Some uncertainty remains with businesses that deal with the EU on the provision relating to data after the end of the transition period on 31 December. The UK government stance is that GDPR is and will remain engrained in UK law during the transition period and into 2021.

The EU is conducting a data adequacy assessment of the UK and, if the EU grants positive adequacy decisions by 1 January 2021, it would mean that personal data can flow freely as it does now, without any action by organisations. With little time left, the EU has yet to decide as to whether they accept that the UK’s data protection regime is still adequate.

At this stage, nothing much is changing, but it is essential – especially for small businesses – that they ensure their data protection procedures, and data transferring, are up to date and compliant. For small businesses that have moved from a physical location to an ecommerce solution, they may not realise that some procedures when sharing customer data are not even compliant with UK data laws.

James Tilbury, managing director at IT support company ILUX, comments: “We have been following all updates from the UK government for our clients and have been waiting to see how the EU will respond with their opinions on our current data standards. This will decide whether this will affect how we share data from 1 January 2021 and whether additional requirements will be put in place. But this is only for those who share data with EU countries. In the UK, things will not be changing and GDPR law remains ingrained in our data procedures.”

As well as sharing customer data, businesses need to make sure that their cyber security is up to date. Cyber threats are not exclusive to larger companies and a data breach can be costly for a small business. “Earlier this year, our research with homeworkers highlighted that 1 in 10 home workers did not feel they were GDPR compliant working from home,” adds Tilbury. “A quarter also said that they felt their systems were inadequate to do their job. Having the adequate cyber defence software and hardware is essential, but more importantly it needs to be regularly updated to ensure it protects against the most recent threats.

“Employee training on best practice and familiarisation on the signs of an attack are also essential activities that should be undertaken on a regular basis. If a small business is unsure, it is always advisable to speak to a professional to understand the requirements of the business, and make sure this is communicated to all staff handling company equipment and information.”