How small businesses can prepare for new data regulations and GDPR


People will get more rights to force social media organisations to delete any personal data under a new law brought forward by government in the summer.

Minister for Digital, Matt Hancock say the new legislation amounts to the “right to be forgotten” by companies. This legislation has developed from calls during the election campaign that people should have the right to request that information that was posted from their childhood be deleted – good news for all the former emo teenagers who are still haunted by their old Myspace accounts whenever someone Googles them.

The main aim of this legislation is to make sure UK data laws are compliant with the new EU’s GDPR legislation which comes into effect on 25th May 2018.

The Information Commissioner’s Office has the power to impose a penalty of up to £500,000 for breaches of the DPA and once GDPR comes in, charges could be up to 4% of a company’s turnover, so how can small businesses prepare for new legislation and GDPR?

Under GDPR, personal data can only be processed for fair and lawful purposes. Personal data is any information relating to an identifiable person, for example, names, health information and location data including IP addresses. Your business should undertake a review of what personal data you’re processing. This can then lead to you deciding whether some or all of that data is irrelevant and can take measures to stop collecting such data. You must use clear and simple language when obtaining personal data, this ensures that the individual is giving valid and informed consent.

A clear and consistently applied data protection policy is key. You must be able to show that you have taken measures to safeguard personal data. Ensure all those that collect and process data understand and comply with the policy. Make sure any computers and software and records you have with personal data is encrypted and that any paper copies are secure and only accessible to those that process the data.

When recruiting, only collect information that is required for example – if driving is not a requirement of that role then you do not need to collect data on motoring offences. Data from unsuccessful applicants should be kept for no longer than six months. When writing job adverts state the purposes for personal data. When checking references only ask questions that are relevant to the role.

Invest in software that can help you find your data and this can help monitor compliance and the processes involved in dealing with data.