
Data Protection for Business Owners: The Bare Minimum You Need to Know

Over the weekend, I sat down for a cuppa with a close friend and somewhere between the first sip and the last, she leaned in and asked, “What’s the bare minimum I need to do to stay compliant—just in case trouble finds me?”

I chuckled. I’ve lost count of how many times business owners have asked me the same thing. “Another regulator? Again? Just tell me the least I need to do,” they say.

I get it. Running a business is already tough, with tax authorities, employment laws, and industry regulations. Now, data protection is another layer of responsibility. But here’s the thing: compliance isn’t a one-time task—it’s a journey.

Understanding the Basics: Data Privacy vs. Data Protection

Before diving into laws and frameworks, let’s clear up two fundamental concepts that many people mix up:

Data Protection is what businesses do—it’s the strategic and procedural measures put in place to safeguard personal information from unauthorized access, loss, or misuse. And yes, it also keeps the regulator off your back.

Data Privacy is what individuals have—it’s the right of data subjects (your customers, employees, etc.) to control their personal information and how it’s used. Think of it this way: There are two main players in this space—the data subject (the individual whose data is being collected) and the data handler (the business processing that data). The data handler’s responsibility is to protect personal information, while the data subject’s role (along with the regulator) is to ensure their privacy is respected and their data is used only for its intended purpose.

The First Steps to Compliance: Where Do You Start?

At this point in the conversation, most business owners look at me with a mix of curiosity and fear. “So, where do I even begin?”

I always tell them: Think of compliance like building a house—you start with the foundation.

Step 1: Understand the Core Principles

Every Data Protection Act is built on fundamental principles that dictate how businesses should:

✔️ Collect – Be transparent about what data you collect and why.
✔️ Process – Use the data only for its intended purpose.
✔️ Safeguard – Implement security measures to prevent leaks or breaches.
✔️ Retain – Store data only as long as necessary.
✔️ Respond – Provide individuals with access and control over their information.

If you follow these principles, you’re already on the right path.

Step 2: Legal Basis for Data Collection – Not Everything Requires Consent

One of the biggest myths in data protection? That consent is needed for everything.

Let’s say you run a dental clinic. A client books an appointment and provides their phone number. Do you need their consent to store it? No—you’re processing it based on contractual necessity (fulfilling the appointment).

Every data protection law provides multiple legal bases for data collection, including:

Contractual necessity – When data is required to fulfill a service.
Legal obligation – When the law requires you to keep records (e.g., tax filings).
Legitimate interest – When your business has a valid reason, as long as it doesn’t override customer rights.
Consent – When none of the above apply, and explicit permission is needed.

Understanding this prevents unnecessary paperwork while keeping you compliant.

Step 3: Data Subject Rights – Giving Control Back to the Customer

Every data protection law grants individuals rights over their data. As a business, you need to:

✔️ Provide clear avenues for customers to request access, updates, or deletions.
✔️ Have mechanisms to handle these requests efficiently.
✔️ Be aware of legal deadlines—most laws require responses within 30 days.

A business owner once panicked when a customer requested data deletion. “If I delete their records, how will I track past transactions? But if I don’t, am I breaking the law?”

The answer? It depends on the type of data and legal requirements. Some records (like invoices) must be retained for legal reasons, while others (like marketing lists) can be erased. Having a structured approach ensures you don’t get caught off guard.

Policies: The Privacy Policy vs. The Privacy Notice

A question I get all the time:
“What’s the difference between a privacy policy and a privacy notice? Can I just have one?”

No, and here’s why.

A privacy policy is inward-facing. It’s a set of internal rules your employees follow when handling personal data.

A privacy notice is outward-facing. It’s what you present to customers, explaining how their personal data is collected, processed, stored, and shared.

Here’s an easy analogy:
When you walk into a restaurant, you either ask for a menu or it’s handed to you. But you don’t need the recipes to decide what to order, right?

📌 Your privacy policy is the recipe—your internal data handling rules.
📌 Your privacy notice is the menu—what you show customers.

Beyond the Basics: What Else Should You Know?

There’s a lot more to data protection than just policies and principles. Depending on your business, you may also need to consider:

🔹 Registration with the Data Protection Authority – Some businesses are legally required to register.
🔹 Third-Party Agreements – If you share data with vendors, contracts should specify data protection responsibilities.
🔹 Cross-Border Transfers – If you transfer data internationally, additional safeguards may apply.
🔹 Data Security Measures – Cybersecurity isn’t optional—invest in strong security practices.
🔹 Handling Breaches – Have a plan in place in case data is compromised.

Final Thoughts: Compliance is More Than Just Avoiding Fines

Many businesses view compliance as a box-ticking exercise—something they do to avoid trouble. But data protection is more than that.

It’s about building trust.

It’s about showing your customers that you respect their information and that your business operates with integrity.

And in a world where privacy concerns are growing, trust isn’t just a nice-to-have—it’s a competitive advantage.

So, where do you start? Right here. Step by step. Compliance isn’t about perfection; it’s about progress.

What’s Next?

I know there’s so much more to cover—data breaches, employee training, vendor agreements… the list goes on. What data protection topic would you like me to dive into next? Drop a comment below or you can email me at egachaga@lawyeringafrica.com. Let’s make compliance easier, one step at a time.
