5 Simple Ways Small Businesses Should Prepare For GDPR

Over the last week, the main topic of HR conversation has been about how small businesses need to prepare for GDPR. Some discussions have been very proactive, but there are many that believe they do not need to prepare for GDPR as it does not affect them. This is because either because they are too small a business or because the UK is soon leaving Europe so it doesn’t matter.

If you have been living in your own bubble then you will know that large organisations have had huge security breaches – the top 31 Infamous data breaches include the likes of Tesco, Morrisons, and Uber to name a few. As of May 25th this year, the Data Protection Act of 1998, yes its been that long since it has been updated, will be replaced with the General Data Protection Regulations (GDPR).

I understand on top of everything else a small business owner has to do, having to prepare for GDPR will seem like another weight on your shoulders. Hopefully, this blog shall help you become proactive (rather than reactive) and ensure that you know who has access to your data and what they are doing with it.

Prepare For GDPR By Reviewing The ICO Website

Unlike some changes to law where websites can be a bit vague, the ICO website has an abundance of information on the changes, how to prepare for GDPR and lots of checklists and guides to help you along the way. Some organisations will need to register with the ICO – there is a handy tool to find out if you do or don’t need to register, but if in doubt for £35 it is better to register.

Complete An Audit

The ICO website has a great checklist to help you see where you might be at risk within your business with lots of examples of how to deal with things like Subject Access Requests or how to record what data you hold. If you are like me, small business owner who has a database of people who I have met whilst networking, I will shortly be asking all my contacts to opt into receiving my newsletters and blog updates because, if you can’t prove consent, you could be in breach of the new GDPR regulations.

One thing the regulations make clear is that it should be as easy to opt-in as it is to opt out. If you use something like MailChimp to send out newsletters, it already has this feature built-in for people to opt out and keeps an audit trail for you. If you want to succesfully prepare for GDPR, make sure this feature is turned on!

Now I do understand that some might take one look at the ICO website and think “I’m never going to understand all this!” Well, you are lucky that there are now organisations that are specialising in completing audits for businesses. Fusion Forensics is not only holding seminars to help companies prepare for GDPR but also offering audit services. Other organisations also offer similar services but please make sure you do your research to make sure that they are a legitimate company.


If you don’t have policies in place already, you will need to have policies such as IT Policies to confirm that you are allowed to place monitoring software on machines. You need to ask questions like do your staff have mobile phones that have company data on it such as emails? Do you have the policy to show how you protect that data should the phone be lost or stolen? As you will need the answers!

According to the new Consent in Contracts of Employment, in order for you to hold personal data on any new staff after 25th May 2018, you will need to get consent to hold the data, plus lay out exactly what data you hold on that person and state how long you will hold it for.


You need to look at what data you hold on your staff, suppliers, and contacts and ensure you have a policy on what data you hold, why you hold it and what you do with it. Companies will need to look at their own regulations and ensure that retention policies are put in place. Any current data you have locked away in dusty cupboards or in secure data holding centres will need to be reviewed.

Recruitment and Absence are just a couple of policies that will need to be reviewed.  Ensure you are clear about what data you will hold for example in the case of long-term absence, how long will hold doctors records for and how will you ensure data is destroyed in the correct manner.

What happens if you have a data breach? You need to ensure that you have policies in place to deal with these, much like when someone has an accident in the workplace.


Part of the 6 New Principles in the GDPR is awareness training. All staff must be aware of what they are allowed to do with the data that they have access to. In the next few weeks, Upskill People will be launching their new Data Security Essentials E-Learning Course that will help you prepare for GDPR and explain your employee’s responsibilities. In a similar vein to Health and Safety or Fire Training, this will need to be reviewed every 6 months with documented training records for all staff.

In Summary:

2018 is not the Year of the Ostrich so don’t bury your head in the sand.

Instead, make sure that you:

  • Go to the ICO website and complete the online test to see if you need to register.
  • Complete an Audit (either the one on the ICO website or get a Reputable Company to Complete for you)
  • Have a plan – don’t leave it all until the last minute

If you’re feeling overwhelmed with everything you need to do to prepare for GDPR, I can help! Please get in touch with me at [email protected]


Don’t keep it a secret

Did you find this blog useful? Think you have fellow business owners that would too?  Feel free to share or ‘like’ using social media buttons to the left.

Sign up to my blog

Did you enjoy reading this blog?  if so please sign up so you can receive them directly to your inbox each week … keep your FOMO in check.

Share This