BPP University BPP Professional Education | Tel: 0330 060 3444

GDPR and your business – it’s not too late!

Lewis Boyce is a student at BPP law school studying the GDL. Lewis also volunteers with the BPP Pro Bono Centre as a Student Assistant for the BPP Enterprise Pro bono Clinic. With a keen interest in how changes in data protection law affect business, Lewis authored this article under the supervision of Angela Cahill, Supervising Solicitor for the Clinic. The Clinic can provide free commercial legal advice on changes under the data protection law and how your business can comply. Please contact us on 0330 060 3633 or to book an appointment.

What is GDPR?

The General Data Protection Regulation (GDPR) regulates how your business protects your customers', suppliers' and employees' data. It became legally binding on May 25th 2018. Whilst the Regulation attracted a lot of attention this spring, it's not too late to think about how to change the way you collect and use your customers' data to become compliant.

Who will it affect?

Prior to May, the way your business processed data was governed by the Data Protection Act 1998 (DPA), which affected almost all businesses; GDPR is expected to do the same. It will impact all businesses that regularly process (use/collect/store) personal data of EU citizens, regardless of size or location.

Key concepts

Data controller vs. data processor: GDPR distinguishes between businesses that determine the purpose and means of processing customers' personal data (data controllers) and those that process data on behalf of a controller (data processors). Most customer-facing businesses will be data controllers even where they are involved in processing the data too, whereas a third-party data storage company, e.g. Google Docs or Analytics, would be a processor.

The Information Commissioner's Office (ICO): this is the independent public authority responsible for GDPR enforcement. Its pages on GDPR are very helpful and are constantly being updated. It also has a page dedicated to small businesses.

Key changes

  • A summary of the changes can be found here.
  • A glossary of key terms is also available here.

Penalties: GDPR will be stricter than the DPA. The ICO can fine companies up to €20 million or 4% of global annual turnover (whichever is higher). However, the ICO will use fines as a last resort and stresses cooperation over punishment. Of the 17,300 data breaches reported in 2016/17, only 16 organisations were fined. The fines are also proportional to the size of the business, and the ICO will take into account the nature of the breach (e.g. whether it was done by accident and whether it was a repeat offence).

Personal data: The definition of personal data has also been expanded. It previously covered data such as names, addresses, email addresses, dates of birth, photos etc. It now also refers to any information that can directly or indirectly identify a person. This means new kinds of data will now be considered personal data under GDPR, such as IP addresses, mobile device IDs or CCTV images.

Your customers' rights: GDPR will give data subjects greater rights. Obtaining consent will require an active opt-in from the user, also referred to as 'positive consent', meaning there can be no pre-ticked boxes (e.g. for marketing emails). It should be easy for the customer to withdraw from having their data collected and processed, separate from general terms and conditions, and all parties to whom consent is given must be named. Data subjects must also be informed immediately if there is a high-risk breach and can request their data at any time in a commonly used readable format.

Tips to be GDPR compliant

  1. Know your business
  • Is your business a data controller or a processor?
  • What is the lawful basis for your data processing? (Direct consent / necessary for performance of a contract / compliance with EU or national laws / etc.) A summary of the lawful bases can be found here.
  • The ICO has a data-assessment toolkit which can guide you through some of the areas you should be thinking about.
  • Some businesses will need to register themselves with the ICO, which is known as 'notification'. Take a test here to see if you need to register.
    • This has an annual fee of £35.
    • Failure to notify can result in a fine of up to £5,000.
  2. Know your data
  • What sort of data are you processing? Is it personal data? Is it sensitive personal data? Where is it coming from and where is it going? How much are you processing?
  • It does not matter whether the data is manual, automatic, digital or physical; the GDPR will still apply.
  • Conduct an audit of the personal data you hold. You should ask yourself questions such as: what personal data do you hold? Where did it come from? What do you do with it? Do you share any data with third parties? A helpful template to use when conducting an audit can be found here.
  3. Get consent
  • Ensure you have positive consent from your customers.
  • This includes existing customers as well as new ones, so make sure to revisit old mailing lists to check how each customer consented. If you are unsure, either get consent again or remove them from the list.
  • Any new customers should positively consent to marketing emails; they shouldn't be sent to them by default.
  4. Have a data breach plan
  • A data breach is not limited to being hacked. For example, it can also occur if you alter personal data without permission or accidentally send personal data to the wrong person.
  • If it is likely that the breach is a risk to your customers, you must report it to the ICO within 72 hours.
  • The report must include a description of the breach, the name and contact details of your DPO or your company, a description of the consequences and a description of the measures taken.
  • If the breach is a high risk to people's rights under GDPR, you must notify the individuals affected.
  • Uber recently got themselves into more hot water when it was revealed they had concealed a data breach.
  5. Store your data securely
  • Make sure that your software is up to date, and check regularly for potential updates. Carphone Warehouse was fined by the ICO for a breach caused by not keeping their WordPress software up to date.
  • Keep strong passwords on all accounts, create passwords for hard drives or memory sticks, and set your screen to lock if you are away from your computer or device for a few minutes.

The GDPR can be confusing, and the Information Commissioner anticipates that small businesses will have questions about their responsibilities. For this reason, it has set up the Small Business Helpline on 03031231113, which will answer your questions on data protection.


Finally, it is important to note that you will still need to be GDPR compliant in spite of Brexit. This is not only because Brexit will occur at least 10 months after GDPR compliance is required, but also because GDPR applies to companies whether they are inside the EU or not – the only requirement for GDPR to apply is that the company processes EU citizens' data.

The UK will be able to make changes to GDPR once it has officially left, but the government has indicated that it will implement an equivalent or very similar legal mechanism upon leaving, as GDPR has been endorsed by both the ICO and the UK government.