A 5 Minute Guide To GDPR

Craig Greenup 15/03/24, 08:00

GDPR can seem big and scary to small business owners. There’s a lot of complicated legal lingo to get your head around.

That’s why we’ve created this simple guide to GDPR. In it, we cover the 7 data protection principles and the legal bases you can use to justify data collection. We also explore some of the things you need to run a GDPR compliant website.

A simple guide to GDPR

What is GDPR?

GDPR stands for General Data Protection Regulation. It’s a data privacy law that came into force across the UK and EU in 2018.

After Brexit, the EU version of the GDPR was replaced with (an almost identical) UK version. This is called UK GDPR and it’s the legislation that we work to today.

GDPR aims to protect personal information. By personal information, we mean things like:

  • names
  • addresses
  • email addresses
  • telephone numbers
  • IP addresses
  • credit card details
  • bank details

Business owners have to follow GDPR. In doing so, they keep personal data safe and use it responsibly. They get an individual’s consent before collecting or using their data. And they have an effective and compliant way of storing it.

By sticking to GDPR, businesses (and other organisations) protect their reputation. They also make it less likely that individuals will fall victim to fraud or cybercrime. They protect the company from fraud and cybercrime, too.

What are the 7 data protection principles?

UK GDPR follows seven data protection principles. These are:

  • Businesses need to process the personal data of customers lawfully, fairly and transparently
  • You can only collect data for specified, explicit and legitimate purposes. You can’t use customer data for anything other than what customers have agreed to.
  • You shouldn’t collect any more personal data from customers than you absolutely need to. This is called data minimisation.
  • The personal data that you store should be accurate and up-to-date. You need to delete or update any inaccurate data.
  • The data you collect has to be kept in a form that permits identification of customers for no longer than is necessary.
  • You have to process and store personal data securely. You can use both technical and organisational processes to protect personal data.
  • The data controller (that’s you or someone assigned by you) handles UK GDPR compliance. They have to manage the personal data of customers and prove that they manage it properly.

These data protection principles are the foundation for GDPR.

What is the GDPR lawful basis?

If you collect personal data, you need to have a valid GDPR lawful basis to do so. There are six lawful bases for processing, as outlined by the Information Commissioner’s Office (ICO). These are:

  • Consent: customers consent to you collecting and using their data
  • Contract: you have a contract with a person and need to process their data to fulfil the contract
  • Legal obligation: you need to process personal data to follow the law
  • Vital interests: you need to process personal data to protect someone’s life
  • Public task: you need to process data as an official authority or in a legal public interest
  • Legitimate interests: you process personal data because it’s in your own interests or the interests of a third party; you have to balance your interests or third party interests against the individual’s interests and rights

Legitimate interests is the haziest GDPR lawful basis. You can only rely on it when you use people’s data in ways they could reasonably expect and that have a minimal impact on their privacy.

Whichever lawful basis justifies your data collection, you need to explain it in your privacy notice.

Is GDPR for small business any different?

Small business GDPR is no different from the standard rules and regulations. No matter how big or small your company, if you use and store personal information, you need to follow GDPR.

As a small business, you probably process a lot less personal data than a huge corporation. But you still have an obligation to keep that data safe and secure. And to use data in line with customer or client preferences.

What happens if you don’t follow GDPR?

If an individual is negatively affected because you don’t stick to GDPR guidelines, they can take legal action against you. They may be able to claim compensation.

The ICO also has enforcement powers. This means they can issue warnings and penalties if you don’t follow UK GDPR.

For cases where the ICO believes there is reckless or deliberate harm, it can issue fines of up to £17.5 million or 4% of your annual turnover, whichever is higher.

6 tips for a GDPR compliant website

Whether you already have a website or you’re getting one built, GDPR is an important consideration. Here’s what you need to do to make a GDPR compliant website for your small business.

1. Start with a data audit

Start by carrying out an audit of all the personal customer data you currently store to see if it’s compliant. Soft opt-ins don’t count, so you need to delete the data of any customers who didn’t give their explicit consent.

2. Establish data records

Keeping records is an important part of GDPR compliance. You need to keep a record of all the personal data you keep on file. The ICO provides a data record template and explains everything you need to include.

3. Create a privacy notice

You need to add a privacy notice to your site. This should explain how and why data is collected. It should also outline how the data will be used and how long it will be kept.

It should be easy for website users to access your privacy notice. Bonus points if you write it in simple, non-legal language that your users understand. Also, always include a link to your privacy notice when asking users to hand over personal information.

4. Get email marketing consent

You have to get specific and explicit consent to collect and store user email addresses. This means users have to actively opt-in to mailing lists.

Some companies make sure they get consent by using a double opt-in method. They ask customers to tick a box to opt in, and then to confirm their email address before they’re added to the mailing list.

5. Renew personal data consent

You should only keep personal data for as long as you need to. While the GDPR doesn’t specify time scales, it’s worth regularly checking that your customers want to stay on your database, even if they’ve given their consent previously.

You should also make it easy for customers to unsubscribe from your emails. Add an unsubscribe link to the bottom of every email and make the unsubscribe process as simple as possible.
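As an added example that is not part of the original post, here is a minimal double opt-in flow in Python covering tips 4 and 5: an address is only added to the list after the user confirms via a single-use, expiring token, the confirmed consent is timestamped and records where it was given so you can show it later, unconfirmed requests are purged rather than kept as soft opt-ins, and unsubscribing is a single step. The `MailingList` class, the 24-hour confirmation window and the sample addresses are assumptions, not anything the guide or the ICO specifies.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed confirmation window; not from the guide


@dataclass
class Consent:
    email: str
    source: str            # where the tick-box was shown, e.g. "checkout-form"
    requested_at: float
    confirmed_at: Optional[float] = None  # set only when the user confirms


class MailingList:
    """Hypothetical double opt-in list: nobody is subscribed until they confirm."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.pending: Dict[str, Consent] = {}      # single-use token -> request
        self.subscribers: Dict[str, Consent] = {}  # email -> confirmed consent

    def request_subscription(self, email: str, source: str) -> str:
        # Step 1: the user ticked the box. Issue an unguessable, single-use token
        # for the confirmation email; the address is NOT on the list yet.
        token = secrets.token_urlsafe(32)
        self.pending[token] = Consent(email, source, requested_at=self.now())
        return token

    def confirm(self, token: str) -> bool:
        # Step 2: the user clicked the link. Reject unknown, reused or stale tokens.
        request = self.pending.pop(token, None)
        if request is None or self.now() - request.requested_at > TOKEN_TTL_SECONDS:
            return False
        request.confirmed_at = self.now()  # timestamp shows when consent was given
        self.subscribers[request.email] = request
        return True

    def unsubscribe(self, email: str) -> bool:
        # One-step removal, as the unsubscribe link at the foot of every email should do.
        return self.subscribers.pop(email, None) is not None

    def purge_unconfirmed(self) -> int:
        # Soft opt-ins don't count: drop requests whose token has expired.
        cutoff = self.now() - TOKEN_TTL_SECONDS
        stale = [t for t, c in self.pending.items() if c.requested_at < cutoff]
        for t in stale:
            del self.pending[t]
        return len(stale)
```

In a real deployment the pending and confirmed records would live in a database, and the token would be sent in the confirmation email rather than returned to the caller.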

6. Get cookie consent

Website cookies are also covered by GDPR. If you want to use cookies on your site, for example for website analytics, then you must get consent from your users. You need to let users know that the cookies are there, what they are for and why you use them.

Other GDPR obligations for small businesses

Responding to personal data requests

People can ask you to delete or provide a copy of their personal information. This is called a subject access request (SAR) and you’re obliged to respond within a month.

Responding to a data breach

If there’s a serious personal data breach, you need to act quickly. You should contact the ICO within 72 hours.

Registering with the ICO

You may need to register with the ICO and pay a data protection fee. You can find out if you need to register by using their self-assessment tool.

Appointing a data protection officer

Some businesses are required to appoint a data protection officer. This person is responsible for making sure data collection within the company is compliant with new GDPR legislation.

Ready to make your website GDPR compliant?

We hope that our simple guide to GDPR has shed some light on what can be a complicated topic.

It’s clear that GDPR is important for any small business. And not just so you swerve a hefty fine or legal action.

Customers are more likely to trust your website and your company when you look after their data. And when you’re honest about how you use it.

We can help make your business website more GDPR compliant. We can add an email marketing opt-in form, a privacy policy or cookie management functions. Our dev and design team can also craft a GDPR compliant website from scratch.

So whatever your website needs, get in touch with the friendly Radical team to chat about your project.