The practicalities of GDPR for small businesses

Posted by Sara Hawthorn

The General Data Protection Regulation (GDPR) is a hot topic, and you might even be slightly panicked that you should know more about it. Certainly a quick flick through my spam box asks me “Are you GDPR compliant?” and “Is your customer database ready for GDPR?”, and invites me to many, many courses on “GDPR compliance”.

Should I pay attention to GDPR?

If you are carrying out any type of marketing, even to your own clients, then the answer is a definite YES!

GDPR is bringing European law in line with the USA’s CAN-SPAM Act of 2003, which has far tighter legislation than our own existing Data Protection Act. It’s a great idea, as people will only receive marketing that they asked for. They’ll also be able to easily unsubscribe from marketing communications when they no longer want to receive them. Great for our inboxes, especially all the “have you claimed PPI?” mails.

However, in tightening the legislation surrounding the handling of data, it will have a knock-on effect for small businesses and how they market themselves.

The Information Commissioner’s Office (ICO) has a number of helpful guides, self-assessment quizzes and blogs on getting ready for GDPR compliance.

But first, you need to check the following:

  • How did people sign up to receive your marketing?

It cannot be a pre-ticked box or consent assumed because they bought something from you. People need to have actively subscribed and know they are receiving marketing communications from you – euphemisms such as “newsletter” or “information” should not be used on the sign-up box! If you have a list which contains these types of sign-ups, you need to resubscribe them before 18 May 2018 using the correct protocol.

  • Do you have proof of the sign ups?

For example, does your email marketing software require users to “double opt-in” by filling in their email address and then clicking on a link within a confirmation email, or do you have a copy of the sign-up sheet they used to subscribe at a trade event? If not, again, resubscribing people via a compliant form before 18 May 2018 will be the best way of cleansing your list.

  • Is there an easy unsubscribe?

To comply with the GDPR legislation, every communication must carry a link telling recipients who will hold the data and how to unsubscribe from it. Make sure your email address and mailing address are on each one, as well as your registered Data Controller, who will ultimately be in charge of processing the data held.

  • Who is responsible for the data?

You must tell people who is responsible for the data you hold and process – this person must be registered with the ICO as a registered Data Controller. Additionally, data processors (in other words, anyone dealing with the data) also have direct obligations to process data correctly. You cannot outsource this responsibility, and neither can they claim they were completing arm’s-length transactions: if you are processing data, you are responsible.

  • What data is held?

The GDPR places a duty on the Data Controller to hold only relevant personal data – in other words, if something is no longer needed, it should be destroyed in order to minimise the risk. Got old client files lurking? Time to clear them out! The ICO’s definition of “personal data” is any data which identifies an individual or presents a security risk. The GDPR legislation specifically requires that any information held regarding children under 13 has additional parental permission before being stored.

  • Where is your data held?

The exact wording on this is very vague, but on asking for further clarification from the ICO, they have confirmed that whilst it is preferable that all data is held within the EU, organisations can use non-EU data storage as long as you undertake a “suitable risk assessment”. If there is a complaint, you will be asked to produce evidence of the risk assessment you undertook before storing the data. So it’s a good idea to look at where your data is stored and to ask for clarification on the security under which it is held. This isn’t merely for your marketing lists, but also for personal data like client billing details (i.e. your accounts programme), backup storage, online workspaces, password logs, social media logins, etc.

  • What is your procedure for reporting data breaches?

Should you (or one of your suppliers/data processors) have a data breach where “a personal data breach is likely to result in a risk to people’s rights and freedoms”, you must report it to the ICO and to the people affected by the breach as soon as possible, or within 72 hours of becoming aware of the breach.

  • How large is your organisation?

If you have over 250 employees, you will have to nominate a Data Protection Officer, who is responsible for overseeing the Data Controllers and the processing of any data within the organisation.

Still confused? Take the ICO’s GDPR self-assessment quiz.

GDPR for virtual assistants

Caroline has been a Virtual Assistant (VA) since 2004, helping small businesses to manage their admin on a freelance basis. With a background in music and advertising, she worked in the creative industries for over 10 years, both in London and Glasgow. Trying to avoid wearing a suit every day, Caroline switched into entrepreneur mode and has never looked back.

Virtual assistance in the UK was a fledgling industry, so she worked with a collection of VAs to educate the business community about virtual working, which grew rapidly into the largest organisation for UK VAs, the Society of Virtual Assistants.

Caroline lives in Glasgow, with her husband Craig, their two young children and her crazy Burmese cat. Her mantra remains “I must wear jeans to the office”.

Caroline can be contacted here or found tweeting @VirtuallySorted.