PPI Principals of GDPR for Small Businesses: Navigating Data Protection

“So, all we have to do to implement these 11 chapters containing 91 articles in 261 pages of data protection regulation and all our worries about our clients, staff and suppliers’ Personally Identifiable Information (PPI) will be over?”

“Yes, that’s it.”

“Jess how long have you worked here?”

“Erm, 20 years since last spring. “

“How many people work here Jess?”

“About 60.”

“Jess, who is going to do it?”

“I don’t know, but someone has to!”

“It’s about IT isn’t it, Jess?”

“Well, it’s a bit more complicated than that…”

“Jess, you’re the IT person, come back when you have done it!”

Sound Familiar?

GDPR Requirements – The Must Do’s

The General Data Protection Regulation is a hard sell, even to a large organisation. Unfortunately, or fortunately, it’s a necessary one. Why? Here are just a few reasons:

  • You must obtain an individual’s permission to process their data.
  • You must ensure any data you collect and keep — is kept to a minimum, and is anonymous where possible and necessary.
  • You must tell the Information Commissioner’s Office (ICO) if an individual’s data was stolen or lost.
  • You must be careful of how you transfer data. This applies both in UK Law (under the DPA 2018) and in Europe (under the GDPR).
  • You must provide a mechanism that allows individuals to request what personal information you hold about them.
  • You need to ensure processes are in place to allow individuals to be “forgotten”.

These are just some of the directives included in the 91 Articles in the GDPR alone. When you consider that these are MUSTs, it can be a daunting read and one that sends shivers down the spines of SME’s IT directors.

And there is a very good reason why. Data Protection is not just about IT.

So Where Do You Begin with PPI Compliance?

A simple place to start is to define what your Information Assets are. Information about people is where you should start, as the primary goal of the GDPR is to protect the privacy of individuals and protect them from personal data breaches. It states very clearly that individuals have “the fundamental right” to privacy and data protection.

This is a very good thing. Just imagine a world where your data was not your own. Your digital footprint was at the mercy of everyone else. You had no rights to protect your anonymity and there was no way of finding out what information any organisation (be it law enforcement right down to a guy in his back bedroom sending out videos of his cat that you like) holds about you.

You might be feeling that this does not apply to you as a small business. You may also be feeling that what you do as a business means that you don’t process or control the information that the GDPR is concerned with. You may feel like the required security measures are unattainable in your organisation.

I am willing to bet a free day’s consultancy with Risk Crew that you process far more PII than you realise. Do you hold the names, phone numbers and addresses of customers? Then it applies to you.

It’s not all bad news. The regulation does make some concessions for micro, small and medium-sized enterprises.

“To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.”

The Article that sits in the minute’s document on the European law site it’s not in the GDPR. It sits in Document 32003H0361. And herein lies the main problem. The reason GDPR and DPA guidelines are so impenetrable is that they MUST consider other laws and regulations (in many cases, ones that were written many years ago) that were in place before the regulations were implemented. For example, the aforementioned Document 32003H0361 was written into law on the 6th of May 2003.

What Does Document 32003H0361 Mean to You as a Small Business?

It means that the GDPR and DPA are both not written in a way that makes them easy to understand, let alone easy to implement. But there is a very simple way to cut the problem down into smaller chunks.

Make sure:

  • You know what data and information you are processing.
  • You understand what subset of this information and data is PII.
  • You establish what subset of the PII carries a special category PII.
  • You have the basic mechanisms in place to service the rights of the individual subjects of this PII.

Treat Data as If It Was Your Own

This may seem like scaremongering, but at its heart, the GDPR and DPA are there for the safe processing and controlling of your own personal data too! So, it makes sense to be both aware of it, and where you see other individuals’ data and information, you control and process it in a way that you would expect your own personal data and information to be managed.

The main issue in implementing Data Protection policies and processes in SMEs — is the time and resources needed. The aforementioned IT person “Jess” has now got a whole new tranche of work to do. What is even more frustrating is that Jess was right, it’s not just an IT thing. Just because a vast amount of business transactions are carried out using technology, these are only the container and carrier of the information. The contents are PII. These could just as easily be on a piece of paper in a sealed envelope being mailed somewhere, with the carrier being the Royal Mail, the container being the envelope rather than a packet of data being sent over fibre optic cable. Your responsibilities are the same because the content is the same — it’s someone’s Personally Identifiable Information.

Not Sure Where to Start Within Your Organisation?

If this all seems a bit too much to take on board. Why not ask for a GDPR gap analysis from Risk Crew? We talk in plain English, have done this many times before and are happy to help you and your “Jess” on their data protection journey.

If you don’t have an internal resource like Jess, we can provide a DPO as a Service option. This allows you to have a dedicated consultant as much or little as needed to help get your compliance on track.


GDPR Requirements



Risk Crew