D-Day For GDPR

There’s just under two weeks to go until D Day for the implementation of the General Data Protection Regulation (GDPR) we’ve seen an influx of Privacy Notice communications to our inboxes and permissions mailings landing on our desks from some big names across the Finance, Retail, Charity and Automotive sectors amongst others, but what does the business landscape look like in terms of SME’s and where they are in the race for compliance?

In March 2018 the FT reported that ‘fewer than one in ten small businesses in Britain are fully prepared for new EU wide rules on personal data’ and ‘just under one in five are unaware of the existence of the forthcoming GDPR, while a further third are only vaguely aware of its requirements.’

So, if yours is one of the two thirds of UK small businesses that have not yet begun to prepare is it too late to start?

The quick answer is no, it’s not too late and your business isn’t necessarily breaking any regulations, you just don’t know where you are because you’ve not addressed it.  It’s a bit like skydiving. Scary but you’re already up in the air so jump, and when you do, it won’t be a bad as you expect.

The End Goal For GDPR 

The end goal is to make data protection the heart of your business and as a result strengthen your relationships with your customers by becoming transparent and trusted, so where can you start at this late stage?


  • DRIVE Tell your staff about GDPR, what you expect them to do and the benefits it will bring to your customer loyalty.
  • AUDIT your data. If you don’t know what you have, where it’s held and where it is sent, you won’t know if there has been a breach!
  • REVIEW and update your privacy information and make any changes necessary.
  • CHECK your procedures and make sure they cover INDIVIDUALS RIGHTS.
  • PLAN how you will handle system access requests.
  • IDENTIFY your legal basis for processing the data you hold.
  • REFRESH existing consents and review how you currently seek, record and manage consent.
  • DETERMINE if you need to put systems in place to verify individuals ages and if necessary how you obtain parental consent for processing activity.
  • ENSURE you have a robust data breach procedure in place.
  • FAMILIARISE yourself with the ICO’s codes of practice on Privacy Impact Assessments.
  • DECIDE if your business needs a Data Protection Officer.
  • ESTABLISH your lead data protection supervisory authority if your business operates in more than one EU member state.

Data Protection – At The Heart Of The Business

Building data protection in to the heart of your business isn’t achieved with a single implementation. It’s an ongoing process that grafts its self on to the culture of your business and should becomes second nature. Launching new processes, training staff and reviewing what works for you and your customers as your business grows is an evolution. Readying yourself for GDPR is just the starting point. We strongly recommend visiting the DMA’s website for last minute checklists and tips.