Guide to the General Data Protection Regulation for small organisations


Data protection

If you hold and process personal information about your clients, employees or suppliers, you are legally obliged to protect that information. Under the Data Protection Act, you must:

  • only collect information that you need for a specific purpose

  • keep it secure

  • ensure it is relevant and up to date

  • only hold as much as you need, and only for as long as you need it; and

  • allow the subject of the information to see it on request

Are you compliant with the GDPR?

There are several simple steps that all small businesses need to consider to make sure they are compliant by 25 March 2018.

1. Know what data you hold, where it is coming from and where it is going

It is important that you understand and record what ‘personal data’ you hold as a business, how it was captured, how it is held, how you use it, and where it is going.

The EU defines ‘personal data’ as ‘…any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address’.

The GDPR definition of ‘personal data’ is much broader and includes IP addresses, device IDs, location data and genetic and biometric data.

2. Are you relying on consent?

GDPR will make it a lot harder for you to get consent to process a data subject’s data (e.g. for marketing purposes). The definition of consent has been tightened so that it must be ‘unambiguous’ when given. Consent will also have to be gained retrospectively for existing customers.

Additionally, requests for consent will also have to be presented in a manner that is completely separate, so they can no longer be hidden within other policies or small print on your website.

If you are relying on consent to process ‘personal data’, you will have to be able to prove how you obtained it. Your customers/prospects will have to express their consent in a more unambiguous way, i.e. by ticking a box (no more silence or pre-ticked boxes).


3. Right of data access

Individuals will have a number of rights when it comes to how you look after their ‘personal data’. Make sure you have appropriate processes and templates in place so that data subject rights can be met within the new timescale of one month.

Individuals will have the right to:

  • access all data held on the individual

  • rectify inaccurate data

  • object to the processing (in certain circumstances, e.g. marketing) of data

  • export the data in a format that can be used in another IT environment

  • completely erase all data on an individual (in certain circumstances).

4. Data breach

Make sure that you and your employees understand what constitutes a data breach. The GDPR defines a ‘personal data breach’ as ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. This means that a ‘personal data breach’ is more than just being hacked or losing personal data. It also applies to data held in any form – not just electronic. We may live in the digital age, but paper-based data that is structured according to specific criteria should be treated with the same level of care.

Put in place a process for flagging and escalating breaches internally – this is vital to meet the strict timescales for response laid out by the GDPR.

5. Review terms and conditions and supplier contracts

Conduct due diligence on any suppliers that process ‘personal data’ on your behalf or jointly with you, to make sure that there are protections in place to cater for GDPR.

You have an obligation to update your contracts with your suppliers to include a number of mandatory clauses if they are processing ‘personal data’ on your behalf. These mandatory clauses can be found in Article 28(3) of the GDPR.


6. A Data Protection Officer (DPO)

If your core activities involve ‘large-scale’ monitoring or processing of sensitive data (which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and data concerning health or sex life), a DPO, independent of management and of the team undertaking the processing, has to be appointed.

More information and support for small organisations can be found here:

