UK GDPR for small businesses - a checklist for compliance

What is the UK GDPR?

The UK GDPR is one of the main pieces of data protection laws in the UK. It was implemented into UK law by the Data Protection Act 2018. The UK GDPR sets out seven key principles:

1. Lawfulness, fairness and transparency

2. Purpose limitation

3. Data minimisation

4. Accuracy

5. Storage limitation

6. Integrity and confidentiality (security)

7. Accountability

These principles should be at the centre of all business's approaches to handling and processing personal data. The list below are ways in which businesses can comply with the principles, to help with navigation of the GDPR for small businesses.

How can my business comply with the UK GDPR? Checklist of compliance with the GDPR for small businesses

1. Data audit

The first step in achieving compliance with the UK GDPR for small businesses is to carry out a data audit. To understand the proper policies and procedures to put in place to handle personal data, your business will first need to understand the extent of the personal data that it processes, from internal data (e.g. about employees) to external data (e.g. about customers and suppliers). A data audit (or data map) will identify the data that you process and how it flows into, through and out of your business.

2. Records

Businesses must document the personal data they hold, where it came from, who they share it with and what they do with it. This document is sometimes called an “Article 30 Record”. The record should include:

• the name and details of the business and its data protection officer (if applicable);

• the categories of the processing carried out;

• details of transfers to countries outside of the UK and EEA including documentation of the transfer mechanism safeguards in place, if applicable; and

• where possible, a general description of technical and organisational security measures.

If a business has fewer than 250 employees it is only required to keep this record for processing activities that: (i) are not occasional; (ii) could result in a risk to the rights and freedoms of individuals; or (iii) involve the processing of special categories of data (e.g. health data) or criminal conviction and offence data.

3. Lawful basis

In order to lawfully process personal data, the UK GDPR requires that a lawful basis for processing is identified. There are six lawful bases:

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose. The UK GDPR sets a high standard for consent - it must be explicit, specific and granular and the individual must be able to easily withdraw their consent.

2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

4. Vital interests: the processing is necessary to protect someone’s life.

5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests. You should carry out a legitimate interests assessment (LIA) to assess whether this lawful basis can be relied upon.

If you are processing special category data or criminal offence data you need to identify both a lawful basis for general processing and an additional condition (known as an Article 9 condition) for processing this type of data.

4. Policies and notices

Individuals need to know that you are collecting their data, why you are processing it and who you are sharing it with. This information is given to individuals via a privacy notice. Find out more about privacy notices here.

You should also have internal policies in place to ensure that employees know how to handle personal data in a manner that will comply with the UK GDPR. For example, knowing how to respond to and report a data breach, knowing how to respond to data subject requests and knowing how long personal data can be lawfully kept for. Find out more about the different policies that your business should have in place here.

5. ICO registration

Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a data protection fee to the Information Commissioner's Office (ICO), unless they are exempt. Businesses can register online.

6. Processor contracts

Whenever you use a processor you need to have a written contract in place. A processor is anyone who handles or processes personal data on your behalf e.g. a software provider that has access to your customer’s personal data. You must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

Find out more about processor contracts here.

7. International transfers

The UK GDPR imposes restrictions on the transfer of personal data outside the UK and EEA. These restrictions are in place to ensure that the level of protection of individuals afforded by the UK GDPR is not undermined.

This means that where personal data is transferred to, or accessed from, a country outside the UK and EEA that does not have an adequacy decision, additional safeguards must be in place to ensure that the transfer is in compliance with data protection laws e.g. using standard contractual clauses.

8. Data protection by design

Under the UK GDPR, you have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated data protection into your processing activities. This is referred to as data protection by design and by default.

9. Data protection officer (DPO)

You may need to appoint a DPO. Any business can appoint a DPO but the UK GDPR requires the mandatory appointment of a DPO if you:

• are a public authority (except for courts acting in the judicial capacity);

• carry out large scale regular and systematic monitoring of individuals (eg online behaviour tracking); or

• carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

10. Data protection impact assessments (DPIAs)

You must carry out a DPIA before beginning any type of processing which is “likely to result in a high risk”. In particular, the UK GDPR says you must do a DPIA if you plan to:

• use systematic and extensive profiling with significant effects;

• process special category or criminal offence data on a large scale; or

• systematically monitor publicly accessible places on a large scale.

The ICO also requires you to do a DPIA if you plan to:

• use new technologies;

• use profiling or special category data to decide on access to services;

• profile individuals on a large scale;

• process biometric data;

• process genetic data;

• match data or combine datasets from different sources;

• collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);

• track individuals’ location or behaviour;

• profile children or target marketing or online services at them; or

• process data that might endanger the individual’s physical health or safety in the event of a security breach.

11. Training

It is not enough to just have paper-based policies in place. Those policies need to be implemented into your business’s day-to-day activities via staff training. You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after an appointment / employment starting, with updates at regular intervals or when required.

How can Docue help?

Docue has a range of data protection templates to make compliance with the GDPR for small businesses easy. The templates have been developed by privacy lawyers and are kept up to date to ensure that they comply with ever-changing privacy laws. All you need to do is answer a series of simple questions, and Docue’s technology will provide you with a fully customised document in no time at all. And don’t worry if you get stuck along the way, because Docue’s lawyers have provided guidance notes throughout to steer you through the document creation process.

Sign up now to use Docue's data protection policy and other data protection templates to help achieve compliance with the UK GDPR for small businesses.