A guide to data protection for small businesses

A recent survey by GDPR.EU found that only 36% of small business owners believe their organisation is mostly compliant with the GDPR (General Data Protection Regulation), which became enforceable in May 2018.

We know that when you’ve already got a lot on your plate, as a small business owner it can seem completely impossible to navigate data protection rulings and make sure you’re doing everything you can to comply.

However, it’s essential that you stay well informed about what you need to do in order to avoid possible penalties and ensure you’re seen as trustworthy by your employees and customers.

We’ve put together a guide to help you understand the need for GDPR compliance, and what you need to do to stay on top of data protection in the workplace.

In this data protection guide for small business, we’ll cover:

  • What is GDPR?
  • Does GDPR apply to small businesses?
  • Why is GDPR compliance important?
  • A GDPR compliance checklist for small businesses
  • How long to keep employee records

What is GDPR?

GDPR refers to the set of European data protection rules that took effect in May 2018, replacing the 1995 Data Protection Directive. In the UK it was brought in alongside the Data Protection Act 2018, which replaced the Data Protection Act 1998. The GDPR is considerably more detailed than what came before it, with much stricter penalties for businesses that don’t comply.

The intention of the new rulings is to allow individuals more control over their personal data and make clear to organisations that they have a responsibility to protect the data that they have access to.

Does GDPR apply to small businesses?

Despite common misconceptions, the answer is yes, GDPR does apply to small businesses.

The main concession for organisations with fewer than 250 employees is a narrower record-keeping obligation (see the purpose limitation principle below); the principles and individuals’ rights apply in full. Since almost every business stores or uses the personal information of employees and/or customers, you will be covered.

This means that you’ll have to create policies and procedures in order to protect that data, as well as informing people about where it will be stored, how long for and why.


Why is GDPR compliance important?

For small businesses, the most obvious reason to comply with data laws is to avoid the penalties. The maximum fine for a severe infringement of the GDPR is €20 million (about £18 million) or 4% of annual worldwide turnover, whichever is greater. That is an especially harsh penalty for a small organisation that may not yet be turning a profit.

Another reason to ensure good data protection is that it will create trust in both your employees and your customers. Both groups want to know that their private information is as safe as possible in your hands, and that you’ll always be open and honest about how it will be used.

For employees, this will make them feel valued within your company, and could contribute to a boost in morale and performance. For customers, it will improve confidence in your brand and make them more willing to spend money and continue to work with you.


A GDPR compliance checklist for small businesses

Here at citrusHR, we follow the seven key principles laid out by the ICO (Information Commissioner’s Office), which come from Article 5 of the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Below we use plainer labels for the same principles, which makes the topic much easier to understand and remember.

The essential principles of GDPR compliance are:

1. Transparency

Right from the start, it’s essential that you’re always truthful and open about how you will be using people’s personal data and why. All documents and privacy policies should be written in clear, plain language that’s easy to understand and accessible to all.

Individuals have certain rights surrounding their personal data, two of which are the ‘right to be informed’ and the ‘right to access’. This means a person should be told about how their data is being used, and be able to request a copy of all their data that you have stored.

You shouldn’t make it difficult for customers or employees to exercise these rights or to withdraw consent they have given; doing so will damage their trust in your brand.

2. Minimisation

Data minimisation means only collecting personal data that is relevant and necessary to fulfil your purpose. To do this, you must first decide what the minimum amount of data you need for that purpose is (see the purpose limitation principle below). You should hold that much information and no more.

Regularly review the amount of data you have for each individual and decide if it is still necessary to keep. If not, ensure you delete it, so as to comply with the data minimisation principle.

Every person, in certain circumstances, has the ‘right to erasure’ (often called the ‘right to be forgotten’), which means they can ask you to delete the data you hold about them.

3. Purpose Limitation

Whenever you need to access and store a piece of personal data, you need to define your purpose for processing it. This will help individuals to understand how their data is being used and decide if they are happy to share their details with you.

Organisations with fewer than 250 employees are exempt from the formal record-keeping requirement in Article 30 of the GDPR, unless the processing is likely to pose a risk to individuals, is not occasional, or involves special category data. Even where the exemption applies, it’s still best practice to document how you are complying with the GDPR. You will also need to set out your purposes for processing personal data in your privacy information.

If you discover that you need to use some data for another purpose that you did not originally document, you can only do so if at least one of the following applies:

  • the new purpose is compatible with the original purpose (e.g. they are closely related and the new use won’t negatively impact the individual)
  • you get the individual’s specific consent to the new purpose (which they can withdraw at any time)
  • there is a clear legal provision requiring or allowing the new processing in the public interest, for example a new function for a public authority

Special category data is personal information that is extra-sensitive, for example health records or trade union membership. To process this type of data you need both a lawful basis for processing (Article 6) and a separate condition for processing special category data (Article 9), which can be chosen from a list of ten options.

4. Retention

The retention principle (the ICO calls it ‘storage limitation’) means that you only keep a subject’s personal data for as long as necessary. That period could vary according to what you are using the data for, which will need to be defined (see the purpose limitation principle).

You must be able to justify why you are keeping the data for as long as you are. A good idea could be to create a standard policy of retention periods for each type of data, which can be adjusted if needed.

With HR software, personal data can be deleted automatically after a set period of time, which means that you won’t have to go looking for it. This will help to save time and stress, while ensuring your compliance with this principle of the GDPR.

In some cases, you can keep personal data for longer, for example for public interest archiving, scientific or historical research, or statistical purposes.

5. Security

To practise good data security, you need to make sure that appropriate measures have been taken to keep people’s personal data safe. That means considering the physical security of your premises, of paper documents and of your IT equipment, as well as who within the business can access which records.

Carry out a risk analysis to identify any areas where data security could be lax. Are files left on desks when not in use? Are all computers password protected and locked when unattended? Is access to personnel records limited to the people who need it? It’s best practice to store HR documents in a system with proper access controls, and to use encryption so that sensitive details can’t be read by the wrong person if a device or file goes astray.

Another element to consider is any third party you share data with, for example if you sub-contract your payroll to another company. Where that company processes the data on your instructions (a ‘processor’), Article 28 of the GDPR requires a written contract setting out what they may do with the data and how they must protect it; where they decide for themselves how to use it (a separate ‘controller’), a data sharing agreement should lay out the expectations and responsibilities of each side. Either way, get the terms in writing before any data changes hands.

Take care to regularly review your security policies and procedures to ensure they’re still effective and fit for purpose.

6. Accuracy

It is an employer’s responsibility to make sure the personal data they hold is not misleading, which means keeping it accurate and up to date. Carrying out periodic checks and audits on the data you have will help you to recognise any discrepancies or errors. It’s a good idea to document any changes you make to the data.

Individuals have the ‘right to rectification’ if they believe any data you are holding about them is inaccurate. Having HR software means that employees can log in and change some personal details such as their home address themselves, which cuts down on admin time for employers.

7. Accountability

As an employer, you’re responsible for ensuring your business stays compliant with the GDPR, so as to protect your employees and customers from harm. This involves creating effective data protection policies, implementing security measures, keeping evidence that you have done so, and reporting data breaches.

A personal data breach must be reported to the ICO within 72 hours of you becoming aware of it, unless it is unlikely to pose a risk to the rights and freedoms of the individuals affected. If the breach is likely to pose a high risk to them, you must also tell those individuals without undue delay. Record every breach, whether or not it has to be reported. You can significantly reduce the chance of a breach by training your staff to follow your policies and use common sense to keep personal data safe.

Reiterating simple measures such as not clicking suspicious links in emails, shredding confidential documents when no longer needed, and password protecting or encrypting documents before sending them can go a long way towards preventing a serious data breach.


How long to keep employee records

As stated above in the ‘retention’ principle, you should only hold personal data for as long as you need it to fulfil a purpose. However, there are some general guidelines to follow if you’re unsure about what length of time is appropriate for each type of data.

Some are best practice, whereas others are down to your own discretion and purpose. Make sure you seek advice and confirmation if you’re uncertain about when to get rid of any records.

For past employees, the general rules are:

  • P45/P60, personnel files and training records – 6 years
  • Payroll, maternity and paternity – 3 years
  • Working Time – 2 years

After an employee leaves, don’t think you can immediately wipe them from the system because you won’t need them anymore. It’s possible that they decide to bring a tribunal claim against you, which would require access to their data. A former employee can also request a copy of all the information you hold about them, and under the GDPR you normally have one month to respond.

For job candidates who are unsuccessful, it’s a good idea to keep their data on file for at least 6 months after they apply, just in case they make a discrimination claim. If for any reason you need to keep the data for longer, you must ask for their explicit consent.
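The retention table above is easiest to apply if it is written down once and checked automatically, rather than rediscovered every time someone leaves. The following Python script is an added example, not code from the original article or from citrusHR’s software: it encodes the retention periods listed above (which remain your own responsibility to confirm), computes a deletion date for each record from the leaving or application date, and handles the two exceptions the text raises, a live tribunal claim (modelled here as a hypothetical legal-hold flag) and a candidate who has consented to longer retention. The record kinds, names and dates are constructed sample data.

```python
"""Retention-period check for HR records (added example, not citrusHR code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention periods in years, counted from the date the employee left.
# Figures follow the table in the article; confirm them with your adviser.
RETENTION_YEARS = {
    "p45_p60": 6,
    "personnel_file": 6,
    "training": 6,
    "payroll": 3,
    "maternity_paternity": 3,
    "working_time": 2,
}
# Unsuccessful candidates: keep for 6 months from the application date.
CANDIDATE_RETENTION_MONTHS = 6


@dataclass
class Record:
    subject: str
    kind: str                 # one of RETENTION_YEARS, or "candidate"
    trigger_date: date        # leaving date, or application date for candidates
    legal_hold: bool = False  # hypothetical flag: e.g. a live tribunal claim
    consent_until: Optional[date] = None  # candidate agreed to longer retention


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    next_month_start = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def retention_end(rec: Record) -> date:
    """Last date on which the record may be kept without a new justification."""
    if rec.kind == "candidate":
        end = add_months(rec.trigger_date, CANDIDATE_RETENTION_MONTHS)
        # Explicit consent can extend the period, never shorten the minimum.
        if rec.consent_until is not None and rec.consent_until > end:
            end = rec.consent_until
        return end
    if rec.kind not in RETENTION_YEARS:
        # An unclassified record has no documented purpose: refuse rather than guess.
        raise ValueError(f"no retention period defined for {rec.kind!r}")
    return add_months(rec.trigger_date, 12 * RETENTION_YEARS[rec.kind])


def retention_end_for(kind: str, trigger_iso: str) -> str:
    """Convenience wrapper taking and returning ISO dates."""
    return retention_end(Record("-", kind, date.fromisoformat(trigger_iso))).isoformat()


def review(records: List[Record], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Sort records into delete / hold (needs a human decision) / keep."""
    result: Dict[str, List[Tuple[str, str]]] = {"delete": [], "hold": [], "keep": []}
    for rec in records:
        key = (rec.subject, rec.kind)
        if rec.legal_hold:
            result["hold"].append(key)       # never auto-delete under a hold
        elif today > retention_end(rec):
            result["delete"].append(key)
        else:
            result["keep"].append(key)
    return result


# Constructed sample data: a handful of former staff and candidates.
SAMPLE_RECORDS = [
    Record("A. Smith", "personnel_file", date(2012, 3, 31)),
    Record("A. Smith", "payroll", date(2012, 3, 31)),
    Record("B. Jones", "working_time", date(2018, 1, 31), legal_hold=True),
    Record("C. Patel", "personnel_file", date(2017, 9, 30)),
    Record("D. Lee", "candidate", date(2018, 11, 15)),
    Record("E. Khan", "candidate", date(2018, 11, 15), consent_until=date(2019, 11, 15)),
]


def review_sample(today_iso: str) -> Dict[str, List[Tuple[str, str]]]:
    return review(SAMPLE_RECORDS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for bucket, items in review_sample("2019-06-01").items():
        print(f"{bucket}: {items}")
```

Run the script on a schedule and feed the "delete" list to your deletion process and the "hold" list to whoever handles claims; an unknown record kind deliberately raises an error so that unclassified data gets a documented purpose before it is stored at all.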

To sum up

Although there’s a lot to take in, it’s so important to do all you can to ensure that your small business complies with the GDPR.

Remember, the data you store should be:

  • communicated clearly to individuals
  • only the amount that is needed
  • for a particular purpose
  • only kept for as long as needed
  • kept secure
  • up to date and accurate.


Our HR software provides a secure place to store data, which can then be pulled out easily if requested by an individual. The software can also generate privacy policies to be signed by your employees.

Get in touch on info@citrushr.com or give us a call on 0333 014 3888 to find out more about our easy to use HR Software.

Or start your free trial today.


The content of this blog is for general information only. Please don’t rely on it as legal or other professional advice as that is not what we intend. You can find more detail on this in our Terms of Website Use. If you require professional advice, please get in touch.
