What small businesses need to know about GDPR

The impact of GDPR on small businesses is definitely this year's hot topic, as there still seems to be confusion over what action is required and what impact it will have. The general principle behind the regulation, giving people back ownership of and responsibility for their data, makes sense; I think we would all welcome the thought of stopping those unwanted PPI or insurance calls.

So what is the new regulation? GDPR comes into force on 25 May this year and applies to all businesses regardless of size. The consequences of non-compliance are huge: fines of up to 4% of global turnover or €20m, lawsuits and, of course, very negative brand reputation. Regardless of the UK's position in Europe, UK businesses that wish to work with European businesses still need to ensure they comply with the new regulation. Small businesses also need to ensure that their suppliers are compliant, so that day-to-day business does not become the source of a breach.

So where do you start? We wanted to share our six steps to help get you ready for GDPR:

1. Review what data you have

The starting point is to work out what data you hold and to understand whether the regulation affects you. In most cases some compliance work will be required. The departments GDPR will affect most are HR, Marketing and, of course, Accounts where they are linked to third-party suppliers. You need to review your business and understand:

  • What data do you have? For example, this could be employee HR records, or client data on how they interact with your business.
  • Where is your data stored? Is it in the cloud or on the hard drive of your laptop, and what backup provision do you have in place?
  • Who has access to your data? Depending upon the size and nature of your business this will vary, but ensuring your work is password protected and any unwanted data is deleted will be key.
  • How is your data processed? What happens to it once you obtain it, and what insight or learning can you take from this?
  • How is your data encrypted or protected? Is your work password protected or encrypted? Is it backed up in the cloud?

2. Confirm consent from your clients

A big part of GDPR is ensuring that your clients have opted in to any marketing communications and that you hold their consent. This has always been good marketing practice, but re-confirming their opt-in will be key. You may have noticed many small businesses sending their clients a message confirming opt-in, bringing the matter to the forefront of their minds and securing the right to continue communicating with them. Although at the time of writing there still seems to be some confusion over opt-in versus opt-out, as long as you are offering your clients a chance to unsubscribe, this is all that is required. It is always good to maintain your marketing channels and delete any unwanted files or data, so now is the perfect time for a spring clean.

3. Right to unsubscribe

This is a key one. You must allow your clients to unsubscribe from your communications should they wish to. Tools such as MailChimp offer this automatically as part of their service. It is scary, however, that there are still some big brands out there that do not; Kuoni was a recent example of this for me. They signed me up to their newsletter without asking, and I then had no way of unsubscribing, very surprising practice for such a well-established brand.

4. Notification of a breach

This is more likely to affect larger organisations. This part of the regulation requires that any data breach be reported to the appropriate regulator within 72 hours; failure to do so may lead to a huge fine. Team members need to be trained to understand what action to take in this eventuality, and it will vary by business.

5. Ensure you have the correct governance in place

This is key to ensuring that you are able to answer the set of questions outlined in our first point, and that your organisation is compliant with the new regulation.

6. Appoint a data protection officer

Whilst this will work differently depending upon the size of your organisation, someone needs to be appointed to ensure the business is meeting any required changes to the management of its data.

GDPR is a really hot topic. If you are unsure what you need to do to get ready for the regulation, consulting specialists such as Guardian Technologies is a good place to start. Please also see the official website for the latest update.

If you need help in reviewing your marketing channels please contact us to arrange your FREE 60-minute consultation.

Sophie Comas

A highly successful, self-motivated and results-driven senior marketing professional. My passion lies in developing and delivering marketing solutions which make a difference in today's complex digital marketplace. A marketeer with a strong academic background and broad-ranging experience working with small businesses and in the travel and hospitality sector across the Thames Valley, I love a challenge!


  1. Jody Frost on January 30, 2018 at 9:34 pm

    Great article makes it all clear

    • Sophie Comas on February 7, 2018 at 9:08 pm

      Glad that you found the article useful.
