Data protection basics for small businesses
by Aleks Chardakliev, Rocket Lawyer paralegal
UK data protection legislation protects people’s privacy and makes sure that their personal data (e.g. information about contact details, health, beliefs and more) is not misused. In the modern age of e-commerce and information, most businesses that serve customers or employ anybody will be working with personal data. Working with (or ‘processing’) personal data can be as simple as recording customers’ addresses or employees’ birthdays.
UK data protection laws
The Data Protection Act 1998 has been replaced by the Data Protection Act 2018, which sits alongside and supplements the UK General Data Protection Regulation (UK GDPR). Together, these two instruments form the basis of UK data protection legislation.
The original GDPR is an EU regulation that no longer applies directly in the UK. However, its provisions have been retained in UK law as the UK GDPR, which applies to any business in the UK that processes personal data. If you offer goods or services to people in the EU (or monitor their behaviour there), the EU GDPR will still apply to that processing, so you will need to follow EU GDPR guidance as well.
This legislation requires small businesses to adhere to the key data protection principles and to uphold individuals’ rights, including the right of customers and employees to access the personal data you hold on them and, in certain circumstances, to object to the way you use it. Because individuals have a right to influence how you use their data, the collection and use of data should be transparent, and the data itself should be kept secure.
As a small business, you’ll generally handle a far smaller volume of data than a large business. Although the volume may be less, you still need to have the necessary procedures in place to be able to protect individuals’ data and to deal with their requests, as per the requirements of UK GDPR.
What steps should a business take to ensure it complies with data protection laws?
Certain legal documents help businesses to communicate data protection information to customers and employees, and preparing them also prompts businesses to put the underlying data protection procedures in place. Both help a business meet its data protection obligations. Key compliance documents that you should consider creating for your business include:
A privacy notice
You should make a privacy notice if you employ anybody in your business, because UK GDPR requires you to tell individuals how their personal data will be used. A privacy notice tells employees what you will do with the personal information they give you in the course of their employment: how you use it, how you store it, and whether you disclose it to third parties. It also makes employees aware of their data protection rights.
Privacy policies are for customers. They set out similar information to privacy notices, but they’re tailored to the information you ask customers to disclose when they use your service (e.g. to buy your products).
Privacy policies reassure customers that you’re using their data in a correct, safe way.
A data protection impact assessment (DPIA)
A DPIA is a document that guides you through the process of assessing the data protection risks created by a project. A DPIA is required when your business carries out processing that is likely to pose a high risk to the rights and freedoms of the people to whom the data relates. Types of processing that could require a DPIA include large-scale processing and processing of highly sensitive (‘special category’) data, such as health data (e.g. COVID-19 vaccination records).
A data protection and data security policy
This comprehensive internal policy document sets out an employer’s data protection practices relating to employees’ and clients’ data. It covers a wider range of data protection considerations than a privacy notice, and in more depth.
A data processing agreement (DPA)
Your business will need a DPA if it processes personal data on behalf of another organisation, or if another organisation processes personal data that your business controls.
A DPA is the agreement between a data controller (the party that decides why and how personal data is processed, e.g. your business where your own customers’ data is concerned) and a data processor (the party that processes the data on the controller’s instructions, e.g. your business when you handle another business’s data to perform a service for it). A DPA sets out the processes, responsibilities, and any technical and organisational measures required for the processing carried out under the agreement.
Making your business GDPR compliant
You can use Rocket Lawyer’s templates to create your:
- Data processing agreement (DPA)
- Data protection and data security policy
- Data protection impact assessment (DPIA)
- Employee privacy notice
- Consultant privacy notice
Creating these data protection documents helps your business to comply with data protection laws. However, you should also ensure that your business actually adheres to the processes described in your documents. For more information on data protection compliance, read Rocket Lawyer’s guidance. You can also use Rocket Lawyer’s GDPR compliance advice service if you need help with data protection compliance.