≡ Menu

How to make your small business GDPR compliant

The General Data Protection Regulation (GDPR) is the new regulation introduced by the European Union which will be effective as of May 2018. The idea behind the new regulation is to give the public control of their data, as well as encouraging businesses to be more proactive in protecting and handling data in a more secure way. Although, the date of the regulation going into effect is fast approaching; businesses are not prepared.

small business GDPR compliant

In a survey carried out by the Institute of Directors, it was found that two in five company directors in the UK are still unsure about whether GDPR will affect them and their business. GDPR will affect any business that deals with data, which is majority of businesses.

Anthony Sherick, director of job site Technojobs, explains the importance of compliance with the regulation: “GDPR compliance is essential for businesses of all sizes as the repercussions could be significant. Additionally, it provides the best practice framework for businesses that handle data”.

If you are as unsure about GDPR then start educating yourself on the regulation, as you need to start implementing any changes that will help you avoid being implicated for incompliance. Here is how to be compliant with the regulation to avoid any detrimental fines:


Make sure your employees are aware of GDPR; educating yourself and your team on all things related to the new regulation will benefit your business as a whole. Encourage your team to take time to get to grips with the regulation and understand it as best as they can, and if there is an individual in your organisation that deals with data then they will need to gain extensive knowledge on it. You may also want to offer your staff training, you could do this by outsourcing a professional to come into the business or by sending them on a training course (these can be online courses too).

You will need to make sure that everyone in your business is aware of the importance of being compliant with GDPR. Highlight the risks that come with not following through on it and encourage all staff to be proactive with carrying out tasks in line with GDPR.

Implementing the regulation may mean that you need resources that you and your team have perhaps not considered. You will therefore need to look at your budget and see how you can fund GDPR training for your staff, or you may also need to hire staff to deal specifically with GDPR.

Data audit

You need to carry out a data audit as soon as possible, as the date of GDPR going into effect is looming. Evaluate and assess your current data practices. You will already have certain data privacy policies in place, however now you will need to see how you can change and upgrade them to comply with GDPR.

Also, you will need to look at the following in detail to see what changes need to be made:

  • What data do you have – does the GDPR affect it?
  • Where did the data come from – did the data have a ‘opt-in’ option for consent?
  • Who has the data been shared with?
  • How has the data been used or how will it be used?

By answering these questions, you can start organising the data. Also be aware that if your business has different departments, then the data audit may have to be carried out across several different departments.

You will need to have a record of all your data, and all your data processing activities, in order to comply with the regulation. Therefore GDPR coming into effect will force you to ensure that your data is organised and easily accessible. This is also where GDPR’s accountability principle is prevalent, as you will be held accountable for the data that you have.

Data breach policies

There is a new policy for reporting data breaches in accordance to GDPR. Ideally you should report the loss or breach of data within 24 hours, however you have up to 72 hours to do so. To be prepared for this part of the regulation, you need to set procedures and put a plan of action in place to deal with such matters. A plan of action will highlight how to notice a breach or loss of data, and how to report it. It is vital to ensure that there are trained individuals in the organisation that are prepared to deal with emergencies around data as failing to comply with data breach policies can mean damaging fines for the business.

Your plan of action should also include notifying all the relevant parties involved in the loss or breach of data, such as the individuals that the data has come from. You will need make the individuals aware, if the data loss or breach can have a high risk to their rights and freedom. You should also notify them if the data loss or breach can lead to discrimination, damage to reputation, financial loss or loss of confidentiality.

Be aware that the failure to report data breaches will result in hefty fines, as well as any possible fines you might receive for the initial breach.

Data protection officer

It is a requirement for businesses with over 250 employees to have a data protection officer, to comply with the new regulation. Businesses who are of a bigger scale have to ensure that they hire an individual who will have significant knowledge and training in dealing with GDPR.

Anthony Sherick, commented on the need for individuals skilled in GDPR: “The demand for GDPR skills in the market has unsurprisingly increased over the last year, and will continue to do so.” Businesses need to start seeking out GDPR skilled professionals, in order to fulfil the principle of the regulation.

For smaller businesses that have fewer employees than 250, they still need to be prepared. Although, there is not a requirement for small businesses to have a data protection officer, they should still consider hiring one. Alternatively, if this is not within the budget for smaller businesses, then they should assign a certain member of the team to be fully trained in GDPR. This will allow the individual to make sure that business is fully compliant with GDPR, and they can implement changes and enforce the principles of the regulation.

GDPR a journey

You will need to change around or update your system of storing data so it is in line with the GDPR guidelines. Therefore, enforcing new procedures for storing data is essential. Although, GDPR is seen as a negative, in terms of difficulty for businesses to meet the guidelines, it is actually quite beneficial. GDPR gives businesses precise and clear guidelines on how to store, receive and share data, so it can be seen as an organisational tool which will give individuals control of their data, as well as enabling businesses to track their data appropriately.

Although compliancy with GDPR may be challenging, it will be better for all businesses in the long run. It will be a huge change, however it will mean that the data you have is protected, organised and easily accessible to you whenever you need it. It will also allow businesses to have more control on where the data goes and where it has come from.

This guide should give you a good idea of how you can start being complaint with GDPR, as the date of the regulation being effect is fast approaching. Avoid having to face the hefty fines, and start preparing and getting ready for GDPR.

More on GDPR here.

Top Articles

Do I need an accountant for my limited company?
Find out what a limited company accountant could do for you.

Mortgages for limited company directors and contractors Are you self-employed and looking at getting a mortgage?

How much limited company tax do I have to pay? Find out the latest tax information for limited company owners.

Company Bug Newsletter

Keep up to date with small business news and guides by signing up to the Company Bug newsletter.