The Small to Medium businesses no-nonsense guide to GDPR

GDPR has moved from an almost obscure topic to one of the key business change issues facing every business.

GDPR: Separating Fact from Fiction for SMEs

What is Personal Data?

Personal data is any information that relates to a living person who can be identified from it, either directly or when it is combined with other data. It could be a photograph of a person, an email address, a Facebook profile, bank details or medical information; all of these count as personal data.

What does consent look like?

Firstly, there is no more hiding consent in long, ambiguous terms and conditions. If you rely on consent to collect data that could identify a person, that consent must be freely given, specific, informed and unambiguous, and your business must be able to show it was given. The GDPR also states that it must be as easy to withdraw consent as it is to give it.

For ordinary data such as a marketing mailing list, this could be as simple as an unsubscribe link in every email. Where the data is sensitive, medical information for example, you must tell the person whose data it is how you will use and store it, obtain their explicit opt-in consent before you process it, and give them an easy way to withdraw that consent later.


I understand what GDPR is, but what does my Business have to do to be Compliant?

In simple terms, GDPR compliance means being able to show that your business processes people's personal data lawfully. Your business will need evidence that every set of personal data you store, manage or otherwise use is processed under one of the following lawful bases:


Consent: the person has given clear consent for you to process their personal data for a specific purpose.

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

Vital interests: the processing is necessary to protect someone’s life.

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)


Making your SME GDPR Compliant

25th May 2018 is fast approaching so here’s what you need to do:


  1. Get started – it isn't as scary as it is presented.
  2. Don't make one person responsible for managing GDPR for your business. Even if you are an SME with little resource, this is a big legal change, so create a team and set aside time to make sure you are confident in your data processes and responsibilities as an SME.
  3. Understand how personal data is collected, used, managed, stored and disposed of within your business. Categorise the data you hold by the lawful basis on which you process it, as detailed above:
  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests
  4. Once the data is organised by lawful basis, organise it again by the category of person it relates to:
  • Staff
  • Customers
  • Prospects

Use these categories to define the value of personal data to your business.

  5. Document what you do and any decisions you make, particularly how you will lawfully process personal data now and in the future.
  6. Consider your supply chain and ask what each supplier is doing to protect the personal data you pass to them or receive from them. For example, staff data shared for:
  • Payroll
  • Pensions
  • Insurance
  7. Have your process checked by a legal representative to ensure it is as thorough as possible and that you are compliant.


We know how confusing it can all be but try not to worry, you’ve got this!


Further support can be found;


Written in collaboration with Augmentum.
