GDPR – what you need to know before May 25th

The EU’s General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018 and, in the UK, replaces the Data Protection Act 1998. It gives people more control over how organisations use their personal data and lets regulators fine organisations that fail to comply (up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements). The UK Government is writing GDPR into UK law prior to Brexit, so if you are a UK company, Brexit will not affect your obligation to comply. But what do small business owners need to know?

Many of the concepts and principles are much the same as those in the current Data Protection Act, so if you are complying properly with the current law, most of your approach will remain valid and can be a starting point to build from. However, there are new requirements that you will need to meet.

GDPR applies to both data controllers (those who decide why and how personal data is processed) and data processors (those who process it on a controller’s behalf). It requires organisations to review how they manage personal data. In particular, you must have a lawful basis for obtaining and keeping an individual’s data on record. Consent is one such basis, but it is not the only one (performance of a contract, a legal obligation and legitimate interests are others), and where you rely on consent it must be freely given, specific, informed and as easy to withdraw as it was to give. GDPR also gives people the right to access the personal data companies hold about them, and the right to ask for that data to be corrected or erased.

It’s worth remembering that being GDPR compliant is also a fantastic opportunity for you to re-engage with your most important stakeholders – your customers.

Here’s what you need to know about the upcoming new legislation:

1. Personal data is any information relating to an identifiable individual: names, contact details, medical information, bank account details and more, whether it belongs to your customers, employees, suppliers or any other individual you collect data from. GDPR’s data minimisation principle means you should only collect and keep what you actually need for a stated purpose, and delete it once that purpose has ended.

2. How you collect personal data. You must make clear, at the point of collection, what the personal data will be used for and only use it for that purpose (purpose limitation). Your customers have the right to ask you to delete the personal data you hold about them, which you must honour unless you still need it for the purpose it was collected for or are required by law to retain it.

3. Identify someone in your business to own GDPR compliance, and provide data protection training for staff. A formal Data Protection Officer is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, but every business should have a named person responsible. Everyone in your organisation should understand the new rules and how they apply to their role.

4. Review how you use and store personal data. Ensure that your customer contracts are GDPR compliant, that contracts with any suppliers who process personal data on your behalf contain the terms GDPR requires, and that you are clear and ethical about the personal data you hold on file. This includes the personal data of your own staff, not just that of customers.

5. Be clear. Ensure that the documents you ask customers to sign when taking on your services are clearly worded. You may need to rewrite them so that your customers understand how (and why) you are processing their data. This is best practice anyway, so it is a good opportunity to review them.

6. Check your data systems are secure. Ensure the systems you use to collect, process and store personal data have technical and organisational measures in place that are proportionate to the risk, such as access controls, encryption and tested backups. GDPR restricts transfers of personal data outside the EU, so check where your suppliers and cloud services actually store it. It also requires you to report a personal data breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and to inform the affected individuals where the risk to them is high.