GDPR Checklist for Small Businesses


Is getting ready to comply with the GDPR at the top of your to-do list? With the implementation date just around the corner, it is time to consider how your business will be impacted and what you need to do to be ready. We’ve compiled a checklist that small businesses can use to plan their course of action.

Understand Personal Data Within your Business

Before anything else, you must understand the types of personal data your business handles (e.g. name, email, address, bank details) and which of it counts as special category data (e.g. health information, religious beliefs). You should also know where the data comes from, where it is stored, who it is shared with and how it is used.

Develop a Consent Policy

Do you rely on consent to process personal data? Consent is only one of the lawful bases under the GDPR, and it is the hardest to get right: it must be freely given, specific, informed and unambiguous (a clear affirmative action, so pre-ticked boxes do not count), which can make some activities such as marketing more difficult. Work out where you genuinely need consent and where another basis, such as performance of a contract or legitimate interests, applies.

Make your Security Policies GDPR-compliant

Spend some time reviewing and updating your security measures and policies; if you don't have any, get some in place. The GDPR expects security appropriate to the risk, and encryption is named as one such measure. It will not by itself avoid fines, but if breached data is encrypted and the key is not compromised, the business is generally not obliged to notify the affected individuals, and the measures you had in place count in your favour when a penalty is being considered.

Prepare for Access Requests

Under the GDPR, individuals (data subjects, not only citizens) have the right to access their personal data, rectify inaccurate data, object to their data being processed and, in some circumstances, have it erased completely. Requests must normally be answered within one month, so you need a process for finding every copy of an individual's data, including copies held by your suppliers.

Create Fair Processing Notices

Under the GDPR, you will be required to use fair processing notices (also called privacy notices) to tell individuals clearly what you are doing with their personal data. You should include why you are holding the data and the lawful basis for doing so, who you may send the data to (e.g. employees, customers, suppliers) and how long you'll be holding it for.

Train Your Employees

Everybody in the business should understand what constitutes a personal data breach and how to spot the warning signs. All employees should be made aware that any mistake or suspected breach must be reported immediately to the person responsible for data protection (e.g. the DPO), because the business itself has only 72 hours from becoming aware of a breach to notify the supervisory authority (the ICO in the UK) where notification is required.

Conduct Due-Diligence on your Supply Chain

To avoid being caught up in a supplier's data breach (and the penalties that follow), make sure that all suppliers and contractors that handle personal data on your behalf are GDPR-compliant. You will also need written contracts with them containing the terms the GDPR requires for processors, such as acting only on your instructions, keeping the data secure and assisting you with breaches and access requests.

Do you Need to Employ a Data Protection Officer (DPO)?

You must appoint a DPO only if you are a public authority, or if your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data, so most small businesses will not need a full-time DPO. It is still recommended to appoint someone responsible for data protection within the business, or to use a virtual or outsourced option.

Even if you do not hire a full-time DPO, getting all processes and documents in place to be GDPR-compliant can be a lot to take in for small business owners. We can help you assess areas of risks and get prepared to comply with the GDPR. Don’t hesitate to get in touch if this is something you’d like to discuss!

3 things with regards to Document Management and GDPR

Document Management (DM) is about creating, storing and controlling documents, which has become increasingly important in light of the upcoming General Data Protection Regulation (GDPR). To comply with the GDPR, you need to look at how documents and data are currently managed within your company. Here are three key areas of Document Management that reflect best practice in line with GDPR compliance.

Encryption

In the case of a ransomware attack, how easily could the malware reach your company's data, including staff records or customer bank details? With a Document Management system, files are encrypted on entry and documents are held as images rather than as loose files on a share, so your data and documents are in a much less vulnerable position if an attacker gets in. Two caveats are worth keeping in mind: ransomware running under a user's account can still encrypt anything that account is allowed to write, so the access restrictions in the next section and tested offline backups matter just as much; and encryption only helps if the keys are not stored alongside the data. Encryption of data is an important aspect of being compliant with the GDPR and reflects best practice.

Role Based Access Control

One of the key requirements of the GDPR is that personal data is locked down, not only protected from the outside world but also within the company itself. Do you really need your Marketing Manager to have access to a customer's direct debit details, or a temp to be able to email or print documents? Staff should only have access to the information they need to do their job. With DM, rules can be put in place so that access starts at nothing and is granted per role, per document type and even per field.
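
As an added example (not code from the page or from any DM product it mentions), here is a deny-by-default, role-based policy over a small document store in Python. The roles, the document type, the field names and the grants are assumed for illustration; the point is that a role with no grant gets nothing, actions such as print and email are permitted separately from viewing, and a field like the direct debit details can be redacted from a role that is otherwise allowed to read the record.

```python
"""Deny-by-default, role-based access control over a small document store.

Added example: not code from the page or from any DM product it mentions.
The roles, document type, field names and grants are assumed for illustration.
"""
from dataclasses import dataclass

# Actions a user may attempt on a document.
VIEW, PRINT, EMAIL = "view", "print", "email"


@dataclass(frozen=True)
class Grant:
    """One explicit permission: a role may perform these actions on a document type.
    hidden_fields are redacted from the document even when viewing is allowed."""
    role: str
    doc_type: str
    actions: frozenset
    hidden_fields: frozenset = frozenset()


@dataclass
class Document:
    doc_id: str
    doc_type: str
    fields: dict


class DocumentStore:
    def __init__(self):
        self._grants = []  # starts empty: no role has any rights until granted
        self._docs = {}

    def grant(self, role, doc_type, actions, hidden_fields=()):
        self._grants.append(Grant(role, doc_type, frozenset(actions), frozenset(hidden_fields)))

    def add(self, doc):
        self._docs[doc.doc_id] = doc

    def _grants_for(self, role, doc_type):
        return [g for g in self._grants if g.role == role and g.doc_type == doc_type]

    def can(self, role, action, doc_id):
        """True only if some grant for this role and document type lists the action;
        an unknown role or action yields False (deny by default)."""
        doc = self._docs[doc_id]
        return any(action in g.actions for g in self._grants_for(role, doc.doc_type))

    def view(self, role, doc_id):
        """Return the fields this role may see, or raise PermissionError.
        A field hidden by any applicable grant is redacted (the conservative choice
        when a role holds several grants)."""
        if not self.can(role, VIEW, doc_id):
            raise PermissionError(f"{role} may not view {doc_id}")
        doc = self._docs[doc_id]
        hidden = set()
        for g in self._grants_for(role, doc.doc_type):
            hidden |= g.hidden_fields
        return {k: ("[REDACTED]" if k in hidden else v) for k, v in doc.fields.items()}


def build_demo_store():
    """Constructed sample data and policy matching the scenario in the text."""
    store = DocumentStore()
    store.add(Document("cust-001", "customer_record", {
        "name": "A. Customer",                 # constructed sample values
        "email": "a.customer@example.com",
        "direct_debit": "12-34-56 / 12345678",
    }))
    # Finance may view, print and email; the marketing manager may view but never
    # sees the direct debit details; a temp may view but may not print or email.
    store.grant("finance", "customer_record", {VIEW, PRINT, EMAIL})
    store.grant("marketing_manager", "customer_record", {VIEW}, hidden_fields={"direct_debit"})
    store.grant("temp", "customer_record", {VIEW})
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.view("marketing_manager", "cust-001"))   # direct_debit is redacted
    print(s.can("temp", EMAIL, "cust-001"))          # False
    try:
        s.view("intern", "cust-001")                 # no grant at all: PermissionError
    except PermissionError as e:
        print(e)
```

The store never consults a "default allow" rule: a role that appears in no grant, such as the intern above, is refused even the view action, which is the opposite of the open-until-closed behaviour of a shared folder.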

Retention Control

It is a business's responsibility not only to ensure that paperwork is stored safely and securely, but also to make sure it is kept for the appropriate period, in line with current legislation, and no longer. For example, financial records must be kept for a statutory minimum (six years from the end of the financial year is the usual figure for UK company records), but CVs should be destroyed as soon as a position has been filled, since there is no need to store someone's personal information at that point. Effective DM can help maintain best practice across the business by storing personal data correctly and flagging any documents that have reached the end of their retention period.
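
As an added example (not code from the page or from any DM product it mentions), the retention logic above as a small Python policy engine. The two rules are assumptions for illustration, not legal advice: financial records are kept six years from the end of the financial year they relate to, and a CV is due for deletion as soon as the vacancy it was submitted for is filled. The example also surfaces documents with no rule at all, because those are the ones that tend to be kept forever by accident.

```python
"""Retention control: compute when each document is due for deletion, flag those
past their date, and flag those that have no rule at all.

Added example: not code from the page or from any DM product it mentions. The two
retention rules are illustrative assumptions, not legal advice.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Doc:
    doc_id: str
    category: str
    # Event that starts the retention clock: the end of the financial year for
    # accounts, or the date the vacancy was filled for a CV. None = not yet happened.
    trigger: Optional[date] = None


# Category -> years to keep after the trigger date (assumed policy): financial
# records six years from the end of the financial year; CVs deleted as soon as
# the position is filled.
POLICY = {"financial": 6, "cv": 0}


def add_years(d, years):
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def deletion_due(doc, policy=POLICY):
    """Date the document becomes due for deletion, or None if the clock has not
    started (no trigger yet) or the category has no rule."""
    if doc.category not in policy or doc.trigger is None:
        return None
    return add_years(doc.trigger, policy[doc.category])


def due_for_deletion(docs, today, policy=POLICY):
    """IDs of documents whose retention period ended on or before today."""
    out = []
    for d in docs:
        due = deletion_due(d, policy)
        if due is not None and due <= today:
            out.append(d.doc_id)
    return sorted(out)


def unclassified(docs, policy=POLICY):
    """IDs of documents with no retention rule; these need a human decision."""
    return sorted(d.doc_id for d in docs if d.category not in policy)


def sample_docs():
    """Constructed sample register."""
    return [
        Doc("accounts-2010-11", "financial", date(2011, 3, 31)),  # due 2017-03-31
        Doc("accounts-2016-17", "financial", date(2017, 3, 31)),  # due 2023-03-31
        Doc("cv-0042", "cv", date(2018, 1, 15)),                  # vacancy filled
        Doc("cv-0043", "cv", None),                               # vacancy still open
        Doc("memo-0007", "memo"),                                 # no rule
    ]


if __name__ == "__main__":
    docs = sample_docs()
    today = date(2018, 5, 1)
    print("delete:", due_for_deletion(docs, today))   # ['accounts-2010-11', 'cv-0042']
    print("review:", unclassified(docs))              # ['memo-0007']
```

Keying the clock to a recorded trigger event rather than to the upload date is what lets the same code handle both a fixed statutory period and an "as soon as the vacancy is filled" rule; a CV whose vacancy is still open never becomes due.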

Darren Cairney, IT Manager of Document Data Group, commented, "When you compare a Windows file structure and associated permissions with a document management system (DM), you can see how a DM is the next step in securing your business-critical data. Windows is by default open until closed, with most users unaware that their newly created 'Shared Docs' folder could allow all users read/write access. DM can be set up to allow no user any rights until granted; you can restrict what is searchable and even what can be seen on the document itself."

According to David Reilly, Data Protection Officer at Create Ts and Cs, “Personal Data and how it is managed has become an even more important business issue because of GDPR.  Treating personal data with respect and in-line with legislation is a decision a company takes in order to manage the business risk.  Deploying the right systems and the correct expertise will go a long way to helping your organisation manage personal data and comply with GDPR”.

Managing Business Risks with Contractor Contracts


The latest statistics from the Office for National Statistics reveal that self-employed people have increased to 15% of the workforce in the UK. Certain sectors such as construction, IT and technology are particularly affected by this trend, as working with contractors, freelancers and subcontractors is commonplace.

Benefits of Hiring Contractors or Subcontractors

Hiring a contractor or subcontractor to do a job can be very cost-effective as the company does not have to provide sick pay, holiday pay, maternity/paternity pay, pensions or other benefits.

Contractors and subcontractors also have a wealth of experience and knowledge that are often specific to a certain market or sector, so it’s often an ideal solution for expanding businesses to strengthen their position.

What are the Risks of Hiring Contractors or Subcontractors?

While engaging contractors rather than employees has certain financial advantages, companies must be aware that they also have to balance the risks that hiring freelancers can incur. One issue is that freelancers could be deemed employees by HMRC; not being able to prove otherwise could lead to hefty fines and penalties.

Other main risks for businesses include:

  • Client ownership: Who owns the client: the contractor or subcontractor?
  • Notice periods: Having no notice period in the contract or agreement could help when determining your IR35 status, as employees usually get notice periods but not contractors.
  • Payment terms: Contractor contracts must clearly indicate any terms for payment that must be observed.
  • Responsibilities and liabilities: Contracts should outline what the contractor can and cannot be liable for.
  • Intellectual property ownership: For some sectors, it is key to consider ownership of intellectual property in contractor agreements in order to avoid further issues.


How Can I Manage the Risks of Hiring Contractors or Subcontractors?

By adopting a diligent approach to contractor management and making sure your contractor contracts are thoroughly reviewed, companies can easily manage the risks of hiring a freelancer/contractor, meaning that both parties can benefit from the agreement.

From an HMRC perspective, it's important to make sure the contractor cannot be mistaken for an employee, by stating the contractor status clearly and having the correct documentation in place to keep HMRC off your back. To do so, it's essential to address the IR35 issue within the contract itself.

Do you have all the correct documentation and contract terms in place? Take the first step towards better protection for your business by getting in touch today.

Jurisdiction – a snapshot

When piecing together a contract, an often neglected but incredibly important area (quite literally) is jurisdiction. It seems wild to want to travel the world to fall out, or to challenge the contract in court, yet that is what a carelessly chosen clause can commit you to.

Let's strip this back: what is jurisdiction? Quite simply, it's the clause that fixes which country's courts will hear a claim brought under the contract (it is usually paired with a governing-law clause saying whose law applies). So, for example, a contract that chooses the Scottish courts will not be heard in England, and vice versa.

So how do you choose jurisdiction? Well, if something were to go wrong, where would you want to sort out any dispute, and what law would you want to apply?

If the majority of your business takes place within your own country, it's a no brainer! So why do so many people skim this clause and end up having to go to court elsewhere? It very quickly becomes expensive if you have to source a lawyer in a different country, never mind the travel costs that come with a different jurisdiction. However, in some cases the jurisdiction is imposed on the business as part of the negotiation, so the issue is not always clear cut.

If a court does not have jurisdiction to hear your case, you will be sent packing, and in the unlikely event that a court starts to hear a case outside its jurisdiction, it would have to be stopped and transferred to the correct court, which may mean delays and more expense all round.

An English judge will not pass judgement on a contract that has chosen the Scottish courts, and vice versa. This becomes even more complicated once you move outwith the UK, particularly with more complex cases that need to be taken somewhere with a more experienced court.

Choosing your jurisdiction strategically may benefit you should a claim arise. Take, for example, a contract bound under Scots law with an American client. Should a claim be made under the contract, the US party would need to source a Scottish lawyer and incur substantial costs travelling to and staying in another country, which might be too much effort for a claim, depending on its severity.

In a nutshell, where possible the law should be practical, so choose your jurisdiction to minimise cost, travel and keep your energy for what matters to you.

Small businesses, donations and working with charities.

In our experience, a lot of small business owners are very aware of social responsibilities and many have started businesses based upon a principle or an ethos.

It would seem that small businesses are the perfect target for a charity or ethical organisation that requires donations. It appears logical, that a principled small business owner would be very keen to have a transparent and open link with a charity, especially a charity that reflects their values and is compatible with their approach to business. As a small business making smaller more frequent donations works for us as opposed to large one off donations.

So with that in mind, here are two suggestions, or challenges, that if overcome would help us integrate a charity into our business.

The first issue is highlighting the destination of the donation and the positive impact it may have. There is a certain cynicism about how much of a donation goes to the cause itself; perhaps the charity could tackle that by providing a statement or certificate with every donation, outlining where the money is going and what percentage will reach the grassroots and make a difference.

The second issue is access to a branded, dedicated link (continuously live) to make it easy for our clients and us to make a donation. For example, some of our services, like updating a contract, may require only minor tweaks, and we may avoid charging our clients for the work; however, attaching a value to the work is useful and may be an opportunity to integrate a charitable donation option into our service. It means we complete minor work for a fixed value which results in a donation instead of a direct payment or no fee at all.

The charities we’ve spoken with are not structured to provide a simple payment mechanism for us to use. You would think with all the technology out there that making a charitable donation that’s transparent, open and ethically acceptable would be a simple task.

Hope you find our thoughts on this subject of interest.

No Warranty No Clarity

This blog is part 2 of a series of 5 about small businesses using contracts to avoid contractual disputes. Court is an expensive pursuit, and building self-remedy clauses into your contract that are enforceable and offer solutions to problems that may arise is practically useful to small businesses. A considered contract can help you save money, time and effort.

Warranty in simple terms means performance. So outlining how the product or service will perform seems obvious but in many cases, the details provided are scant at best. In many cases, the contract generally fails to outline the key aspects of performance and in turn creates ambiguity. It’s this grey area that can lead to further issues, as during times of dispute, areas of uncertainty become points of discussion or argument.

This gets even more troublesome when there's a returns policy or a maintenance/service agreement to support the product after installation or delivery. Stating what the contract covers with regard to the product's basic functionality is one thing, but when something breaks or fails to work, what then? Remember that these products or services are made and delivered by humans, so things happen; the important thing is to set out what happens next.

Going to the trouble of employing the right contract drafter, who asks the right questions and creates a contract designed to help both parties work together long-term, is worthwhile. Contracts are avoided by those who see no need for outlining the negatives, but knowing what happens in the event of a problem is arguably good customer service and is considerate of both your own and your customers' time and energy.

The next blog will focus on intellectual property...

Think ahead – plan to avoid contract problems

Small businesses should try and resolve their own contractual disputes where possible. It’s very expensive to use the courts as a way of resolving disputes. It costs too much time and money.

This means building remedy into the contract. This is certainly one way of resolving disputes as they arise.

The onus is on the contract drafter to project ahead and scenario plan, or capture moments of concern as you work with clients. You can’t avoid every dispute, but you can minimise the number and the impact on your business.

The result will be the inclusion of clauses that are created to protect the business, manage the client’s expectations and in many cases demonstrate to potential clients a way to engage that allows you to deliver services effectively and in line with what’s been agreed.

Over the following weeks, I'll be publishing a variety of examples, starting with the issue of warranty...


A change in the law leads to new liability for Design and Planners.

Changes to the Construction (Design and Management) Regulations 2015 mean that companies (including sole traders) that offer design and planning services to both consumers (householders) and businesses could be liable for health and safety breaches on site, even though the builder is the one doing the work.

Not unlike the smoking ban, the liability falls on those with the most to lose: the smoking-ban law targets the smoker through the publican, who is liable for having a person smoking on the premises, and this pushes the owner to act. Laws drive behaviour; whether you agree or disagree with them, they still need to be adhered to, and in the case of the designer and planner they need to be navigated so that the risk is managed and the business protected.

When laws are structured like this, I can't help but feel more than a little sympathy for, in this instance, the designer and planner, who must now introduce a standard into the chain of events that leads to a building being built.

We can see why the changes are in place: the goal is to raise standards, so that the finished property will be eligible for warranty and be re-saleable, a marketable property as opposed to one built to poor standards, which could lead to a disastrous set of circumstances.

This sector is already full of regulation, but this new health and safety legislation will introduce more complexity and challenges for all involved.

So, in a situation where there are multiple contractors, there will be pressure on design and planning companies to establish the process before a shovel is in the ground.

Create Ts and Cs draft contracts that are relevant to both your business and your industry or sector.  Call us for a quote today 0141 5856384.

If I can understand then I am more likely to adhere

Whilst ignorance is not a defence, ignorance can cause confusion, which often leads to problems or disputes. Understandably, when you are running a small business, avoiding these situations is beneficial.

Ignorance of the law, as we know, is no defence and can often lead to problems and costly legal battles. In short, ignorance is bad for business, which is why a well-drafted contract written in an accessible style can be a small business's best friend. That awareness is a key skill to acquire when building a business.

A contract written in a style that is readable and understandable is good for your clients as well as the business. Legalese can often confuse clients or customers, and this confusion can lead to a breakdown in communication, non-payment and disputes. Especially for small businesses, this can lead to serious problems.

Small businesses need to have clarity and transparency, which can be shown through a well-drafted contract that protects both the business and the customer. By taking the time to have this drafted you are helping to sustain your business, by giving your clients trust in you. An understandable contract will go a long way for a client and often encourage them to use you again. They know the terms of the agreement they are entering into and know what is expected of both parties. If they can understand the contract then it encourages them to adhere.

Whilst ignorance from clients will, for the most part, be genuine, some may use it to their advantage. An ambiguous contract gives clients the excuse to act in a negative way, as they cannot understand it. They can use this misunderstanding to avoid their contractual responsibilities.

Understandably, small businesses can often believe that they don’t need a contract, or they are too busy to have one done. A contract won’t always stop disputes happening, but a well-drafted set of terms and conditions will help to prevent them. It allows the business owner to manage risks better if the clients understand the contract.

Making the legalities of a business accessible to clients is good business practice. Businesses should not be interested in clouding disputes with an ambiguous contract, as it wastes precious time and money.

General confusion caused by a misunderstanding can have devastating effects on a small business, and it's important to try to avoid these situations. Giving your clients a contract that can be read and understood will help to reduce problems and encourage loyalty. Just think: would you buy something if you weren't quite sure what you were getting?

Paying by Direct Debit

Paying through direct debit is something we are pleased to offer to clients. In the legal sector it can be quite unusual; it is common for work to be completed and the full bill settled within a 14 to 30 day period. But we understand that this doesn't always work out, especially for SMEs.

We know our clients and understand what works best for them. We know that every business is different, which is why we like to offer flexibility. Sometimes paying a bill in full is the better option for a client, and of course we are happy to accept this, but 70% of our clients pay their bills on time through our direct debit option.

We know offering direct debit offers benefits to both our clients and ourselves, so we have put together a list of the benefits of paying by direct debit.


  1. Helps small businesses to stay in control of their finances

Direct debit offers flexibility to our clients. Paying by direct debit means that an agreed amount will be taken at an agreed time, so both parties know what is expected. It makes an otherwise larger bill affordable for a small business, and allows them to stay in control of their spending. Understandably, we want to get paid for the work we do, and direct debit allows us to work with clients who may not otherwise have been able to afford it.

  2. Helps to make the law accessible

Many businesses can't protect themselves, because they simply can't afford to pay for it. By offering direct debit we are allowing SMEs access to the law, which will help to protect their business, help them get paid and grow.

  3. Improves cash flow

Rather than one large amount, direct debit gives you the option to pay in smaller, more manageable amounts which are agreed prior to work commencing. This improves cash flow and helps the business manage it.

  4. Secure payment method that promotes a paperless environment

Create Ts and Cs is a paperless business, and we can support this because we offer direct debit. Direct debit is a secure and safe way of paying for the work.

  5. Increased client loyalty

Because we offer the option for clients to pay their bill in instalments through direct debit, it encourages loyalty. Many of our clients continue to work with us because we offer this payment method.