Data protection challenges as SMEs unlock
Antonio Fletcher, Partner at Brachers LLP provides some insight and tips on what you need to prepare for when re-opening your business post lock-down.

As lock down eases and businesses begin to take their first steps back to normality there are a number of things to consider to ensure that you have done all that is necessary to meet Government guidance, to provide a safe environment.

Whilst much of their focus will have been on physical alternations that need to be made to their environments, many small business owners also need to be conscious of the need to take and retain customers’ contact details for 21 days. This is a crucial part of contact tracing aimed to reduce the spread of COVID-19.

The collecting and holding of such data will constitute data processing and will be governed by existing data protection laws which were brought into effect by the Data Protection Act 2018 which implemented the European General Data Protection Regulation (GDPR).

Enforcing the GDPR

The Information Commissioner’s Office (ICO) is the UK’s regulatory body for data protection matters and is responsible for the enforcement of data protection law here. The ICO has issued guidance to businesses regarding their obligations in these new circumstances. It is clear from this guidance that they recognise that some of the businesses expected to comply with these new rules will be amongst the least experienced in handling personal data and the requirements of data protection laws. It is, however, equally clear that the ICO expects data protection laws to be complied with. Businesses should therefore ensure that they are giving due consideration to their obligations in this area.

Reviewing existing policies

Businesses affected by the new rules on retaining customer details who already have processes and procedures for the processing of personal data should review these. This is to ensure that they are fit for purpose for the current circumstances.

Those that have not up until now implemented procedures and processes or who have not registered with the ICO as a data processor should do so now to ensure that they are legally compliant.

What businesses should be aware of


Failing to comply with data protection laws can leave businesses and individuals who process personal data open to substantial financial penalties if breaches are reported to the ICO. It is therefore important that businesses comply with these requirements and are aware of their obligations. This includes:

  • Being clear, open and honest with people about why you are collecting their personal data
  • The need to store personal data securely
  • Collecting only the personal data that is needed and no more than is necessary
  • Not utilising the data collected for any other purposes or sharing it with other parties
  • Keeping personal data for no longer than is needed and disposing of it securely
  • Responding to data subject access requests
  • Reporting data breaches to the ICO within 72 hours

The ICO’s guidance provides SMEs with a good foundation to ensure that they are doing the basics right, but some businesses are likely to require a more tailored approach to help to guide them through these obligations. It is important that businesses seek the correct level of support based on their levels of knowledge and the type of data processing they will undertake.