GDPR one year on: make sure your small business is compliant

Originally written by Chris Cook on Small Business

Despite the EU implementing strict rules around data protection last year, some SMEs haven’t made changes to be compliant, putting themselves at huge risk. One year on from GDPR, some small businesses are still exposed. Overlooking it could have costly repercussions by way of hefty fines and reputational damage.

On May 25 2018, the EU introduced its biggest transformation of data protection legislation with the introduction of the General Data Protection Regulation (GDPR).

Although most businesses were making sure they were compliant in the months leading up to its enforcement, many businesses (including SMEs) weren’t GDPR-ready.


Small businesses may consider compliance with the Data Protection Act 2018 (“DPA”, which incorporates the GDPR in the UK) to be another administrative burden and hope that, given their size, it might disappear if they keep their fingers crossed and ignore it. This isn’t the case; all businesses that process personal data are subject to the DPA.

Organisations found in breach of the DPA face administrative fines of up to 4pc of their annual global turnover or €20 million (whichever is greater).

GDPR one year on

Since the GDPR came into force, fines have been distributed across the EU, with smaller organisations also falling subject to scrutiny.

Small businesses get fined too

For example, in March this year, the Polish Personal Data Protection Office levied a €200,000 (£180,000) fine on a small digital marketing company (Bisnode). The company failed to action the GDPR requirement to inform data subjects of data processing activities. At the other end of the scale, Google was fined €50 million (£44 million) in January by the French Data Protection Authority (CNIL) for violating its obligations around transparency and appropriate user consent on its website.


The new laws were designed to keep all businesses better protected and help them face security breaches effectively. An SME should be doing the following to ensure it is processing data securely in line with GDPR one year on.

6 steps to ensure you’re GDPR compliant

Update policies and procedures

The individuals whose data your business uses must be informed through a privacy notice of the types of personal data you hold relating to them; how their personal data is to be used; and for what purpose(s).

An internal-facing data protection policy (a privacy standard) should be implemented. It should set out the principles and legal conditions you must satisfy when obtaining, handling, processing, transporting or storing personal data, and provide for customer, client, supplier and employee data. An updated policy will demonstrate how your organisation processes personal data and make employees aware of their obligations.

Businesses are required to review contracts with third parties where the processing of personal data is involved and ensure they’re updated with each party’s obligations, whether as a data controller or data processor.

Educate your organisation

All employees need to be aware of their data regulation obligations. Keeping them trained on your new policies, notices and procedures will ensure they’re followed consistently and promptly. In some organisations, a data protection officer must be appointed for formulating and implementing strategies on data processing and keeping the organisation educated. However, SMEs may not have capacity to make this appointment, due to lack of resources. If so, it’s worth outsourcing to a legal data protection expert to ensure everyone knows their responsibilities.

Re-evaluate consents

The DPA sets a high standard for consent. It must be explicit, freely given and unambiguous. Review your organisation’s consent mechanisms. In particular, make sure approval requires an affirmative “opt-in” action. This bans pre-ticked boxes as a legitimate form of giving consent, since no positive indication can be provided. It’s advisable to keep consent separate from other T&Cs and it shouldn’t be a precondition of signing up to a service. You must notify individuals about their right to withdraw consent, offering them easy ways to do so at any time.

If your existing consent mechanisms comply with the DPA, you don’t need fresh consent.

The right to be forgotten

A new rule under the DPA is the right to have personal data erased (“the right to be forgotten”). Although the right only applies in certain circumstances, your organisation must have the capability and procedures to comply with such requests. You’ll have one month to respond substantively.

Subject access requests

Every individual has right of access to their data and you’ll need suitable procedures to deal with subject access requests. In the employment setting, access requests are made in ongoing disputes or tribunal claims. Requests are increasingly made by individual customers who are dissatisfied with customer service. An individual may genuinely wish to see what personal data is being processed and if it’s accurate. Others make requests because of the time, effort and expense they can cause, and to achieve a settlement. Regardless of motivations, be helpful, respond substantively within a month (as opposed to 30 days under the old legislation) and provide the data in a machine-readable format. Under the DPA you aren’t allowed to charge a fee, save in limited circumstances.

Responding to data breaches

It’s essential employees are fully trained, equipped to understand and recognise what constitutes a data breach. Your data manager or data protection officer will need specialist training around responding to a data breach.

Employee error is highly likely to cause security threats in SMEs, and you will need to adopt internal procedures, and require the same from third-party processors, to deal with data breaches. Include how to identify a data breach, how it will be investigated and how to perform an assessment of the implications. Remember certain breaches must be notified to the information commissioner within 72 hours of being discovered, and the affected data subjects must be informed where there is a substantial risk of harm.

Small businesses should take actions to ensure their data is securely managed and those that comply with the GDPR one year on will not only avoid potential fines and reputational damage, but will find their data handling, compliance processes and contractual relationships are robust, reliable and will keep their business secure for years to come.

Chris Cook is a partner and head of employment and data protection at SA Law


Source: SmallBizUK

The essential guide to starting a business in Oxford

Originally written by Anna Jordan on Small Business

Oxford is becoming an increasingly desirable location for starting a business.

It’s within easy reach of other business hubs like London and Bristol, has a rich history coupled with grand architecture and is a real treat for literature fans.

Before we talk to the local small business owners, let’s look over some of the city’s key characteristics.


ONS mid-2018 population estimates had the population of Oxford at 687,500. Said population is ageing, with the number of people aged 85+ expected to increase as much as 63pc by 2032, according to the Oxfordshire Joint Strategic Needs Assessment. However, planned housing growth is expected to create a significant increase in the working age and younger populations. What’s more, the university means there’s a high rate of people aged 20-24 living in Oxford city.

Crime rate

The crime rate in Oxford is about the same as it is in similar areas. In the year ending December 2018, it was 105.22 per 1,000 population – around the same level as Northampton (105.79) and Reading (102.71).

As you might imagine, bike theft is more common than in other UK cities. Thames Valley Police says that 1,816 bikes were stolen last year. That’s around five bikes per day.

House prices

Most house sales in Oxford over the past year have been semi-detached properties with an average price at £507,303, according to Rightmove.


Oxford attracts seven million daytime and staying visitors per year, generating £780m of income for local businesses.

Transport links

Bus services run all around the city or you can jump on Stagecoach services to Bicester Village, Milton Keynes, Bedford and Cambridge.

Oxford has two train stations: Oxford Train Station and Oxford Parkway. The former runs regular services to London Paddington, London Marylebone, Reading and Birmingham New Street. Oxford Parkway goes to London Marylebone via Bicester Village.

The city doesn’t have an airport so your nearest options are London airports (Heathrow, Gatwick, Stansted, Luton and City) or Birmingham Airport. Heathrow and Gatwick have direct coach services to Oxford which run 24 hours a day.


Oxfordshire Business Support is the first place to visit for SME funding. It has the Elevate Grant which is made up of two offerings, one of which is for start-ups. You just need to have fewer than 250 employees and be based in Oxfordshire. The grant will be £1,000-£3,000 and is intended for job creation, start-up and growth.

OxLEP offers grants too but none were available at the time of writing.


What the entrepreneurs made of starting a business in Oxford

We asked three small businesses about their experiences of launching in Oxford to give you a greater sense of what it’s like.

Mike Roberts, founder of LegalShield, explains why the company chose Oxford as its UK base.


We have a few reasons for starting in Oxford – a couple of them quite obvious, I think. First of all, communication. Even today, the best method of communication is face-to-face, so it’s great to be situated where we are. It’s relatively easy to get here by road and it’s easy to get here by rail.

Oxford has really become a technology hub over recent years thanks to the science park as well as the business park. So, there’s a good level of IT support available which is incredibly important for businesses.

Sure, it’s more expensive than other areas of England, but it’s certainly less expensive than London.

Why Oxford wins over the capital

A couple of reasons again, not least of all the fact that it’s easier to commute in and out of Oxford than it is to London. I worked in London for seven years – this is definitely a nicer environment. Truly, when I looked at opportunities to set up in London or Oxford, I was struggling to think what the advantages of being in London are. I think the opportunities these days to work outside of London have become much more attractive.

Plus, Reading is already very busy and difficult to commute in and out of. There was no reason for us not to be in Oxford.

We now employ a dozen people here. The plan is that in 18 months’ time the employee base will double. At this point I don’t envisage that being a problem at all.

I also think it’s because of the types of roles that we’re looking to fulfil. Some of them are technology-based, some of them are people-based, some of them are training and education-based. Of course, when it comes to things like training and education, you couldn’t be in a better hub than Oxford. We’ve attracted a couple of people from the university and seven members of staff are local. We’ve already got a very strong team together.

The importance of outsourcing

We’re a start-up in our own right. There’s only so much you can do in-house and we need support with some other elements. The design of our website and the design of our apps is outsourced. We’re also using a local call centre for incoming calls. There’s the opportunity to outsource for all small businesses, especially start-ups. That’s a great way of making things cost-effective rather than adding it to your fixed cost base.

Because Oxford has this amazing tradition in education, people have got their eyes and ears open and are accepting of the need for change. The business enterprise here is very strong and the number of start-up businesses in Oxford over the past 18 months has been quite considerable.

The owners of the business park have been very supportive of us coming in. When we arranged our contract to take our office, they came up with some very flexible terms for us.

Ann Whorral runs Olivia May, a fashion boutique in Oxford. She thinks the city is an exciting place to live. 

I absolutely love it here! Oxford is a cosmopolitan city, as well as a huge draw for tourists, so it felt like the perfect location for a fashion boutique to showcase the work of international designers. It is such a beautiful city, with plenty of places to eat and lots of events happening all the time. It’s a real destination location that provides plenty of opportunities for people to get dressed up.

Its well-developed infrastructure allows a constant flow of people living, working and visiting, which for a retail business is so important.

A city fit for the fashion industry

Oxford also blends the classic with the modern, so it’s perfect for the Olivia May brand. We encourage people to shop ‘the old-fashioned way’ by buying classic, quality pieces that last and have a distinctly modern sense of expression.

As a vibrant university city, it is packed with creative young people seeking opportunities in the fashion industry. My job is to make sure that Olivia May has appealing career paths to offer.

My background in education has proved invaluable in relation to finding, recruiting and retaining talent. I have always had a passion for working with young people and one of my favourite parts of the job is nurturing talent.

Of course, some employees will move on after working with Olivia May, but if that’s what’s right for them, that’s great. I support my team to develop and thrive in their careers. Many do stay and those that move onto other things create space for me to welcome new people on board.

I have been in business five years now and start-up funding opportunities change all the time, but I do know that there is plenty of excellent business support available. The universities, the Chamber of Commerce and the council all offer lots of advice and support for those planning to launch a business, such as the Startup Incubator provided by the University of Oxford as well as advice and guidance from Oxfordshire Local Enterprise Partnership (OxLEP).

‘Life in Oxford is special’

Life in Oxford is special. It is a cultural hub and beautiful city to spend time in. Lots of people seem to agree because it is one of the top tourist destinations in the country.

The retail sector is strong here as well; I have noticed it growing and thriving in the time since I based my business in Oxford, in a way that definitely bucks national trends. For Olivia May that’s partly down to the appeal of the destination but mainly in getting our offering right and providing a retail experience for our customers.

But it also speaks volumes about the incredible business support we have here. Start-up businesses have a higher rate of success in Oxford than they do in many other parts of the country – that’s a great testament to Oxford’s entrepreneur community. There is no shortage of opportunities for business owners to network and seek support with groups such as Thames Valley Chamber and Oxford Business Network. The community has been a great help to us over the years and I am pleased to be a part of it.

Holly Pither set up Tribe PR on the outskirts to give her more space to write and spend time with her family.


For me the key was being able to work more flexibly around my family (baby daughter and husband). Being in PR, I really don’t feel that it matters where I work. My clients are based all over the UK and as long as I can travel to see them face-to-face and do regular Google Hangouts then location isn’t an issue.

Transport links around here are good, with trains out of Oxford Parkway, Oxford city itself and of course Didcot, Bicester and so forth.

We have two great universities nearby which is great for grads coming into the industry. Plus, if we can’t do something here at the agency, then I will look to my tribe of people to help nearby. Most of them work locally and their skills are exemplary. And because they’re based out in Oxfordshire, rather than in London, they can keep their costs at a sensible rate too.

I would say that Oxford’s main industries include motor manufacturing, education, publishing, information technology and science. We have quite a few science parks located here and of course the Harwell Campus too. It’s a hive of activity for young people and I love being inspired by all the great people doing innovative new things.

Living outside the city

I live right out in the sticks in a little village, so the peace and tranquility are perfect for writing and having time to think strategically. The quality of life is great too. While I may live in a tiny village, I have been surprised at how many like-minded professionals are on my doorstep. I met one person in an online networking group, only to find out he lived less than a mile away.

There are a number of networking events locally in both Oxford and Cheltenham too, and with the universities and Saïd Business School nearby we are so well served for great events and inspiring sessions that surprise and delight in their content.

Networking groups range from industry-focused groups covering off topics like sustainability and climate change to female networking groups like Mumpreneurs Oxfordshire, which I have attended on a number of occasions.

There are also some great venues to work in too. One of my favourites is Quarters Collective, which is a fantastic co-working space with wonderful coffee, great cake and a lovely working environment. They also put on some great events in the evenings.

It’s worth the extra effort to find contacts

Get out and network as much as possible. I found I really had to push myself to get out there and attend events since I moved away from London. Given they’re not always nearby and you need to think about logistics and travel a little more, it can be easier to avoid them altogether. But this is completely the wrong approach.

There are some amazing events locally and some fantastic people to meet who can form part of your tribe, so get out there and get connecting.


Source: SmallBizUK