Understanding GDPR - the risks and the benefits for your business

If you are in business, it is essential for the future of your organisation that you understand GDPR.

What is GDPR?

The General Data Protection Regulation is a legal framework that protects people’s privacy. If you use personal information for business, you must adhere to it.

GDPR covers anything and everything to do with personal data, for both business and retail customers:

  • Names
  • Emails
  • Telephone number, etc.

If you are in business, you will have personal data.

We all collect data from lots of different sources:

  • Current customers
  • Past customers
  • Suppliers
  • Sales prospects, etc.

What is personal data?

What is Personal Information?

Apart from the obvious name and address, it is anything else an organisation has either directly about a living individual (date of birth, education, email) or which is related to, identified, or found by reference to their name (so order history, diary screens, appointments, claims, pet, online ID and so on).


What formats for holding data are covered?

It can be in any format; paper, electronic, picture, video, audio recording, from documents, telephone calls, live chats, apps, websites and so on.


Identifying a person directly or indirectly

If the person can be directly identified using that information, or indirectly identified, then the information is personal information. An example of indirect would be, “an English prince, red hair, who married an American actress.” No name has been stated, but two people can be identified.


Private or business capacity

It does not matter if the person is dealing with you in a private or business capacity. All that matters is that you are dealing with a living human being in the UK/EU and have information that is of, about or relates to or is organised in relation to them and they can be directly or indirectly identified.

Does my business have to be compliant?


GDPR applies to every business, organisation and club in the UK, whatever the size. There are very few exceptions.

Many business owners think, that to be compliant you just need to have a privacy policy. This is wrong. You must look at your:

  • Collection of data
  • Data security
  • Data control
  • Your people’s knowledge
  • Storage of data - why/how long
  • Your suppliers’ compliance

Failure to be compliant can mean that you are open to being sued or fined.

How do I become compliant?

You have to ensure that the way you collect, use and store data meets the ICO guidelines and all GDPR rules.

To be compliant, you must look at all aspects of how you handle personal data within your business.

  • Collecting data lawfully
  • Sharing data lawfully
  • Holding and storing data
  • Managing data
  • Sales & Marketing & Websites
  • Destruction of data

These rules apply to both business and retail customers data.

What can happen if I ignore GDPR?

You can be sued, fined up to £18m, or worse

Many small businesses are now being affected by GDPR Claims. It is not just big fines that cause a problem.

  • Disruption to your business
  • Loss of income
  • Cost of fighting claims and the legal fees
  • Size of claims = £1,000 to £5,000 per customer
  • Fines up to £18m / 4% turnover

To ensure that GDPR claims are not going to negatively impact your business, you need to be compliant.

The Information Commissioner's Office

The ICO have the power to impose massive fines, regardless of the size of your business.

£5,000 could be a massive fine to a small business and create serious difficulties for them. Whereas £100,000 could be negligible for a large business. The term 'massive' is relative - but whichever way you look at this, fines can have a massive impact on a business, not just financially, but also commercially.

What can happen to directors?

Directors can become personally liable to shareholders.

That means their houses, cars, savings, shares and pensions are personally at risk.

As a limited company, can't I just liquidate my business?

No. Unlike when a company gets into financial difficulties, for GDPR liquidation is usually not an option.

Data and your supply chain

It is an essential requirement of GDPR that each business reviews the GDPR compliance status of all those in its own supply chains, both up and down, to make sure all the personal data that flows through those chains is safe and handled correctly.

The benefits of being compliant

If you understand GDPR and implement the ICO guidelines and rules into your business, it can bring real advantages.

Ensures business security

By being GDPR compliant, you are protecting your business against all the cost and disruption that comes from being sued or fined.

Even if you do survive the expense, these cases can take many man-hours and a great deal of stress to deal with.

Ensures customer security

When you are holding people's personal data, you have an obligation to keep it secure.

Imagine being forced to tell all of your customers that their data is not secure with you

If you lose personal data, you have to inform those who's data you have lost about the breach (unless fully encrypted).

Customer confidence

Clearly demonstrating that you are GDPR Compliant can give you a competitive edge

Just as we now automatically look for the padlock of security on websites when we are ordering goods, we are all becoming more aware of how a site should look if it is GDPR compliant, and we will become increasingly aware of this. The Data Guardsman software ensures that your business will have the marks of compliance as well as the demonstrable outward signs of being GDPR aware.

The importance of GDPR compliance for B2B

Many businesses are now looking to ensure that their suppliers are GDPR compliant.

Being GDPR compliant gives businesses a competitive edge as a recent report by CapGemini confirms*. It said that although businesses initially found compliance a cost and a pain, after it was done they found staff morale, customer retention, and profitability increased.


Gain peace of mind

There are not many business owners who want to go to the trouble of ensuring that their organisation is GDPR compliant. Once it is completed, it does bring real peace of mind.

Protect the value of your business

If you ever plan to sell your business, being non-GDPR compliant can have a serious impact on its value. In more and more business sectors, checking on GDPR compliance will be an important part of due diligence.

Happier staff

Uncertainty over how you are using personal data may not just be restricted to your customers. Many employees are becoming concerned over how data might be being misused.

Becoming GDPR compliant shows a real level of care and professionalism to your staff as well as your customers.