Data protection: How to make sure your small business is following the law

Not sure where to start when it comes to data protection compliance? Are you a start-up, micro-business or SME looking to understand data protection laws and what you must do to obey them?

Perhaps you've taken on the role of data protection officer in your firm, or you're responsible for making sure your organisation's data protection procedures are fit for purpose?

Here, specialist data protection and legal affairs consultants Handley Gill set out their checklist for the steps small businesses should take to comply with UK data protection laws.

How to follow UK data protection laws

• Ascertain whether, and how, the UK's data protection legislation – which is the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2018 (PECR) – applies to your activities.

• Consider whether you need to register with the Information Commissioner on its register of data protection fee-payers.

• Identify:

  • the types of information that you collect/propose to collect from individuals in the course of your activities (including any special categories of personal data or personal data relating to criminal convictions and offences)

  • the individuals about whom you'll collect personal data

  • the sources of personal data

  • how you intend to use the personal data

  • the service providers who will come into contact with the personal data

• Determine whether you're acting as a data controller or a data processor for each of the processing activities.

• Determine the legal ground(s) on which you propose to process the relevant categories of personal data and establish any necessary mechanisms to meet the requirements of those grounds, including in relation to the use of tracking technologies such as cookies.

• Consider whether you need to complete a legitimate interests assessment in relation to processing activities.

• Consider whether you need to complete a data protection impact assessment (DPIA) in relation to processing activities that are likely to result in a high risk to individuals.

• Determine how long you need to retain each category of personal data and put in place a secure method of destroying personal data.

• If obliged to do so, maintain records of processing activities, or consider how you'll otherwise demonstrate that you comply with data protection laws.

• Assess the suitability of service providers to process personal data on your behalf.

• Make sure you have in place written data-processing agreements with service providers or data-sharing agreements (as appropriate).

• Identify whether your processing activities involve transferring personal data outside the UK and, if so, that these have a legal basis and are subject to appropriate safeguards.

• Consider whether you must appoint a data protection officer (DPO) and, if necessary, do so.

• Prepare and make available a privacy notice (or privacy notices) to affected individuals.

• Make sure that if you propose to use personal data for direct marketing purposes, you either have the individuals' explicit consent or have measures in place to rely on the 'soft opt-in'.

• Establish a process for handling data subject requests:

  • data subject access requests (SAR/DSAR)

  • right to rectification

  • right to erasure

  • right to restriction of processing

  • right to data portability

  • right to object

• Establish and deliver a data protection training programme.

• Draft a data handling policy setting out the standards to apply when processing personal data and how processing activities will comply with the data protection principles.

• Implement measures to keep personal data secure.

• Prepare an incident response plan that you can deploy if there is a data breach.

Relevant resources

• Nailing GDPR in five easy steps

• The six key elements of GDPR that business owners need to know

• GDPR and your employees