6 Things an SME should know about GDPR

The General Data Protection Regulation comes into force on 25th May 2018. GDPR reflects how much more important personal data has become since the previous Data Protection Act came into force back in 1998.


The Regulation substantially tightens the requirements on enterprises and SMEs that store, share, send or receive the personal data of EU citizens.

Personal data is defined as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."


If you show that your SME is ahead of the game, you may find yourself in a competitive position over your rivals when it comes to tendering for business.

This is where a large number of companies and SMEs are going to struggle: they are obliged not only to comply with GDPR but also to prove their compliance. Businesses are expected to design, develop and implement business processes for products and services that make data protection a significant consideration of the process itself. You will need to adhere to the principles of Privacy by Design and Privacy by Default (Article 25). Such measures may include data encryption (Recital 78).

How is a small business going to go about proving that it is compliant with the Regulation, especially when it holds customer data on several different spreadsheets across several different functional areas of the business?

Why is this important? The maximum fine for failing to comply is €20m. (Granted, it is unlikely that an SME would incur such a fine, but it goes some way to showing the seriousness of the Regulation. And remember that the UK is still part of the EU when this comes into effect.)

Employee well-being

Develop and foster a culture where employees feel protected in self-reporting when they have made honest blunders.

So here are the 6 things:

  • You will need to explain to your clients and customers, via updated privacy notices, why you are collecting data, what you will be doing with it, how long you will keep it, who will have access to it, and where it will be stored. You will also need to implement a two-step confirmation process for your customers to confirm that they have understood the above.
  • Unfortunately, even as an SME, you will need to think about where and what personal data is stored in your company, and how it is shared both internally and externally.
  • You'll need to document how you will deal with a data breach or a ransomware attack. (Yes, even an SME will need this.) Make sure that you have processes in place to detect a breach, assess where it occurred, stop it from continuing, and communicate the breach to all customers affected within 72 hours.
  • Customers have the right to know what personal data you hold and to request an electronic copy of it at any time. You need to have processes in place to locate the data and deliver it securely, in a usable electronic format, within 30 days.
  • You will have to prove to your customers that when they request that you delete their data (within specific parameters), you have done so. You will need processes in place to locate and remove the data.
  • GDPR applies to your external communications as much as it does to your internal processes. Sharing of personal data such as name, address, or age needs to be done securely, with the data encrypted. If you send or receive data from customers or other external contacts via email, you will need to ensure that it is correctly encrypted.

So where can SMEs get additional help and support?

There are extensive resources available to help you make sure that you are compliant by 25th May 2018:

  • Search for the Information Commissioner's Office
  • Search Google for GDPR

Drop me a line for any help on how cloud-based apps can help you reduce the risk of falling foul of GDPR.


Imtiaz Ahmed

Imtiaz is an enthusiastic and innovative professional with over 20 years of experience in the retail, ERP and CRM business areas in the UK, South Asia and the Middle East. PS: when he's away from running UnifiedApps, he's also been known to be a mediocre guitar player.
