Data protection & GDPR: How to improve compliance in your small business

People are more concerned about safeguarding their personal data than ever before, and who wouldn’t be when more frequently you hear about companies suffering data breaches? The latest story, breaking just a few days ago, is already being dubbed the “Mother of All Data Breaches” with billions of data records leaked. There’s also a lot of chatter on LinkedIn about the platform’s push to get users to verify their identity by sharing passport details.

I’m sure that you’re more careful than you’ve ever been with YOUR data, but how far have you gone in considering how secure the personal data is that you hold about your clients?

Data protection is a massive area that I could write dozens of blogs about. It’s a complex – and some would say boring – subject, but one that business owners can’t afford to ignore.

It’s also a subject mired in fear, myths, and uncertainty with some unscrupulous consultants tying their clients up in knots of red tape they don’t fully understand and charging thousands for the privilege.

In my first blog on the topic, I’m aiming to explain some of the basics of GDPR, why small business owners should care about it, and give some initial tips on how to get started improving your data compliance arrangements.

Let’s get started!

What is the GDPR?

The General Data Protection Regulation is an EU law which came into effect in 2018, its main aims being to give individuals greater control over their personal data and to harmonise data protection laws across Europe.

Who does GDPR apply to?

The GDPR applies not only to businesses within the EU but to ANY organisation outside the EU that processes the personal data of EU residents. It applies to the largest global corporations right down to the smallest businesses and individual freelancers.

Although the UK is no longer part of the EU, the GDPR is enshrined in UK law under the Data Protection Act 2018, which means that until such time as the UK government changes the law, it remains in force here and therefore continues to protect the rights of all individuals in the UK, too.

Some basic definitions under GDPR

Personal data: Any information relating to a person who can be identified directly or indirectly by using an identifier like a name, address, ID number, location data, an online identifier or one more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Data subject: An identifiable living individual to whom personal data relates.

Data processing: Any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means), such as collection, recording, organizing, structuring, sorting, altering, retrieving, consulting, using, disclosing, disseminating, restricting, erasing, or destructing.

So, I am a data subject and I have given some of my personal data to my GP. They know my name, address, phone number, email address, NHS number, and entire medical history. Staff at the GP practice process my data in various ways. For example, they use my phone number to text reminders about appointments, record new test results against my name, and organise my medical records in their electronic filing system.

Individuals have rights under GDPR, and organisations (including your business) must follow certain key principles when it comes to processing personal data. 👇

The rights of individuals under GDPR

1) You have the right to know whether an organisation is processing your data and if so, you have the right to access that data.

2) You have the right to request correction or completion if the personal data is inaccurate or incomplete.

3) You can request the deletion of your personal data under specific circumstances, such as when the data is no longer necessary for the original purpose it was collected.

4) Under certain circumstances, you can request a restriction on the processing of personal data which means that data can still be stored but not processed any further.

5) You have the right to receive your personal data in a structured, commonly used, and machine-readable format so that you can transmit it elsewhere.

6) You can object to the processing of your personal data in certain situations, such as for direct marketing.

7) You also have rights that protect you when it comes to automated decision-making and profiling.

The cookie consent banner on my website

What organisations must do under GDPR

1) Organisations must process data lawfully, ensuring fairness and transparency in their practices. They must tell people about how their data is used, collected, and shared.

2) Data should be collected for specific, explicit, legitimate purposes, and any additional processing must be compatible with the original purpose.

Let’s look at an example:

I sign up to your mailing list on the understanding that I will receive marketing emails from you. You have a specific, explicit, and legitimate reason for emailing me i.e., I’ve asked you to.

You would not be able to share my email address with a company down the road so they can do the same. You did not inform me that is what you intended to do with my data, and you don’t have carte blanche to do what you like once you have it.

3) You should only collect data that is necessary for the intended purpose. In other words, you should collect the minimum amount of data that you need.

Another example:

You provide a sign-up form on your website so I can join your mailing list. You will obviously need my email address so you can send me emails, and you’ll likely want to know my name so you can personalise them. You do not need to know my nationality, marital status, or date of birth to be able to email me, so you should not collect these details.

4) You should ensure that the personal data you collect and process is correct and kept up to date.

5) You should not keep personal data for longer than necessary which means you should set retention periods for different types of data.

6) You must process personal data securely, ensuring protection against unauthorized and unlawful processing, and against accidental loss, damage, or destruction.

7) You must demonstrate compliance with GDPR which includes maintaining detailed records of data processing activities and implementing measures to ensure privacy by design and default.

So why should you care about GDPR?

1) The law requires it!

Compliance with GDPR is mandatory for businesses that process personal data, regardless of their size. Sticking your head in the sand and ignoring it puts you at risk of substantial fines which may cripple you financially.

The Information Commissioner’s Office (ICO) is the UK’s supervisory authority when it comes to data protection matters. It employs over 500 staff with offices in each of the four nations and investigates complaints made against businesses concerning data breaches and non-compliance with GDPR. The public is also more aware of their data privacy rights than ever before, so you ignore GDPR at your peril.

2) It builds trust and reputation.

If you pride yourself on doing business with integrity, ensuring you’re fully compliant with GDPR will help you attract high-quality clients who value the responsible handling of their personal information. Similarly, if you suffer a data breach or are found not to be complying with GDPR, your reputation will suffer. Negative publicity is damaging to any type of business.

3) It enables you to compete in a global market.

More than 157 countries now have some sort of data privacy laws. GDPR is seen as the gold standard and its requirements are the toughest to meet. Suppose you do the work to be properly compliant with GDPR. In that case, you’ll also be in a good position when it comes to compliance with other data protection laws around the world. That sets you up for smooth business operations on a global scale if you’re keen to expand and take on overseas clients.

4) It advances partnerships and collaboration.

Many larger organisations require their smaller suppliers to comply with GDPR as part of contractual agreements. Can you be sure that you’ll get through their due diligence checks? What about inspections? Will you pass those if someone comes to look at your records? Non-compliance with GDPR can mean you lose out on lucrative deals.

5) It gives you bragging rights!

Emphasising ethical data practices in your marketing materials will help attract clients who prioritise responsible business conduct.

GDPR compliance is a further justification for charging premium rates. If you provide a high-end service, every single element of your business should be top-notch.

So, now I’ve given you plenty of reasons to ensure your business is fully compliant. 👇

How my website’s Privacy Policy looks

How can you improve your data protection arrangements?

Here’s a handful of tips to get you started:

1) If you’re not already registered with the ICO, do so.

Some businesses are exempt from the annual registration fee. You can check whether you need to pay or not by using the self-assessment tool on the ICO website. 

There’s a fee calculator on the ICO website, too.

Most small businesses pay between £40-60 per year, and you get a £5 discount for paying by direct debit.

2) Use business/professional versions of software and operating systems.

Free software – I’m particularly thinking about Gmail and Outlook, etc. – doesn’t give the same protections as paid business and professional versions. You shouldn’t be using free software to run your business anyway, as you’re in breach of licensing laws.

3) Check all software platforms you use and find out where they transfer your business data.

In this global age, software companies transfer their user data around the world to optimise performance and responsiveness, as well as comply with local regulations. You shouldn’t use providers that transfer your business data without adequate contractual arrangements in place. You’ll find this detail in their individual privacy policies.

4) Ensure that your contracts have adequate clauses relating to data protection.

If you’re asking clients to sign a contract that states something along the lines of “each party agrees to act in accordance with the provisions of GDPR”, that is insufficient.

5) Ensure that your website has a thorough Privacy Policy or Privacy Notice that is tailored to the specifics of your business.

Your Privacy Policy must be as user-friendly and understandable as possible. There are numerous things it should contain, including an explanation of:

  • the legal bases you rely on to process personal data
  • how and why you use personal data
  • how you protect personal data
  • who you share personal data with
  • international data transfers


Achieving GDPR compliance is essential for small businesses looking to build trust with their customers and mitigate the risks associated with data breaches. If you follow the tips I’ve given above, you’ll be further along your journey to full compliance and protecting the privacy of your clients’ data.

If you run into any problems when working through my tips and want to ensure full compliance in your business, I’ve got three solutions for you:

1) You can work with me in the Power Partnership, and I will sort out everything listed above plus ALL the other things you need to be fully GDPR compliant, plus make sure you understand it all. I’m affiliated with KoffeeKlatch Ltd, legal and data protection experts who’ve been supporting small businesses since the 1980s, and work through their extensive but commonsense process to ensure that your business is fully compliant.

2) If you’re unable to invest in the Power Partnership you can purchase the KoffeeKlatch process in the form of a DIY course for £150+VAT and sort it yourself. 

If you go for this option, please use my affiliate link as a thank you for telling you about it. I’ll earn a small commission which will buy me a coffee. Here’s my link: It will take you to the course purchase page which gives you all the details you need.

3) I pride myself on being fully transparent in conducting my business. If neither the Power Partnership nor the DIY course is the solution for you, KoffeeKlatch also offers a group programme, where you can sign up to work through the course with KoffeeKlatch guidance over 12 weeks. The investment is £750+VAT. The next round runs in September 2024.

Again, if you go for this option, please use my affiliate link as a thank you for telling you about it. Here’s my link: It will take you to the group programme purchase page which gives you all the details you need.

If you have any questions at all, about any of the above, send me an email to and I’d be happy to chat to you. 😊


Everything you need to know about the Power Partnership

You might have noticed that I’ve been talking about the Power Partnership recently. It’s my programme designed to help stop established businesswomen from drowning in their to-do lists and free up time to make an even bigger impact in the world. Joining the Power Partnership is an investment in your

Read More »

Meet my client: Emma Watkins from Prospero Planning Ltd

Name: Emma Watkins Business Name: Prospero Planning Ltd Years in business: 12 Years since we started working together: 2.5 Emma is the sole director of Prospero Planning Ltd, a planning consultancy based in Cardiff, Wales. Emma and I were introduced by a mutual friend in the summer of 2021, and

Read More »