A five-step guide to GDPR for SMEs

GDPR is unavoidable, yet it is a daunting term for SMEs who are keen to adhere to the regulation but are struggling with the uncertainty and technicalities that often accompany the discussion. The complexity of the regulation is leading to widespread boardroom concern among SMEs.

Despite the confusion surrounding it, GDPR is intended to benefit everyone. It grants us all stronger protections and rights in respect of our personal data. The impact of the GDPR will be, on the whole, very positive for all of us as individual citizens.

Below are five simple suggestions that SMEs can follow to demonstrate compliance with the GDPR.

Step One – Audit

This is the process of carrying out a comprehensive mapping of the personal data used in your business. It is the key to your whole GDPR compliance programme and the first thing to do. It includes the important consideration of what personal data you hold and how it is held. For example, do you hold personal data as a data controller or as a data processor? You should determine whether you have a justifiable and legitimate reason for possessing the personal data that you hold.

Once this has been deliberated, you need to ask yourself how the data you hold in your systems is protected. You should have proportionate and robust security measures in place to protect personal data from unauthorised use.

Step Two – Analysis

The data mapping audit will be a significant exercise, which is likely to take considerable time to carry out if done properly. The results of your data mapping audit will highlight areas of weakness and non-compliance in your current data protection regime.

Your internal GDPR compliance team should then be tasked with developing a project plan for addressing each of the risks identified by the data mapping audit, starting with the high-risk issues. It is advisable that your GDPR compliance team is made up of individuals from across your business so each individual can consider what personal data their respective departments process and the practical challenges faced by those departments in complying with GDPR.

Step Three – Cleanse

One of the key actions which should be carried out as part of the GDPR compliance programme is to cleanse the personal data you hold on your systems. Do you still need the personal data you are holding? For example, if the personal data relates to employees who have left your business, can their personal data be deleted from your systems? Also consider what personal data you are asking your customers to provide; is all of this information relevant and needed? If not, it is best for you to delete it.

Step Four – Protect

Protection is quite possibly the most important stage in this guide. One of the fundamental principles behind the GDPR is that personal data needs to be kept secure, particularly in the digital age in which we operate, where attacks on data are happening continuously. The GDPR requires any entity which processes personal data to have in place robust and adequate security systems for protecting personal data, which are proportionate to the cost of such security and the nature of the data being processed. It is important that you can demonstrate that you have reviewed your security systems and processes and made a reasonable assessment of whether those systems and processes are adequate. This is a continuous obligation, so it will need to be reviewed regularly.

If you are exempt from appointing a data protection officer, you should still have a person or persons in your business who takes ownership of GDPR compliance. This person will need to receive appropriate training.

My best advice at this stage would be to train your staff on the importance and impact of GDPR and their obligation to keep personal data confidential. Ensure any such training is aligned to reflect your updated practices and procedures in respect of data security. I also suggest you check your employees’ contracts to ensure they contain appropriate confidentiality obligations.

Step Five – Continuous compliance

To be ultimately successful with compliance, the principles of GDPR should become embedded in your business and represent the normal ways of operating. They should result in a cultural change, for the better, in how your business manages personal data. You should be reviewing your data security procedures and the previous four steps regularly. Maintain comprehensive evidence of your GDPR compliance, so you can easily and effectively respond to any data security questionnaires, GDPR compliance questionnaires and/or audits and any data security breaches.

Following implementation of the GDPR and, thereafter, Brexit, the ICO will be issuing further guidance and taking enforcement steps against serious GDPR offenders. All such matters should be monitored and refinements made to your GDPR programme as and when clarifications on certain GDPR matters become available. One to watch, in particular, will be the forthcoming changes to the privacy and electronic communications regulations. These will be updated in the next year and will again present a challenge for all businesses who wish to market electronically.

What we need when approaching GDPR is a willingness to embrace regulatory change and confront it, with flexibility, through collaboration – there is no room for spectators.


By Rebecca Kelly, IT and data specialist, gunnercooke

GDPR Sprint is a dedicated conference to help SMEs with GDPR compliance. To find out more about the conference, visit the website.

European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPOs, security professionals and senior business decision makers looking for information, updates, clarity, advice and solutions. For more information, visit the website.
