GDPR: What should SMEs do about it?

If you are an SME, you are not exempt from the General Data Protection Regulation (GDPR): the regulation applies to any organisation that processes personal data, regardless of size.

If you are still unclear about what it is, the GDPR is EU legislation that, in the UK, takes the place of the Data Protection Act (DPA) 1998. The GDPR has many similarities to the DPA, but technology has changed significantly since 1998 and the GDPR reflects this to protect everyone’s privacy and personal data in today’s digital world. Brexit does not change this: the UK has kept the GDPR’s requirements in domestic law, supplemented by the Data Protection Act 2018, which replaces the 1998 Act. The GDPR has applied since 25th May 2018.

If you are already complying with the Data Protection Act, then most of your approach will remain valid under the GDPR. However, there are a number of significant differences from the DPA, so prompt action is advised. The key differences are:

  • Fines for non-compliance are significantly higher: up to €20 million or 4% of annual worldwide turnover, whichever is greater.

  • Under the GDPR, the definition of personal data is broader. It covers any information relating to an identified or identifiable individual, including online identifiers such as IP addresses and cookie IDs. If an individual is ‘identifiable’ from data you hold, the GDPR applies.

  • The rules for obtaining valid consent for using personal information are much tighter. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; pre-ticked boxes and silence do not count.

  • The GDPR introduces mandatory Data Protection Impact Assessments (DPIAs) for processing likely to result in a high risk to individuals, and a common data breach notification requirement: notifiable breaches must be reported to the supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of them.

  • Data subjects have enhanced rights over their data, including the rights of access, rectification, erasure, restriction of processing, data portability and objection.

  • Liability expands beyond data controllers: data processors now have direct legal obligations of their own, so every organisation that touches personal data is accountable.

So what should SMEs do about it?

There are two steps that SMEs should take without delay.

1. Understanding and awareness

Gain an understanding of the GDPR so that you can determine whether you are a Data Controller, a Data Processor or both. This is your starting point for assessing what you need to do next. There are some great resources to help, such as the pages aimed at small businesses on the Information Commissioner's Office (ICO) website at:

Once you have understood this, build awareness across your business: you will need input from other departments to establish what level of risk your business is facing.

2. Information audit

Conduct an information audit to establish what personal data you hold, where it came from, how it is collected and used, whom it is shared with, how long it is retained, and what the lawful basis for processing it is. Keep the output: the GDPR requires organisations to maintain records of their processing activities (the exemption for organisations with fewer than 250 employees does not apply where processing is more than occasional, is likely to risk individuals’ rights, or involves special categories of data), and the audit is the natural source for those records.

These first two steps are taken from the ICO's guidance document 'Preparing for the GDPR: 12 steps to take now' at:

If you need help with your GDPR awareness training or support with your information audit, drop an email to, call us on +44 20 3290 9969 or book a FREE call at