There are misconceptions on the internet that small businesses are exempt from the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR), but this is simply not true, even though some otherwise reliable digital sources say so. Certain aspects of the laws don’t apply to small businesses, but any company, regardless of size, must comply with the DPA and/or GDPR when handling personal data.

This article will discuss how the data protection laws can affect small businesses, looking at:

  • What is the Data Protection Act?
  • Why is data protection important?
  • Understanding your data and your role
  • How to manage data protection as a small business

What is the Data Protection Act?

The Data Protection Act 2018 is the UK’s update to the Data Protection Act 1998. It was updated to reflect the GDPR after the GDPR was implemented across European territories. It mirrors the GDPR legislation and gives individuals additional rights over, and access to, how businesses, organisations and government bodies manage their personal information (data).

As a business owner, you are responsible for complying with ‘data protection principles’ set out by the Government. This means if you hold any personal information, you must ensure that:

  • You use the information fairly, lawfully and transparently.
  • You only use the data you hold for specified, relevant and necessary purposes.
  • You ensure the information is accurate and, where necessary, kept up to date.
  • You keep the data for no longer than required.
  • You handle the data in a way that ensures appropriate security, restricts access to authorised individuals, and prevents loss, destruction or damage.
  • You allow an individual access to the record of data you hold on them, in a timely fashion, if they make a request (a subject access request, or SAR).
  • You honour an individual’s right ‘to be forgotten’ and delete the data you hold for that person.

As a small business owner, any personal data that you have collected — this could be data you have kept about customers, staff, colleagues (such as contact details or banking information) or suppliers (e.g., contracts with personal information) — must be handled with the utmost care and security, or you could face very large fines.

Why is data protection important?

It’s essential to think about the Data Protection Act when setting up your business so that you can consider any software options you may need or potential suppliers to store any data in a compliant way.

Data protection is important for individuals because it is designed to keep their information safe, and it gives them more rights over the information held on them by businesses or organisations. It ensures that individual data is only used for the purpose it was collected for.

Data protection is also important for businesses because of the penalties and colossal fines associated with a data breach (a lapse in security, unauthorised access or sharing, or using data for purposes that were not consented to). A breach can result in fines in the millions, prosecution and, in some cases, a prison sentence. You can read in more detail about the penalties for failing to comply here.

While the financial risk is huge, a breach could also damage your business’s reputation and affect future trading.

Understanding data and your role

The DPA and GDPR refer to data ‘controllers’ and ‘processors’.

Controllers make decisions about processing activities. They have overall control of the personal data being processed and are responsible for the processing.

Processors act on behalf of, and on the instructions of, the controller.

In some circumstances, you may be both the controller and the processor. For example, if you’re a self-employed writer, you may keep a spreadsheet of customer contact details, including if they have paid their invoice or not. In this case, you both update the records and decide how you use them, making you both the controller and the processor.

As another example, you may be a tradesman who uses a phone app to store client contact details. This would make you the controller, as you decide how the data is used, and the third-party app provider would be the processor, as they store the data and maintain its protection.

How to manage data protection as a small business

Under UK law an organisation must appoint a Data Protection Officer (DPO, an individual who oversees all processing decisions and the management of data) if:

  • You are a public authority or governing body.
  • Your business activities include monitoring individuals (such as online behaviour tracking).
  • Your business’s main purpose is large-scale data processing within certain categories (such as health record information or criminal convictions).

You can find out more here about whether your company needs a DPO. Even if you don’t need to appoint an individual for this job, data protection is a very serious task, and you should spend time educating yourself to understand how to be compliant in your business.

The Information Commissioner’s Office (ICO) is the regulatory body for the GDPR and DPA laws, and they have detailed guides and checklists to help you ensure your compliance. Here are some steps you can take to get started.

Existing data

A good place to start when considering how the Data Protection Act affects your small business is to look at lists. Do you keep a list of clients or suppliers? You may even have a marketing or newsletter email list. Perhaps you kept details of employees or freelancers you employed to support you when starting up your business. First consider what this data is (what details do you hold: names, addresses, banking information?), how long you’ve had it in your possession and whether you might need it again.

If these lists could include personal information (such as contact and banking details), then all of this data must be protected. Try to keep as few paper records as possible, so that your compliance is not compromised by a disorganised or unlocked filing drawer.

Storing data

Then start considering what software you could use to store existing data, if you need to keep it. A good example would be email marketing databases, such as Mailchimp or Hubspot. They have DPA practices in place that allow you to store your contacts in a compliant and encrypted database, where you act as the controller and they act as the processor.

Collecting data lawfully

Then you need to consider how you collect information. You need to establish whether you have a lawful reason to collect the data. In many cases, the reason may be that you are providing value to the customer by showing them offers or insightful content that will help them — you can use the lawful basis guidance tool from the ICO to help you establish your lawful basis for collecting and holding data.

Next, if you have a contact form on your website, ensure that you have a box clarifying what the collected information will be used for. A common example seen on a lot of websites is: ‘Please tick this box if you’d like to receive marketing communications from our company, including sales notifications, special offers and newsletters’.

This statement is key to the ‘consent’ part of the Data Protection Act, and protects against the data being used for purposes other than those you originally collected it for. You can find some good examples of consent here.

Registering as a data controller

Once you have a good understanding of the data you hold and how you will manage it, you may need to register with the ICO and pay a Data Protection fee. Both registered companies and sole traders may have to pay the fee to the regulator if the business processes personal information, and you can use the ICO’s online self-assessment to see whether or not your business needs to be registered. Paying the fee is a legal requirement unless you are exempt (which the self-assessment will tell you), and it could also build trust with your customers, as you are publicly showing that your business is serious about protecting the data of your users.

Managing your business responsibilities with Countingup

Hopefully, this guide has shown you how the Data Protection Act may affect your small business. Always check government guidelines and seek legal advice to ensure your compliance.

Countingup could help you get a handle on the other responsibilities you have as a small business owner, by making your bookkeeping simple to manage.

Countingup is the business current account and accounting software in one app that’s helping thousands of business owners across the UK. It automates time-consuming financial admin so that you can focus on running your business. With instant invoicing, automatic expense categorisation and cash flow insights, you can confidently keep on top of your business finances every day.

Find out more here and try it out today.