GDPR - what it does and doesn't mean for small businesses

From May 25th, 2018 the General Data Protection Regulation (GDPR) will replace the current Data Protection Act (DPA) and seek to unify data regulations within the European Union.

Under GDPR, there will be a requirement for consent to be given for all data collection with comprehensive and transparent privacy notices to ensure people are fully aware of what they are opting in for and business must be able to prove consent was given. This consent is fundamental to GDPR. Any data breeches must be notified to the Supervisory Authority within 3 days. The onus of compliance will be on the individual businesses collecting and storing data and each business must be able to demonstrate they comply with the regulations and it is their responsibility to ensure they do so.

Businesses must :

  • Appoint a Data Protection Officer if they have more than 250 employees;
  • Put in place appropriate staff training and carry out internal audits and reviews;
  • Provide transparent privacy policies;
  • Maintain records of processing activities;
  • Carry out Data Protection Impact Assessments;
  • Have permission to collect and store data from the individual;
  • Only use data in the way they laid out when they collected it and not collect more than is needed;
  • Keep data up to date and store for no longer than is necessary;
  • Protect personal data ensuring it is safe and secure.

Under GDPR, penalties will increase to fines of up to €20million or 4% of the businesses turnover.

For a complete understanding, please visit

It is important to note that GDPR does not mean that a company requires CyberEssentials certification. Most companies with minor changes, should be able to cope with the switch from compliance with the existing Data Protection Act to the new General Data Protection Regulation with little cost, just fine tune their business processes and procedures.

If you would like further an honest, no-nonsense advice on your individual situation and compliance, please don't hesitate to get in touch.