The Micro Business under Macro Legislation: Your Small Business and GDPR

Posted by Kimberly Carroll on Mar 8, 2018 5:25:24 PM

There is so much talk about the European Union’s new General Data Protection Regulation (GDPR), which will be introduced in May 2018. This legislation will firm up and strengthen the data privacy rights of an individual with an onus on all businesses and organisations located within the EU who are in possession of data on individuals to be GDPR-compliant.

Naturally, there is some scaremongering about the impending mandatory rules, with reports of hefty fines for those found in breach. But GDPR is not legislation set on catching out and penalising companies haphazardly. Instead, it is focused on the key need to protect and uphold an individual’s right to privacy and on how their personal information is collated, processed and stored.

All businesses will be accountable for their own handling of personal information, whether you have a micro, small, or medium business or you are part of a larger organisation. While the EU will impose a blanket compliance across all businesses from 25th May 2018, it is not aimed at saddling the local tradesperson, small food producer, coffee shop owner, or hair salon with the same set of rules and regulations as the multi-conglomerate global corporation. For example, the appointment of a Data Protection Officer (DPO) to monitor personal data privacy issues within a company applies only to public authorities and to organisations that handle sensitive personal data on a large scale or carry out large-scale systematic monitoring.

So, let’s ditch the confusion and ambiguity once and for all and concentrate on what GDPR means for the small business owner, as the EU intended.

One of the universal stipulations of GDPR legislation is how personal information is held. For the micro business this means getting to grips with how you manage and use personal information, i.e. contact details for your customers, suppliers and employees. For the small business, this could be something as simple as scribbled contacts in a ledger – a handwritten record of details of individuals you deal with regularly or even on a one-off basis.

Or what about a customer database that collates the names of clients? Yep, this too is covered by GDPR and applies to the beauty therapist with client questionnaires or the small business with an automated text message for clients to alert them to offers or discounts. In short, all personal information on an individual – whether held on a database, as an email or postal address, as a text or somewhere in the cloud – is covered under GDPR.

The five Ws and one H are a good way to break down your business’s use of personal information:

Who is the individual you hold personal data on?

What is their relationship to your business – are they an employee, a supplier, client or a customer?

When was the information recorded?

Where was it recorded?

Why did you take and store the information?

How is the information stored?

When you have a clear idea about the information you hold and for whom, you can start getting things in order to restructure the way this information is collected and saved.

Back to the automated messages we mentioned earlier. This kind of marketing can no longer work under the assumption that a customer is more than happy to hear about your 10% discount on a cut and colour or a notification about a product/service offer. From May onwards, the customer must give you their permission to keep their details for the specific purpose of direct communication, and that goes for newsletters, greetings and text reminders.

Furthermore, you will need to provide evidence that they have given you permission and make it easy for them to withdraw their consent at any time.

A great place to discover where you stand on GDPR is the EU’s dedicated website which has myriad advice, resources and key information to help you on your way to a better understanding of the regulations.

In summary, here are some of the things you need to be aware of:

  • The enforcement date for GDPR is 25th of May 2018
  • Personal data is anything that can identify an individual whether that is a name, photo, email address, phone number, or bank details
  • Individuals have more control, with new and enhanced rights over their personal information
  • Every business, no matter how small, needs to review how they get, record and manage consent over personal information for employees, customers, suppliers etc.

Practice makes perfect, so tackle GDPR now to avoid data protection issues in the future.