the Data Protection Act 2018, with few significant modifications, such as the ICO acting as the supervisory authority, separate rules for international data transfers and differences in the data protection officer's appointment mechanism.
What is considered sensitive personal data?
Sensitive personal data, referred to as “special category data” under the GDPR, comprises the following categories listed in Article 9:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data (for the purpose of uniquely identifying a natural person);
- Health data;
- Data concerning a person’s sex life or sexual orientation.
What is special category data covered in Article 9?
Special categories of data are defined and regulated under Article 9 of the GDPR and cover personal data relating to identity, health, beliefs or genetics. Processing them is prohibited unless one of the Article 9(2) conditions applies (for example, explicit consent). These types of data are considered more sensitive because, if revealed to the wider public or obtained by bad actors, discrimination or other serious harm may follow, hence the stricter requirements on processing them. Data about criminal convictions and offences is regulated separately under Article 10.
What happens to non-compliant small businesses?
GDPR penalties make non-compliance an expensive mistake for any size of business. Potential consequences for businesses include fines up to €20 million or 4% of the company’s global annual turnover, whichever is higher. More on fines under the GDPR here: https://www.gdprregister.eu/gdpr/gdpr-fines/. There can also be restrictions on data processing, reputational damages, and legal actions.
What is the minimum size of a company that needs to comply with GDPR?
There is no minimum size requirement for companies. Any company, from a small startup to a large global enterprise, must comply with GDPR requirements if it is established in the EU, or if it offers goods or services to individuals in the EU or monitors their behaviour there.