GDPR for small & micro businesses

Did you know that GDPR becomes law on May 25th and that you need to act?

GDPR is nearly upon us – are you ready?

As with all new and complex pieces of legislation, it is easy to get lost in all of the information (and mis-information), and for small businesses it can all seem a bit daunting. But help is at hand.

Here is a quick checklist of things you need to know and pointers on what you need to do.

What is GDPR?

It is a new set of rules governing the privacy and security of personal data, laid down by the European Commission. The law aims to give citizens more control over their data and to create uniform rules that are enforced across the continent, and it replaces the outdated Data Protection Directive from 1995.

At its core is ensuring that businesses have the correct procedures in place regarding any personal data that they hold.

Does it apply to me?

If you run a business (of any size) and you hold personal data on customers, prospects or employees, the answer is a big YES.

The requirements are less stringent for businesses with fewer than 250 employees, but there are a number of procedures that must be in place by the 25th May.

So what do I need to do?

In simple terms, you need to know what data you hold (digital or on paper), how you got it, why you have it and whether you are allowed to use it.

You also need to ensure that it is securely stored, and if anyone asks you what personal data you hold on them, you must be able to respond within 24 hours and delete it if requested.

What happens if I don’t comply?

Technically you could be fined up to 4% of annual global turnover or €20m, whichever is the greater. Whilst it is highly unlikely that a small business would be fined, it could run into difficulties if an individual became unhappy with your data procedures and took you to court. You would be on very shaky ground if you did not have GDPR procedures in place, regardless of the details of the individual's complaint.

So what do I need to do first?

Before any business, regardless of size, can become GDPR compliant, it needs to know what data it has and where it is. Without this knowledge all other GDPR procedures will be flawed.

Therefore all businesses need a data map which comprehensively and explicitly documents the following:

  1. What data you have
  2. Why you have it
  3. Where it is
  4. How it is stored (digital or other)
  5. Whether it is secure
  6. Whether you have explicit permission to use it (under the new GDPR definitions)

And secondly?

When you have this document you will then be able to determine whether you need to:

  1. Move and/or collate data from its current location to a more central location. Ideally all data should be in one place.
  2. Contact existing contacts to renew permission to hold the data on them.

Note: There are more extensive rules if you hold data on children of 16 or under.

Finally, moving forward, you will need to have clear policies in place on how you will collect any new personal data, and you must ensure that all employees fully understand the policy.

I’m not sure where to start!

That’s where we come in. We have vast experience of creating and defining data maps for businesses, no matter how small, as well as finding data that businesses didn’t even realise they had! Therefore we are perfectly placed to produce the data map document that you will require for GDPR.

But before we start, we offer a free consultation to answer any questions and to assess the amount of personal data that your business holds.

So get in touch today on 07966 505490 or email