
GDPR For Small Businesses - Part 1: Data Protection Basics


The General Data Protection Regulation (GDPR) is the data privacy law that regulates the way organizations across the European Economic Area (EEA) process the personal data of individuals, generally referred to as ‘data subjects.’ Its aim is to change the way EU citizens’ personal data is collected, processed and stored, transferring the power over personal data from companies to data subjects.

Small and medium-sized enterprises (SMEs) that process the personal data of their staff, customers, and/or business partners often find it difficult to understand what compliance with the GDPR means. Because of this, the European Data Protection Board has published the Data Protection Guide for Small Businesses to help SMEs navigate the data privacy law and understand their obligations regarding the protection of personal data. We will discuss the Guide in this and subsequent posts.

The Guide is organized into four main sections:

  1. Data Protection Basics
  2. Data Subject Rights
  3. How to be Compliant with the GDPR
  4. How to Keep Personal Data Secure

In this post we will look at the first point, Data Protection Basics.

The first step to understanding the GDPR is understanding what personal data is and what it includes. According to the law, personal data means any information relating to an identified or identifiable individual. There are types of personal data that can be used to identify a data subject either directly or indirectly. For example, if your organization processes information such as an individual’s booking reference or their individual customer number, this may allow the indirect identification of the individual. 

In addition to the above, there are some types of personal data, called sensitive data or special categories of personal data, which have a different protection regime. Article 9 of the GDPR lists types of sensitive personal data that reveal details about “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, [...] genetic data, biometric data, health, or a natural person’s sex life or sexual orientation.” Unless specific circumstances apply, such as explicit consent, the processing of sensitive data is prohibited.

The same applies to personal data concerning criminal convictions and offenses which, according to Article 10 of the GDPR, can be processed “only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.”


GDPR good practices checklist


  • Ask yourself if the purpose for which personal data may be collected is justified.
  • Only collect personal data that is necessary for the specific purpose(s) envisaged.
  • Inform individuals about how and for what purposes their personal data may be processed.
  • Check if you have an appropriate legal basis for the processing of personal data. In case you intend to rely on the consent of individuals, ask for their consent before processing their personal data.
  • Make sure that individuals’ personal data is handled in a secure way.
  • Keep individuals’ personal data accurate and up to date.
  • Delete individuals’ personal data when no longer necessary. Please bear in mind that national legislation may oblige you to keep certain data (e.g. for tax reasons).

GDPR applies to you if one of the following conditions applies


  • You are a company based in an EEA country (a country in the European Economic Area);
  • You are an organization, based in a non-EEA country, selling goods or offering services, even for free, targeting individuals in an EEA country;
  • You are an IT company based in a non-EEA country that has been subcontracted by a private organization based in the EEA to manage their IT databases, such as a client’s database;
  • You are a service provider based in the EEA and processing personal data on behalf of another company.

The key principles of the GDPR


  • Lawfulness, fairness and transparency 
  • Purpose limitation 
  • Data minimization 
  • Accuracy 
  • Storage limitation
  • Accountability 

You can read our overview of the GDPR in our website’s Resources section, where it is listed among the other privacy regulations Clym currently supports. For your convenience, here is a direct link to our EU GDPR Overview.