Obligatory GDPR Blog…

With the GDPR deadline just a couple of days away, we felt it was almost obligatory to write about it for this month’s blog!

We are – by no means – GDPR experts…but we’ve done our fair share of research and felt we could reduce the burden on other small businesses by imparting what we’ve learnt.

So, here is a summary of some of the more useful/fathomable information that we’ve come across:


What is the GDPR?

To cover the basics…the General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data and it comes into effect on 25 May 2018.


What information does the GDPR apply to?

The GDPR applies to ‘personal data’ – which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).


Are small businesses exempt?

No – the regulation applies to all businesses that process personal data – regardless of size.


What is my role as a business?

The GDPR applies to ‘controllers’ and ‘processors’. You will be one, or both, of these (depending on the nature of your business activities).

A controller determines the purposes and means of processing personal data.

A processor is responsible for processing personal data on behalf of a controller.


What do I need to do?

  1. Ensure that key people in your business are aware – and understand the implications – of GDPR.
  2. Document the personal data that you hold.
  3. Communicate privacy information (in the form of a Privacy Notice).
  4. Update/implement procedures to cover things such as:
  • How you delete personal data
  • How you handle data requests
  • How you detect, report and investigate data breaches
  1. Review and refresh consent to use personal data (for example, if you have a mailing list, you should ask contacts to re-subscribe to the list).
  2. Consider whether you need systems in place to verify a person’s age – and whether parent/guardian consent is required for any data processing.
  3. Designate someone within your business to be a Data Protection Officer (someone to manage data protection compliance) and consider whether you need to register with the Information Commissioners Office (ICO).


The most comprehensive place for further information on GDPR is the ICO website. At the bottom of the page we’ve put together a list of links to – what we found to be – particularly useful sections of the ICO website.

If you have any questions relating to the GDPR, you are welcome to get in touch with us. We won’t necessarily know the answer…but we will do our very best to help!

Till next time…


ICO Links:

GDPR FAQs for small businesses

Key definitions

Preparing for the GDPR – 12 steps

Privacy Notices

Individual rights