
GDPR: what does changing from the Data Protection Act to the General Data Protection Regulation mean for my SME?


We’ve already talked about how, on 25 May 2018, the General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998. In case you missed it, this is to make data collection rules consistent across the EU.

Regardless of what happens with Brexit, it’s important to note that GDPR still applies if a non-EU company processes the personal data of those living in the EU.

So if, say, you’re an online retailer running a small e-commerce site in the UK, and you hold EU customers’ personal data, you’re still subject to GDPR regulations.

It’s a good idea to know where you stand, particularly as one of the biggest considerations of the new regulations is making sure ‘sensitive data’ is handled correctly. Of course, knowing what is and isn’t ‘sensitive data’ is the first thing to be clear about.

Do I hold potentially sensitive data?

Never before have we shared so much personal data with businesses, never before have businesses placed so much value on this data, and never have more companies collected and stored sensitive data without knowing it. Let’s look at a few examples.

  • A virtual assistant helps a client with a direct mail campaign and holds data including home addresses, employer and work addresses, age groups etc. This is stored in the cloud and then shared with a distribution company that sends the mail. GDPR says explicit consent for both parties to use this information is needed.
  • Past and present personal data in HR records is a potential target for hackers, and it’s your responsibility to make sure it’s absolutely secure. Any third party request to access this information is subject to the employee (or ex-employee) giving consent.
  • Health professionals such as physiotherapists and chiropractors through to homeopaths and reflexologists might ask patients to complete a form about their wellbeing prior to treatment. If this information isn’t stored in line with the new data regulations, it could be in breach of them.

In fact, any company or individual providing marketing, IT, accountancy or other business support may have access to a wealth of client and customer data. GDPR says this now needs to be collected, stored and protected in specific ways in case of a breach.

Breach club

While everyone’s talking about high-profile hacks and attacks (and sadly these are genuine threats), cyber breaches come in all shapes and sizes.

A member of staff accidentally leaving a laptop containing customer data on a train could leave your business vulnerable. Similarly, a disgruntled member of staff could access data that they shouldn’t. Data can also be deleted or lost from something as innocuous as a power outage, causing an IT system to fail.

The point is that most businesses hold some sort of data that could be lost, changed or viewed without authorisation. Businesses ignoring the GDPR do so at their peril.

How can I prepare a data protection strategy?

The GDPR requires that larger businesses or public authorities carrying out large-scale data handling appoint a Data Protection Officer. While smaller businesses don’t have to do the same, it’s good practice to make sure data handling is a specific person’s job. That person then has responsibility for the following:

  1. Carrying out data protection impact assessments to determine what kind of personal information has been, is being or will be collected, the collection method, how it’s used, transferred and stored, why it might be shared and how it’s protected.
  2. Carrying out regular internal audits of data collection and storage processes, making amendments where necessary.
  3. Making sure all staff are up-to-date with data protection training and that new joiners are aware of and understand processes and procedures.
  4. Taking a view on any new technology, software and marketing initiatives to ensure they comply with GDPR.
  5. Forming a crisis group before you need one. Specific people trained to take the lead if the worst happens can help reduce the impact on your business.

Failing to plan and comply with the new regulations could result in much more than a slap on the wrist: tough new penalties of up to 4% of your annual revenue or €20m are being brought in. And that’s before the potential damage to your business’s reputation and indirect loss of income, too.

Can you afford to not be ready?

Useful links:

The Information Commissioner’s Office (ICO):

And the official GDPR site:
