
5 Common GDPR Mistakes That Small Businesses Make


Nearly two years on from the introduction of the General Data Protection Regulation (GDPR), several surveys show that a high percentage of small businesses are still confused by the rules and, as a result, could be in breach of GDPR, most likely without knowing it.

Being confused by, or not knowing, the rules is not a valid excuse for non-compliance. With the maximum fines under GDPR running into the millions for the most serious breaches, is that a risk your business can afford to take?

Below are the five most common GDPR mistakes made by small businesses.


1. My business has a privacy policy on our website and we only market to people who have subscribed. Surely this means my business is GDPR compliant?

GDPR is more than a privacy policy on a website or a subscribe/unsubscribe option in a business's marketing material. GDPR also requires businesses to comply with a number of other principles, including: knowing what personal data they hold and what it is used for; telling data subjects what personal data is held about them and how it is used; retaining personal data only for as long as it is needed; and keeping that data accurate and up to date. Some businesses will also need to register with the ICO and pay a data protection fee.

2. My business is very small, or I'm a sole trader, so surely GDPR doesn't apply to me?

The size of your business, whether measured by annual turnover or number of staff, does not matter, and neither does being a sole trader. If your business processes the personal data of individuals in the EU, it needs to comply with GDPR.

3. Thinking GDPR applies only to electronic data

GDPR applies to all personal data regardless of the medium it is held in, including electronic records, paper, video/CCTV, audio and microfilm. Also remember that GDPR applies to the personal data you already hold, not just the data you collect from now on.

4. Forgetting about your employees' personal data

Many businesses have focused on changing their processes and systems to ensure that the personal data of their customers is managed in accordance with GDPR. However, the personal data of their employees also needs to be managed in accordance with GDPR.

5. Now that Brexit has happened, I don't need to worry about it.

Now that Brexit has happened, the UK has entered a transition period with the EU, and the ICO has stated that the existing GDPR rules continue to apply in the UK during this time. Even after the transition period, any company that continues to process the personal data of individuals in the EU will need to comply with the EU GDPR. In addition, the UK government has chosen to retain the GDPR rules in UK law (the UK GDPR, supplemented by the Data Protection Act 2018), so Brexit is unlikely to change the obligations in practice and businesses still need to manage personal data in accordance with them.
©2022 by Northcote Records Management Consulting Ltd