How Does GDPR Affect Small Businesses?

Read our tips on what small businesses need to understand about the world of GDPR and how GDPR best practice can be implemented within an SME.

Updated on 23/11/2020

We live in a digital age, in which our online activity leaves a ‘digital footprint’ on the web. As we shop for products, sign up for offers and discounts, and choose which YouTube videos to watch, algorithms work behind the scenes to collect our data and build pictures of us as consumers.

This data can then be used by various companies in their marketing and sales activity, which can have benefits to you as a consumer. If, for example, you share your email address with your favourite clothes brand, they may send you some favourable discount offers as part of their remarketing activity. There can also, however, be some downsides to sharing personal data.

As a consumer, it’s impossible to remember every online form you’ve filled out, and it’s difficult to gauge whether you’re happy with exactly how companies are using your data. That’s why the General Data Protection Regulation (GDPR) was invented. It’s a 2018 update to European law which decrees how data should be stored, accessed, and shared.

So, ‘what does GDPR mean for my business?’ you may ask yourself. That’s exactly what we’re going to answer in this article, in which we’ll:

Firstly, then, what is GDPR?

What is GDPR?

Link defines GDPR as ‘the toughest privacy and security law in the world’. It’s a collection of hundreds of pages of legal requirements that companies must comply with in order to ensure that consumer data is properly handled, stored, and used.

A key feature of GDPR law is that it outlines individual rights, determining the control an individual should have over their own data, including understanding what data companies are storing that pertains to them. There’s also guidance on how to protect children’s data and handle criminal offence data, as well as strict regulations that require businesses to secure consent from customers during data capture.

How to comply with GDPR as a small business


So, what’s the practical impact of GDPR on a small business? How can you ensure that your practices are GDPR compliant?

A good place to start would be to identify the data-touchpoints within your business. If you run a subscription service, what data are you collecting on your customers? If your marketing activity includes giveaways or competitions that require customers to fill out forms or agree to terms and conditions, there’s a key touchpoint you need to focus on.

Also investigate how you process and handle data. Are you storing customer data securely? Is the data you’re storing up to date and relevant? You should ideally be able to describe your data collection process as a timeline, from the first touchpoint where you acquire data to the end goal of deleting customer data when it’s no longer required.

Essentially, GDPR compliance for small businesses requires that you identify your own data processing methods, take responsibility for the processing of your customers’ data, and process data in a way that’s consistent with key GDPR principles. Let’s take a look at exactly what those principles are.

Key GDPR principles to be aware of


You can read a full guide to GDPR on the government’s website; however, here’s our condensed summary of the key principles you need to be aware of within GDPR.

Lawfulness, fairness, and transparency


The processing of data by a company must be lawful, fair, and transparent with regard to the individual. That means handling data in a way that’s legal and committing to informing customers of how you’re handling their data if necessary (certainly if they were to ask).

Limiting the purpose of data collection


Data should be collected for specific, legitimate, and explicit purposes. For example, if you run a giveaway on social media designed to promote your brand, it’s fine to capture entrants’ data provided you give them an option to consent and they understand how you are going to process their information. It may also help you to gain a better understanding of who your social audience is, meaning that data may prove extremely helpful. But you shouldn’t then look to use that data for other purposes after the fact.

Data should not be used and further processed in a way that compromises the initial intent behind your data collection. That said, further ‘scientific, historical research, or statistical purposes’ could constitute fair usage.

Data minimisation


Essentially, be specific with the data you’re looking to collect. Ensure that it’s directly relevant and limited to the exact purpose of your data collection. For example, if you’re collecting data to improve your mass-market advertising for a specific product range, trying to acquire data on customers’ criminal histories would not be relevant to your goal.

Data should be kept up to date and accurate


Companies must ensure that every reasonable step is taken to erase or rectify personal data without delay, and also to keep data as up-to-date and accurate as possible.

Storage limitations


Essentially, identifying personal data should only be stored for as long as necessary based on the purposes for which the data was originally collected. This principle is intended to safeguard individuals’ personal rights.

Confidentiality and integrity


Naturally, the processing of data must be conducted in a secure way that doesn’t compromise the integrity of the data set. It could be disastrous if a customer’s personal data were to be accessed unlawfully due to your company’s failure to protect sensitive data with passwords, for example. Alternatively, sharing confidential customer data in an email chain in which external parties not employed by your company are cc’d could constitute a data breach.



As a business owner, you must make it clear who within your business is accountable for ensuring compliance with these GDPR principles. Someone must take responsibility for data processing by law.

Building a GDPR policy


Incorporating these key concepts into your small business’s GDPR policy is likely to promote best-practice data handling which you can proudly inform your customers of. Being a company that places importance on having a solid GDPR approach is something you could include in your marketing activity, and perhaps even include in the ‘about us’ page on your website. Customers may feel more comfortable knowing that you take GDPR seriously.

The principles above aren’t the full GDPR picture, though. It may also be worth scanning Chapter III of GDPR, which concerns an individual’s rights. Essentially, customers should be able to contact you and ascertain exactly what data you hold on them.

If a customer contacts you to request that you delete their data, you may be required to oblige and remove all identifying data. This includes items like spreadsheets, and even email interactions that contain identifying data. Not to mention that you’re legally required to erase old consumer data after a period of time in line with the accuracy principle.

What happens in case of a GDPR breach?


The ICO is an independent body set up to uphold information rights. Their guidance notes that, in the case of a GDPR breach, you are legally required to inform those affected without delay. If there’s a significant chance that there’ll be negative consequences as a direct result of the breach, then it’s incredibly important that you let customers know immediately and take steps to resolve the issue.

GDPR - Frequently Asked Questions


Let’s take a look at some quick answers to common GDPR questions.

What does GDPR stand for?


General Data Protection Regulation.

What are the 7 principles of GDPR?


The European Union defines the key principles as:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

When did GDPR come into effect?


GDPR came into force in the UK on the 25th May 2018.

Who does GDPR apply to?


GDPR regulations apply to every EU citizen and company. This is still the case during the Brexit transition period, and whether the regulations apply afterward depends on UK-EU negotiations.

How to report a GDPR breach?


Aside from actions such as informing your affected customers of a breach, it may be wise to report a GDPR breach to the Information Commissioner’s Office.

GDPR was incorporated into UK law through which act of parliament?


Through the Data Protection Act 2018 – which you can find here.

How to make your website GDPR compliant


Beyond the data processing principles outlined above, make sure that you give customers the option to consent to providing their data when you ask for it. Following this key principle requires that you have terms and conditions set up on your website that outline how you’re going to use the data.

How does GDPR affect marketing?


In a whole host of ways. If you’re running any form of data collection (such as giveaways, competitions and promo offers), you need to give customers the option to consent to providing their data. This is a legal requirement and affects a whole host of marketing activity, which is why many organisations both small and large elect a GDPR officer (typically within the HR team) to ensure that best practice is implemented.

Is there any GDPR lingo I need to be aware of?


The legal language used within GDPR includes a few pieces of jargon that it may help to be aware of. This includes:

Data controller – The person responsible for determining how data will be processed in your business.

Personal data – Any information that could identify a customer either directly or indirectly. Demographic and technographic data is a typical example of this; do you store information on a customer’s age, gender, or shopping habits?

Data processing – The act of storing, analysing, and using customer data.

Data processor – The individual within your organisation who handles data personally and determines how it should be used and stored.

Data subject – The individual with whom data is concerned. Typically, this will be a customer; however, it could also be an ex-employee.
