Breadcrumb

Guide to GDPR for Small Businesses

Written by

The GoCardless content team comprises a group of subject-matter experts in multiple fields from across GoCardless. The authors and reviewers work in the sales, marketing, legal, and finance departments. All have in-depth knowledge and experience in various aspects of payment scheme technology and the operating rules applicable to each. The team holds expertise in the well-established payment schemes such as UK Direct Debit, the European SEPA scheme, and the US ACH scheme, as well as in schemes operating in Scandinavia, Australia, and New Zealand. See full bio

Last editedSep 20213 min read

GDPR for small businesses can be a tricky subject. Small business owners may be under the misapprehension that GDPR doesn’t apply to them due to the size of their business (it does) or that becoming compliant with GDPR is more effort than it’s worth (it’s not).

Learn more with our guide to GDPR for small businesses.

GDPR came into effect on 25 May 2018. This means that it’s already legally binding, and if you aren’t compliant, you may be breaking the law. Serious penalties for GDPR breaches (at maximum, fines amounting to 4% of your company’s annual global turnover) may be applied, regardless of the size of your company, so it’s important to understand your rights and responsibilities around GDPR as quickly as possible.

GDPR, or General Data Protection Regulation, is an EU regulation intended to give citizens more control over their data and simplify data privacy regulations for international businesses operating within the EU. GDPR’s new data protection laws for small businesses apply to all businesses that operate in the EU, placing new obligations around accountability and compliance when it comes to the handling of their customer’s personal data.

Yes, GDPR does apply to your business. Remember, all businesses in the EU are subject to GDPR, regardless of the size of your company, the number of people you employ, or your annual turnover. In addition, companies based outside of the EU that process the personal information of EU citizens may also be subject to GDPR. So, when it comes to GDPR for small businesses, it’s important not to believe that your limited size protects you from the scope of the law.

The key question is the extent to which your business deals with personal data (not just from customers, but suppliers as well). If you routinely process, collect, store, or use personal data (any piece of information that could potentially be used to identify someone, including names, IP addresses, addresses, genetic data, religious views, and so on), then GDPR will apply to your business, and you need to get compliant or risk facing penalties.

Are you a data controller or a data processor?

GDPR applies to both “data controllers” and “data processors.” Essentially, data processors store, collect, record, organise, and share personal data. Data controllers do the same thing, but they also decide what the purpose of these data processing activities is. Data controllers and data processors have slightly different legal obligations, making this an important element of GDPR for small businesses. Data processors have the following obligations:

Retain up-to-date personal data records and details of your data processing activities
Store details of data transfers to countries outside of the EU
Implement appropriate data security measures

Data controllers must do all of the above, while also ensuring that any contracts you have with other processors are GDPR-compliant. This means that you’ll need to check that anyone you’re doing business with has the proper security measures in place before you put pen to paper on the contract.

Need to make sure that your business is compliant with the new data protection laws for small businesses? Rounding out our GDPR guide, we’ve put together a checklist for you to take a look at:

Understand what type of personal data you collect, where it’s held, and how you’re using that data.
Work out whether you’re relying on consent to process personal data. Under GDPR, consent needs to be explicit, clear, and specific, which is why it’s best not to rely on consent unless it’s completely necessary.
Update your security measures so that they’re compliant with GDPR.
Ensure that you’re able to meet access requests within one month. Citizens have the right to access their data and every request has a deadline of one month, so it’s important that you’re able to respond to these requests in a timely fashion when necessary.
Train your employees. They need to understand what constitutes a data breach and what their obligations are in terms of reporting (serious data breaches must be reported within 72 hours).
Check that your supply chain, including suppliers/contractors that you work with, is GDPR-compliant.
Create “Fair processing notices” (descriptions of what you’re doing to your customers’ personal data).
Explore whether you need to employ a Data Protection Officer (DPO). When it comes to GDPR for small businesses, many companies are exempt, but if your company’s core activities include “regular or systematic” data subject monitoring or processing “special category data” then a DPO must be employed.

Hopefully, this GDPR guidance for small businesses has given you some indication of how to proceed with the new data protection laws for small businesses. Ultimately, GDPR for small businesses comes down to being clear and ethical about the personal data that you’re processing.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.