A basic guide to GDPR for small businesses

5th February 2018

1. What is the Data Protection Act about?


The main aim of the Act is to promote a high standard of handling personal information to protect the individual’s right to privacy. This Act applies to all companies which hold data about living individuals in paper or electronic format.

The 8 Data Protection principles for good data handling

All data must be…

  1. Fairly and lawfully processed
  2. Processed for specific purposes
  3. Adequate, relevant and not excessive
  4. Accurate and where necessary, kept up to date
  5. Not kept for longer than necessary
  6. Processed in line with the rights of the individual
  7. Kept secure
  8. Not transferred to any countries outside the European Economic Area unless information is adequately protected.

2. What personal information is covered by the Act?

The Act covers information that relates to a living individual. This is information where the individual could be identified. For example: name, address, date of birth etc. The individual has the right to access the information and correct it if the information held is incorrect.

3. What sort of processing is covered by the Act?



The term ‘processing’ is very broad and covers any action which is carried out on a computer. But in summary will include any of following in personal data terms: recording, holding, using, obtaining, disclosing, erasing or destroying.

4. What to do if you process information about individuals?


The Data Protection Authority requires the Information Commissioner to keep a register of:

  • Data controllers who are responsible for processing information
  • Which purpose they will use the personal data for

If you have this information about employees, customers, suppliers, clients or other members of the public. You may need to record this in the register. This is then called a ‘notification’. However not everyone needs to notify, if you process personal information for core business purposes like staff administration, accounting and own marketing.

To check if you need to notify. Please visit the ICO website by using their self-assessment guide.

5. Can individuals ask for their information?


Under the Act individuals have the right to get a copy of all information you hold about them on a computer or some manual filing systems. This is better known as a right of subject access.

If you do receive a subject access request. You must respond to it within 40 days. You are also entitled to ask for more information so you can confirm the person’s identity. You can also charge a fee of up to £10 for responding to the subject access request.

6. Why you should comply?


Because the new Act is a legal requirement, and it also makes good business sense for the following reasons.

  • Sending mailings to out of date records will annoy customers and waste both time and money
  • Good information handling will increase customer and employee confidence in the business
  • Keeping all information on your data subjects safe and secure will protect you against any claims or damages.

If you fail to notify or renew a notification, when you are not exempt from notifying is a criminal offence and punishable by fines up to £5,000. The Information Commissioners can also take enforcement action to make you bring your processing into line with the eight principles. But failure to further comply is punishable by a further £5,000 fine.

In cases where there is a breach of the DPA which is likely to cause substantial damages or distress and the data controller has failed to take steps to prevent this. The Information Commissioner has the power to impose a monetary penalty of up to £500,000.

7. What you must do


You need to make sure that you and all your staff follow the eight data protection principles. These principles are central to DPA and everyone that handles personal information.

You also need to find out whether you need to notify the commissioner of certain details of your processing.

If you would like more information on this or any aspect of Data Protection. Please feel free to get in contact and find out how we can assist with any changes needed within your business, we will be able to provide you with any documents, assistance and resources you need well ahead of the changes.

So why not contact Sally Phillips 07887 877521 or email sally.phillips@wardwilliams.co.uk and find out how Ward Williams can bring your business into line with the new data protection regulations.

Sally Phillips, Managing Director, Ward Williams

Related Posts