A Quick Guide to GDPR for Small Business

If you’ve been burying your head in the sand or are simply unfamiliar with GDPR, now is the time to familiarise yourself. With possible fines of up to €20m or 4% of annual turnover, whichever is greater, the ramifications of not being GDPR compliant are serious.

However, a recent survey* revealed that only 45 percent of SMEs are aware of GDPR, despite the fact that every business handling personal data will be affected, regardless of size.

What is GDPR?

GDPR, the General Data Protection Regulation, applies to all EU member states, including the UK (regardless of Brexit). The aim of GDPR is to update data protection legislation for the digital age we live in. It will bring uniformity to compliance across the EU and give individuals greater control over what organisations do with their data. This is particularly important in a world where an increasing number of companies have been trading access to personal data gathered online.

Who does GDPR apply to?

There is a general misconception that companies with fewer than 250 employees are exempt from the regulations. Although GDPR applies automatically to all organisations with over 250 employees, it also applies to smaller businesses where personal information is processed on a regular basis.

GDPR applies to all Controllers and Processors of data within an organisation. Controllers are those who decide how and why personal data is to be processed, and Processors are those that do the actual processing. If your business processes or stores personal information, whether for customers or employees, you will be affected. More information can be found on the ICO website.

How will GDPR affect my business?

Under GDPR, personal data has to be processed lawfully, transparently and for a specific purpose. The new regulations are likely to impact how your business handles personal information.

The FSB highlights the following areas of GDPR for SMEs:

Right to be forgotten

Under GDPR, individuals have “the right to see, have amended or delete all personal data held. This includes backups and archives, and the whole process from request to completion has to be audited/proved, and completed within 30 days.”

Data breaches

Data has to be protected against ‘insider threats’ from employees, which is where the vast majority of data breaches occur. This includes policies to protect against both accidental and malicious breaches. Steps are also required to prevent attacks such as phishing or contamination through ‘bring your own device’.

Legal contracts

Contracts with partners or other third parties who process or control any personal data should be updated, even if the Data Processor and Data Controller are jointly liable for GDPR compliance.

Data Protection Officer

Organisations with over 250 employees (and some with fewer) may find designating a DPO helpful.

The role of the DPO is to:

  • Inform and advise the organisation and employees about their obligations under GDPR
  • Monitor data compliance
  • Manage internal data protection activities
  • Train staff
  • Conduct internal audits
  • Be the point of contact for supervisory authorities and individuals whose data is being processed

What do I need to do next?

The Information Commissioner’s Office (ICO) have a number of resources to help small businesses prepare for GDPR, including self-assessment toolkits and a dedicated helpline. This is a good place to start. Full details can be found on their website.

Our 8 steps to GDPR compliance

  1. Get to grips with the regulation
  2. Audit where you are now
  3. Create a data log – on what information you hold and what needs to be protected
  4. Evaluate where and how you collect data and document processes
  5. Assess your risks & make revisions
  6. Plan for gaining consent
  7. Continually evaluate
  8. Create a GDPR handbook – to include your processes and how to deal with breaches