Small Business GDPR Help

Micro & Small Business GDPR Help & Guidance on what you need to do

Published by: Jamie King | Date Published: 14th May 2018 | Last Modified: 14th May 2018

The new GDPR, the General Data Protection Regulation, comes into force on May 25th 2018. While the subject is all the rage right now and its scope is wider than the English Channel, what does it mean for small businesses, micro businesses and sole traders? If you're after small business GDPR help and guidance, then let me point you in a few directions on what you need to do for your small business.

The reality for small businesses is that the GDPR still applies to them, though many elements may not apply or may need a 'small business' point of view to better understand their meaning and requirements. On the surface you need to update your website privacy policy notice with your GDPR compliance information, but there may be other things you need to do.

The ICO (Information Commissioner's Office) has a bunch of fantastic tools to help you get GDPR compliant, so we will take a look at those. I will bring your attention to some of the main things you need to do for your small business & GDPR. If you need professional advice about the GDPR and your business, I suggest you seek professional legal advice.

  1. Step 1: Do a data protection self assessment

    Use this free online Data protection self assessment toolset to ensure your business is ready for all the GDPR changes and obligations. This toolset comprises a few online quiz checklists to help you define what you need to do and the information you need to gather / document.

    This toolset may ask if you need to do an information audit, to define what personal data you hold, process and manage. Basically this is an audit of what personal information comes into your business, how it's processed and handled when it gets there, and whether it leaves your business at all (i.e. is shared with anyone else).

  2. Step 2: Get your internal business ready

    Once you define your GDPR compliance requirements you will need to make any adjustments to your business practices. This will be different for every business, so use the self assessment tool to highlight what you need to look at.

  3. Step 3: Do you employ fewer than 250 staff members?

    If so, you are exempt from the record-keeping obligations of the GDPR, unless you process criminal convictions, offence data or special category data; your processing is likely to result in a risk to the rights and freedoms of individuals; or your processing is not occasional (i.e. it is more than just a one-off occurrence). Read more here from the ICO.

    This question helps you define what your record keeping obligations are.

  4. Step 4: What is your Lawful Basis for processing data?

    This is generally one of the main points you need to explain in your privacy policy notice. You have to explain to users which lawful basis you use for each processing activity you do. So you may have a few lawful bases for different types of data processing. For example, providing a customer with a quote and sending someone a marketing email message may very well have two different lawful bases.

    Use this Lawful basis interactive guidance tool to figure out which bases to use. It's free to use and is provided by the ICO.

    Once you know your lawful bases, you will also need to explain in your privacy notice why you use that lawful basis, the different ways you process personal data under that basis, your data retention period for that data, and whether you share that information with third parties and, if so, with whom. So make a note of each of those for each lawful basis you will use.

  5. Step 5: Do you need to pay the ICO a Data Protection Fee?

    Do you need to register with the ICO and pay a Data Protection Fee? If you're not sure, do this online self assessment quiz and it will tell you if you're required to register or if you're exempt.

    If you are exempt you may want to add a small statement to your privacy notice explaining your exemption position.

  6. Step 6: Add cookie control to your website

    You should add cookie control to your website. This is the little message that visitors see when they first visit your site, asking them to accept cookies before viewing. To do this, visit and register for your own API key. Follow the instructions on screen to implement Civic Cookie Control into your website, or ask your web designer. Alternatively ask me to add Cookie Control to your website.

  7. Step 7: Get your website GDPR ready & make changes

    You may need to change how your website obtains or processes information / consent. The GDPR requires a change to the ways we process information or request consent, so your website's forms, features or control panels that require personal information may have to change.

    Does your website have a "sign up to newsletter" form and button? Does it explain what the user is signing up for on that page?
    Does your site have an enquiry form, with a "newsletter sign up" tick box already ticked to encourage sign ups? Well, you can't do that anymore under GDPR.

    Check your site and speak to your web designer about what you need to change, or contact me and I'll help you with it.

  8. Step 8: Update your website privacy policy notice

    Your website privacy notice will need updating as required by the GDPR. You will need to explain to users a variety of things relating to personal data processing. For example, a main point is explaining to users which lawful basis you will use to process their personal data. Other things, like the users' rights, need to be in your privacy notice. You can read the ICO's privacy notice guidance here.

    When you're ready, either update your policy notice on your website, ask your web designer to do it or ask me to update your privacy policy for you. If you don't have a privacy notice yet, you can adapt my free GDPR template here.

This is not an extensive guide

This guide and small business GDPR help sheet is not an extensive guide. It is mainly aimed at small businesses and micro businesses and explains what they need to do.

If you require professional help with your GDPR compliance, I suggest you seek professional legal advice from GDPR and data protection specialists.

Need help with your website & GDPR? Get in touch, or call me for a chat on 07833 701150.