Plain-English guide to GDPR for small businesses

by Matt Stanley-Webb


As you probably know, the EU's GDPR (General Data Protection Regulation) applies from 25 May 2018, replacing the ageing 1998 Data Protection Act (and, across the EU, the 1995 Data Protection Directive that the Act implemented). The GDPR is the most significant tightening of data-handling and privacy law since the internet matured into the commercial medium it is today.

The primary purpose of the GDPR is to give control back to EU citizens and residents over the use of their data, and consequently, I am for it - but I also recognise the difficulty it presents for small businesses. This guide aims to help business owners understand what they need to do, hopefully using language that doesn't make you feel like you're wading through terms & conditions.


Who is this guide for?

This guide is for anyone who owns, or is responsible for, a UK-based small business, typically employing between 1 and 50 people, that has a business website advertising or providing services to individuals in the EU (the GDPR protects anyone located in the EU, not only EU citizens).

It is also for anyone who is frustrated by the vagueness of the many official 10,000-word GDPR guides that are full of legalese and never quite tell you what you need to do.

Please be aware that this guide is mostly my advice on making your website comply with the GDPR. This guide will not necessarily make your entire company compliant, but the principles I cover naturally extend into your other business activities, and I believe you'll finish this guide with a much better feeling for the principles and scope of the GDPR.

Disclaimer: this guide represents the views of the author solely, and is not intended to constitute legal advice.

How can I use this guide?

My suggestion for getting the most out of this guide is to start by reading this page in its entirety - this will give you a good understanding of what the GDPR is for, why it matters, and what it is trying to achieve. That overall understanding will help guide you in all of the GDPR-related decisions you and your company will face.

Once you have that under your belt, you should read the section on website forms and the section on Privacy Policies, as these are the most immediate areas in need of amendment and both require changes to your website.

Once this is complete, I suggest reading the remainder of the guide to get an understanding of the new Rights your customers have, and how to implement them. If you are not the business owner or a director, it is important that you communicate these Rights to management so that all of your staff are aware of these issues and act appropriately if a customer exercises any of their Rights.

Finally, you should read the sections on third parties, the use of marketing lists and data breaches to get a full understanding of the scope of the GDPR and follow the advice offered.

GDPR General Principles

At its heart, the GDPR is simple, well-meaning, and arguably necessary. Yes, really.

The GDPR asks us to respect our customers' data, their wishes, and to give customers enough information to make informed decisions about how we can use their data.

It insists we shift our perspective: any "personally identifiable information" we collect, store or share (the GDPR's own term for this is "personal data") remains under the control of our customers. Think of your customers' data as remaining theirs at all times, not as just a business asset.

From 25 May your customers will have the following rights:

  • to know what data you collect about them;
  • to know how you use their data;
  • to see a copy of their data on demand;
  • to have their data deleted on demand (subject to limited exceptions, such as records you are legally required to keep);
  • to have their data corrected on demand;
  • to object to certain uses of their data, including direct marketing;
  • to receive the data they gave you in a portable, machine-readable format;
  • to know whom you share their data with - and why.

Your website is affected by this, and it is your responsibility to ensure you comply with this change in the law. The maximum fines are deliberately enormous - up to €20 million or 4% of worldwide annual turnover, whichever is higher - to force large corporations (often the worst offenders) to pay attention, and only time will tell whether fines of that scale, or some reduced form of them, will be applied to small and micro businesses.

What is "Personally Identifiable Information"?

Personally identifiable information is any information that can be used, on its own or in combination with other information, to identify, contact or locate a single person, or to identify an individual in context. Typically this is your customer's name, postal address, email address and telephone number, but it extends to further information such as what the customer orders from you and, on a website, to online identifiers such as IP addresses and cookie or session IDs. Generally, I call this "customer data" or "personal data" in this guide.

Consent is King

The GDPR emphasises the idea of customer consent. Consent means that you tell your customers very clearly how you intend to use their data and give them a genuine choice on whether to agree to that use. Consent is only one of the lawful bases the GDPR allows for using personal data - processing that is necessary to fulfil an order a customer has placed, for example, rests on the contract with that customer rather than on consent - but for anything optional, such as marketing, consent is what you will normally rely on.

Consent should not just pay lip-service to the law. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: a pre-ticked box, silence or inactivity does not count, and consent must be as easy to withdraw as it was to give. Genuine consent puts customers in charge, builds trust and engagement, and enhances your reputation.

You will also need to be able to prove customer consent and show what information you gave to your customer at the point that they gave consent. We discuss specifically how this applies to websites and, in particular, online forms, later in this guide.

Not Just Customers

To make this guide more readable, I refer to personally identifiable information as "customer data" or "personal data" and to the people to whom the GDPR applies (the GDPR calls them "data subjects") as "customers", as this is usually the most applicable group. However, the GDPR applies in full to any group of individuals your business stores or processes information about, including suppliers and, importantly, employees.

Can't I just ignore all this?

That would be nice, wouldn't it? But in my opinion, no. The GDPR is not just another "cookie law" - which was misjudged (IMHO) and had no real enforcement behind it - the GDPR is a set of laws that clearly defines the principles businesses must follow in handling their customers' information in order to do business lawfully with individuals in the EU.

Now that the internet makes collecting data routine and the computerisation of almost all systems makes the sharing of that data trivial, the GDPR is playing catch-up to give us all the control we both need and deserve.

Who does the GDPR apply to?

The GDPR applies to any business established in the EU that collects, stores or processes customer data. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU (for example, through website analytics or tracking).

Does the GDPR apply to business-to-business (B2B) companies?

Yes. The GDPR does not attempt to define separate rules for B2B and business-to-consumer (B2C) services - the GDPR applies to any "personally identifiable information". Arguably, if you could be certain your customers would never use their names and would only use generic, role-based email addresses, the GDPR would not apply to your data. In practice, however, the vast majority of information stored, even by a B2B business, points to a specific individual (a named contact, a direct dial number, a personal work email address), so the GDPR applies - in full.

Does the GDPR apply to small business?

Being a small business doesn't mean that the GDPR does not apply to you. The GDPR does recognise that small businesses have fewer resources and usually pose less risk: you won't normally need to appoint a Data Protection Officer (that obligation depends on what you do, such as large-scale monitoring of individuals, not on your size), and the duty to keep a written record of all "processing activities" is relaxed for organisations with fewer than 250 staff. Be aware, though, that the record-keeping exemption only covers processing that is occasional, so if you hold a customer database that you use day to day you should still keep a simple record of what data you hold, why you hold it, and whom you share it with.

However, for the vast majority of businesses, you'll be required to ensure you're compliant with the principles of the GDPR - your business must comply if it's involved in regular processing (which includes collecting, storing or using) of any personal data.

In my opinion, it is easier to follow the GDPR and get compliant, than to spend time figuring out how you can avoid complying, especially if you're working without legal guidance.

It's also important to note that even if your company falls under one of the few exemptions, if you're contracting with a larger company that conducts large-scale processing you may still be subject to the harsher end of the GDPR regulation: if you handle personal data on that company's behalf, the GDPR requires a written contract setting out your obligations, and your customer will expect you to meet them.

What about Brexit?

We know that the GDPR contains multiple awkward challenges and that some UK businesses are hoping Brexit will nullify these rules. However, the UK Government has made it clear that, whatever happens with Brexit, the GDPR applies in the UK from 25 May 2018 (the Data Protection Act 2018 sits alongside it in UK law) and that equivalent data protection requirements will remain in force once the UK has left the European Union.