Perhaps you’ve always wanted to start your own company. You struggled for years but didn’t give up, and now you’ve finally transformed your dream into reality. You have a fully operational and profitable business. As time passed and you built a good reputation, your customers started to trust you more, and you achieved a certain level of success.

Like most companies, you probably collect and store information on your customers. This can mean their names, email addresses and past purchases but, depending on your line of work, it can also extend to more sensitive data such as medical information, national insurance number or passport information.

From a legal standpoint, this information becomes your responsibility, and you must make sure it doesn’t fall into the wrong hands. In today’s digital world, that’s easier said than done. For a small business, cybersecurity can be a significant financial investment and one that doesn’t pay off as fast as, let’s say, buying new equipment. However, now that awareness around data protection is increasing, a solid cybersecurity framework can be a great selling point.

If you have a small business, you might get a false sense of security, thinking that you’re less likely to be an attractive target for cyberattacks. You see news of companies like and British Airways facing millions of pounds in fines for failing to protect customer information against data breaches, and you think that this is something only corporations need to worry about.

That isn’t the case at all. Because corporations usually have stronger cybersecurity protocols and trained staff, they’re more difficult breach. But small businesses are considered soft targets since they pose less of a challenge and often hold information that cybercriminal can use to break into larger companies. About half of cyberattacks are directed towards small businesses.

Furthermore, legislation concerning data protection such as the Data Protection Act 2018 and the GDPR or General Data Protection Regulation makes it abundantly clear that any size organisation that collects data from their customers will be held accountable for what happens to that data. Small companies are not exempt from this legal responsibility, and unfortunately, most do not allocate the necessary resources to handle this responsibility appropriately. This is why data breach law is rapidly gaining traction in the UK.

Data Protection in the Age of Digital Transformation – Not a Simple Task

The GDPR was drafted by the European Parliament, the Council of the European Union and the European Commission to replace Directive 95/46/EC, a key piece of EU legislation that sets personal data protection standards. Legislative changes had become necessary due to technological advances.

The revised regulations are more in line with today’s digital era and enable people to protect their personal information and privacy online.

By now, the GDPR’s reach extends beyond the EU’s border since many markets require international companies to comply with its guidelines.

Personal information is seen as any information that can be used to identify someone, whether directly or indirectly: names, email addresses, photos, bank details, IP addresses, cookies, social media posts and so on. Many people are unaware of just how much of their information is collected for marketing purposes.
UK Legal Landscape

Since this information can be used against them, the GDPR demands greater transparency and accountability on the part of organisations collecting and storing it and aims to give people back their power over their own personal information. The European Union Charter regards privacy and data protection as fundamental rights.


The United Kingdom also has the Data Protection Act 2018 to complement the EU’s GDPR. It’s a revision of the Data Protection Act 1998, which was written before the GDPR existed. The Data Protection Act 2018 brings forth some important additions. The regulations are written in conjunction with the GDPR and clarify exemptions that were lacking in the 1988 act. It also includes the right to be forgotten, which means the right to request your personal information be deleted, a right that has become one of the most heavily discussed rulings in the history of the EU justice Court.

The data security rules described in the act have to be followed by any organisation that collects and stores personal information. They must also give a clear explanation of what they plan to do with the information they’re requesting, and the information has to be stored only for as long as it is necessary to fulfil the declared purpose.

Once the data is in their possession, they must take appropriate security measures to prevent unauthorised access. More weight is given to sensitive data such as genetics, ethnic background, medical information, sexual orientation, political affiliation and religious beliefs. Additional safeguards are in place to secure information about a person’s criminal history.

The act gives people the right to know what information their government or any other organisation collects and stores about them. They are entitled to gain access to this information, find out how it’s being used, object to how it’s being used, restrict or stop its use or, as previously mentioned, request that it be erased. They can also update it if it contains errors or reuse it for other services (data portability).

In order for organisations to collect, process and store personal information, they must receive consent in a legal and valid manner. This means that consent must be given voluntarily, and it needs to be informed and unambiguous. Consent is rendered invalid if there is any undue pressure or influence. For example, a company is not allowed to automatically opt a customer to receive communications from them.

For consent to be unambiguous, it needs to be given through a clear statement or affirmative act. Since cookies can be used to identify a device, they also require consent.

In the case of a data breach, organisations must report it to the relevant regulatory body. If the breach poses a significant risk to people’s rights and freedoms, they need to be notified as soon as possible. They also have the right to request compensation for damages which can include the cost of correcting information or replacing credit cards.

Organisations that collect and store personal data must protect it by setting up and maintain robust procedures for breach detection, investigation and internal reporting.