What exactly is GDPR?

In the digital age, businesses can hold tons and tons of data about their customers. This data could include everything from email addresses and bank details, to shoe size and marital history. But, until now, there has been very little regulation about how organisations collect and use that data. GDPR has changed all that.

Introduced in May 2018, the new set of rules enforced by GDPR aims to protect the privacy of individuals, giving them control over their data. The ruling affects any business across the world that collects or processes personal data about people in the EU. The UK government has also confirmed that after Brexit, it will continue to enforce GDPR.


Does GDPR apply to small businesses?

Yes, it does. The regulation applies to any business or organisation of any kind that collects data on EU citizens. So, even if you run a small business that doesn’t have a massive email database, you still have a responsibility to adhere to the regulation. And remember, the rules apply to employee and client data, as well as customer information.

It’s easy to get overwhelmed with all the details of GDPR, particularly when you have all the other responsibilities that come with running a business. So, it’s useful to remember that, at its most basic, GDPR means being careful and ethical with any data that you collect and process. If it ever feels like you are using someone’s data in a way that infringes on their privacy, then you’re probably stepping outside of the rules.


What about GDPR for freelancers?

Like any other business, freelancers and contractors are responsible for making sure that any data they use is fully managed and protected. This responsibility includes any data that you might use or process on behalf of a client. It’s important to remember that, even if you are under contract, you’re not protected under employee policies concerning data protection.

Now, all of that might sound scary, but there are some simple steps you can take to remain compliant. They include deleting any client data you have once a project or contract is finished, ensuring all of your anti-virus software is up to date, and keeping your devices encrypted and password-protected wherever possible. Common sense measures like this will be enough to stop you getting into hot water.


What does GDPR mean for marketing consent?

One common misconception around GDPR is that you can only collect and process data with the user’s explicit consent. While in many cases this is true, it is not always the case. There are actually six lawful bases for processing data, including legitimate interest and contract.

These terms can get quite complicated (and, at times, vague), but the important thing is to be clear on your legal basis for processing data before you start doing it. Luckily, the Information Commissioner’s Office (ICO) has built a handy tool to help you figure out the correct legal basis for your data processing.


Am I a data controller or a data processor?

Under GDPR there are two types of data users: processors and controllers.

Put simply, processing refers to things such as the recording, collecting, sharing, and storing of data. A data controller would do all the same things as a processor, but they will also be responsible for considering the purpose of the data processing.

Simple, right? No? Okay, here’s an example to help. Say you run a web design company. If you use third party software to capture and store customer data, then you are the controller (you decided to capture that data in the first place) and the third party software provider is the processor (because they collect and store that data). That said, if you manually inputted any customer data into a spreadsheet yourself, then you are the controller AND the processor.

The important thing here is to recognise where you fall in these categories and monitor your activities accordingly. You can find more help on assessing your business here.


Do I need to register with the ICO under GDPR?

According to the ICO, GDPR “requires every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt”. Which, in short, means that the large majority of UK businesses have to pay the fee.

As the stipulation suggests, there is a chance you could be exempt from paying the fee. The easiest way to find out if this is the case is to do the ICO registration self-assessment. It sounds big and scary, but it only takes a few minutes to complete, and the questions are straightforward.


How do I make sure my business is GDPR-compliant?

There’s no doubt about it – GDPR can be hard to get your head around. But one way to answer many of the questions you might have is to address the original seven principles. We’ve listed them here, with added explanations:

Lawfulness, fairness and transparency – Exactly what it says on the tin. Only use and process data when it’s lawful, fair to the user, and in a way where nothing is hidden.

Purpose limitation – If you’re a shoe retailer, it’s okay to record a customer’s shoe size. It’s not okay to record their eye colour.

Data minimisation – Using the above example, you only need to record the shoe size of your customer, not the colour of every pair of shoes they own.

Accuracy – Keep your data accurate and up-to-date. A tidy database is a compliant database.

Storage limitation – Data should be held in one secure place, and not replicated on various hard drives across your business.

Integrity and confidentiality – Make sure that you are taking all relevant steps to keep all data secure at all times.

Accountability – You should be documenting and recording the actions you are taking to remain compliant.


Where can I find out more?

If you have other questions about the implications of GDPR for you and your business, we highly recommend bookmarking the ICO’s Guide to GDPR and referring to it regularly.
