How does the General Data Protection Regulation affect small businesses?

I was lucky to be able to attend a seminar this week held by Muckle LLP on behalf of the BCS on the subject of the GDPR (General Data Protection Regulation).

The GDPR replaces the Data Protection Act 1998 and contains some long-needed updates to take account of changes in technology and the way we use the web.  It came into force in May 2016 but won’t be fully enforced until 25 May 2018.

Which data is protected by the GDPR?

The data protected by the GDPR is much the same as that covered by the Data Protection Act – personally identifiable information, or PII, which basically means any data that can be used to identify an individual.  This includes the obvious things like names and addresses, but now also covers such things as tagged photos in Facebook.

What else has changed?

Most of the changes in the GDPR are around policy, processes and responsibilities.  The Act itself is 200 pages long, so here are some of the most important highlights that may affect you:

There is no requirement to register with the Information Commissioners Office as there was with the Data Protection Act.

What this means: every single organisation is now covered by the act, with no exemptions at all, so every organisation, no matter how large or small, must be aware of their responsibilities.


The time allowed for providing all of the data for a subject access request has been reduced from 40 days to 30 days.

What this means: 30 days sounds like a long time, but it really isn’t, so you need to make sure that your procedures for fulfilling subject access requests are clearly documented.


You must be able to justify why you store every piece of personal data.

What this means: Once you no longer have a legal use for a piece of data, you must delete it. You can no longer hold on to it ‘just in case’.


Consent to use personal data must be freely collected.

What this means: You can’t assume consent, so, for example, if you have tick boxes on your website asking for permission to use personal data for marketing, that box must be unticked so that the site visitor has to choose to tick it.


If you store data relating to children (under 16s), you must seek parental or guardian approval to use it.


Data breaches must be reported within 72 hours of you becoming aware of them.


Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR, and


Transfers may only be made where the Commission has decided that the receiving country ensures an adequate level of protection.

What this means: if you are transferring data outside the EU (or the EU/US privacy shield) you need to check with the ICO that the receiving country has adequate protection in place.

Who will this affect: it could be anyone because if you use cloud storage you may not know where the cloud servers are located. So if, for example, you use a web-based CRM system to store your clients details, and they use servers which are located outside the EU or the US, you are unwittingly transferring data outside the EU/US.


You must appoint a Data Protection Officer within your organisation. The DPO cannot be within the IT department, and the DPO must be at a senior level – either a member of the Board of Directors or reporting directly to the Board.


The maximum fine for a data breach has risen from £500,000 to 20 million Euros.


Once the GDPR is fully enforced in 2018, all public tender contracts will require that you have cyber security certification.  There a few suppliers who will provide certification, but a good starting point is the government-backed Cyber Essentials scheme.

Please note that I am not a solicitor and have had no legal training, so you should seek legal advice to check whether or not the GDPR will have an impact on your business.