On 25 May 2018 the EU’s ambitious General Data Protection Regulation (GDPR) comes into force, with the aim of strengthening data privacy and giving greater protection for all EU citizens.

So what does that mean to you, Small Business Owner?


Sole traders working at home, multinational corporations, limited companies, charities and groups are all obliged to act according to the GDPR; no one (except law enforcement and intelligence agencies) is exempt.

In short, you have to:

  • Build privacy into your systems by design (and switched on by default);
  • Conduct regular privacy impact assessments;
  • Implement stronger consent mechanisms (particularly when processing data pertaining to minors);
  • Follow stricter procedures for reporting data breaches;
  • Document any use of personal data in far more detail than ever before.

Judging from conversations we have had and from glancing at on-line forums, we suspect a huge proportion of UK businesses are not ready to comply.

The onus for informing the UK about the upcoming change has fallen upon the ICO (Information Commissioner’s Office), who will also be responsible for enforcing GDPR in the UK. However, it is well known that the ICO simply doesn’t have the resources to mount an awareness campaign of the size and scope needed. The ICO is already struggling with its existing remit. Yes, there may be a lot of good material on its website, but there is a distinct lack of education for small businesses from the ICO or the government.

A summary of the Information Commissioner’s Office’s 12-point GDPR checklist

  1. Ensure senior/key people are aware of GDPR and appreciate its impact.
  2. Document any personal data you hold, where it came from and who you share it with. Conduct an information audit if needed.
  3. Review your privacy notices and plan for necessary changes before GDPR comes into force.
  4. Check your procedures cover all individuals’ rights under the legislation – for example, how you would delete personal data or provide data electronically in a commonly used format.
  5. Plan how you will handle subject access requests within the new timescales and provide any additional information.
  6. Identify and document your legal basis for the various types of personal data processing you do.
  7. Review how you seek, obtain and record consent. Do you need to make any changes?
  8. Put systems in place to verify individuals’ ages and, if users are children (likely to be defined in the UK as those under 13), gather parental consent for data processing activity.
  9. Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  10. Adopt a “privacy by design” and “data minimisation” approach, as part of which you’ll need to understand how and when to implement Privacy Impact Assessments.
  11. Designate a Data Protection Officer or someone responsible for data protection compliance; assess where this role will sit within your organisation’s structure/governance arrangements.
  12. If you operate internationally, determine which data protection supervisory authority you come under.

For more detail on each of these 12 steps, refer to the ICO’s guidelines.

So, do you have the manpower to cover all these bases?

Many like you simply don’t understand why this regulation is needed, let alone how to implement it.

For smaller businesses and sole traders, the General Data Protection Regulation is seen as yet another compliance burden, one which many hope will disappear when Britain finally exits the EU.

What do you think?