Small Business GDPR FAQ

Small Business GDPR FAQ

Small Business GDPR FAQ

In case you haven’t heard me yap on enough about it for the last 6 months,  General Data Protection Regulations (GDPR) is coming!!! The deadline for compliance is just 1 month away and if you’ve not already started preparing, start now!
If you’ve not complied by 25th May 2018 then you face a hefty fine! Over in the business support group there’s been lots of discussion happening as people start to make their plans to become compliant and there have been some FAQ’s along the way, mainly surrounding what GDPR means for small and micro businesses so I figured as we head towards crunch time it’s time for a blog post about Small Business GDPR FAQ.

Despite GDPR seeming overwhelming to prepare for and implement, it’s in the best interests of you as a business and for your customers. You’re more mindful of the data you’re holding, making sure to get consent – and your customers data has more protection. It is a win-win in the long run, although it might not seem like it at the moment.

This Small Business GDPR FAQ contains some of the FAQ’s asked by my clients and those in the business support group, but if you have any questions or I’ve not covered something you need to know – get in touch!


When does it come into force?

The new regulations come into force on the 25th of May 2018.

Who does it affect?

It affects anyone who processes EU residents data – so if you manage, handle or store data in any way (such as customer orders, mailing lists etc.), then it affects you.
The list of exemptions can be found here

What does the new legislation do and what does it mean?

There are many aspects to the new legislation and the principles are many and vary – it is also a living document so is will change and update regularly.
To be kept up to date with the latest you can visit the ICO.

The simplest way of explaining GDPR is that in theory it replaces the Data Protection Act and is all about protecting personal data and reporting breaches.

What’s the difference between a data processor or controller?

  • A controller determines the purposes and means of processing personal data.
  • A processor is responsible for processing personal data on behalf of a controller.

Depending on the nature of your business, you might well be both. For the purposes of this Small Business GDPR FAQ we will be focusing on both.

What is personal data?

Personal data is any information relating to an identifiable person who can be directly or indirectly identified by a piece of information.

This could include name, email address, postal address, date of birth and much more.

What’s the difference between the Data Protection Act (DPA) and GDPR?

There are several differences between the DPA and GDPR, including: the difference in enforceable countries, different governing bodies, penalties, the legalities surrounding data protection officers, and accountability.

The main 3 differences between the 2 are as follows:

Under the DPA businesses are under no legal obligation to report data breaches (although it was encouraged), under GDPR they’re legally obligated to report a breach within 72 hours.
With the DPA businesses had no legal obligation to remove any data they hold about an individual, whereas under GDPR data subjects have the right to be forgotten.
Under the DPA consent wasn’t a big issue and wasn’t necessarily required, however consent is the main focus of GDPR.

What is a breach and what happens if there is a breach?

Put simply, a breach is an incident where the protocol for personal data has not been followed, and if there is a breach you must report it to the ICO within 72 hours.
Because the change surrounding breaches is so vast, the best place for information about breaches is the ICO

How does this apply to my business?

This will change the way you  handle data. For example you will need to ensure you have regular backups of data from websites such as Etsy or Shopify to ensure you can notify customers in the event of a breach. You may need to encrypt and password protect your devices, invest in a lockable storage system for physical files and much more.

The best way you will understand how GDPR applies to your business is when you do your information audit (explained below), as you will see in front of you what data you hold and how you can make it GDPR compliant (and more secure!)

What does it mean in practice?

In practise it means privacy should be at the forefront of your mind and business at all times with every application or process, instead of being afterthought.

What do I need to do to be compliant?

Please see this GDPR Projection Plan which contains a checklist of everything you need to do to be compliant.

Where do mailing lists come into this?

Please see this GDPR and Mailchimp document which covers where Mailchimp fits into the new legislation.

What is the ICO?

The ICO is the UK’s independent body set up to uphold information rights

Will Brexit impact GDPR?

Despite Brexit coming within the next few years, GDPR will still apply and everyone still needs to comply.

How we can help

Virtual Bird are on hand to guide you through the GDPR process. Helping to make you compliant, providing you with the documents necessary to meet the compliance requirements including information audits, privacy policies and much more, as well making sure your website, Mailchimp and other services are compliant.
We have a variety of special offers running for GDPR at the moment. Please contact us to find out more.

It’s a good thing in disguise

Although GDPR seems like a massive stress, it’s actually a good thing in disguise. Customers love to know their data is protected, and by complying you will enstill trust in them – think of it as a selling point!
It’s also better for you as you’re not holding onto data you don’t need to!


I hope this Small Business GDPR FAQ has helped make GDPR less intimidating and helped to make you feel more prepared for the compliance deadline!
If you’re still confused or need more guidance, get in touch 🙂

Ana x



Leave a Reply

Your email address will not be published. Required fields are marked *