We asked John Giles, a lawyer from Michalsons law firm, to share the most important tips for small businesses who need to manage personal data and privacy. Here’s what he had to say.

As a small business owner, the list of things you're responsible for can seem endless. If your business processes personal data, one of the most important items on that list should be how to protect this sensitive information. Most data protection articles are written for large organisations (like banks and healthcare providers), so we've compiled the top tips for small business owners, whose requirements are very different.

The impact on your business

The impact of data protection will differ from one business to another, depending on the amount of personal data your business processes. If you sell ice-cream to the public from a physical store, you probably won't need to ask for (or store) any of your customers' personal data, so the impact on your business is low. However, if you're developing an app that helps people get fit and stay healthy, you'll need a lot more personal data. In essence, if processing personal data is a key part of your business model, the impact of data protection and privacy on your business will be high.

Small business exemptions

There are many things that small businesses are (or should be) exempt from having to do, so don't get caught up doing things you don't have to. For example, you probably don't need a data protection officer or an active information officer. You probably don't need a PAIA Manual. And you almost certainly don't need a record of your processing activities. Over time, the information regulator may extend the exemptions available to small businesses.

Focus on the important things

Focus on the essentials for your business. If you have a mailing list for email marketing that brings in lots of business, make sure you're getting it right: let people opt out easily and be careful about who you add to the list. If you're a B2B business that processes personal data on behalf of other businesses, build trust by assuring them that you protect the personal data you process for them. The clauses in your contracts dealing with personal data, confidentiality and intellectual property will be important.

More than a privacy policy and training

Many organisations think that data protection compliance means having a privacy policy and training their employees. Those are two important aspects for many small businesses, but they're not the whole story. A privacy policy explains to your customers how you process their personal data and what you'll do with their information once they've given their consent. The employees who actually process this data need to understand your privacy policy and what they should and shouldn't be doing.

But data protection compliance is much more than a privacy policy and internal training. There are other things you will need to do: secure the personal data, compile consent forms, only transfer personal data to another country if there are protections in place, and tread carefully with children's personal data and special personal data (like race and religion).

DIY as much as possible

Getting a lawyer or consultant to help you is expensive, and so is data protection software. So try to do as much of what needs to be done yourself. "But I don't know how!" we hear you say. Some authorities (like the ICO in the UK) give small businesses tools to use. At Michalsons, we offer a 'Data protection for small business' programme, which gives small business owners the knowledge and tools to do most of what is needed by themselves.

The bottom line

The reason the law wants you to protect personal data is to protect people from harm. Cybercriminals use people's personal data to steal their money, and use stolen payslips to steal the identity of employees. Direct marketers sometimes make a nuisance of themselves by marketing to people who don't want to be phoned. Some use knowledge of a person's race to discriminate against them.

By protecting people’s personal data, you’re protecting them from harm. None of us wants our actions (or inaction) to hurt others. With these tips, you’ll be able to do the right thing when it comes to protecting personal data.


About John Giles

John Giles is a Managing Attorney at Michalsons. He has years of practical experience applying his knowledge to help organisations grow and avoid legal problems, difficulties or disputes. He always tries to add value for his clients and spends most of his time helping organisations comply with complex global data protection laws, like the GDPR and POPIA. He embraces and uses technology to provide the best possible service to his clients.