As an SME ourselves, we wanted to get to the GDPR point.

What do we need to do differently on 25 May that we don’t do now?

We couldn’t find a simple summary, so we set about condensing the Information Commissioner’s Office published content on the subject.

Here it is. It comes with the caveat that until the GDPR comes into force, there are no examples of what will happen in practice, so it is our best attempt at unravelling the mysteries of GDPR.

In summary:

The best way we’ve found to think about this is to look at the principle from a personal perspective. How would you like your own personal data to be treated?

The idea of the GDPR is to protect the individual’s privacy and give them control over how their personal information is collected, used and stored.

As a business:

  • You can only collect personal data if you have a legal reason to do so
  • You have to explain to the individual what your business is going to do with the data you collect and only use it for that purpose
  • The individual has the right to ask you what information you hold
    • It must be accurate
    • You must be able to delete it if they ask you to (unless you must keep if for legal reasons)
    • They can ask you for it in digital format
  • The data must be securely stored. If the data is stored outside the EU then the recipient must have the relevant Privacy Shield in place
  • If you have certain types of data security breach you must tell the relevant supervising authority


1. Check which of your products or services collect and process personal data.

2. Ensure you have a legal basis for processing personal data – there are 6 lawful bases for this.

3. Ensure you can comply with the obligations to your customers set out in GDPR:

  • Privacy notice
  • Access
  • Rectification
  • Erasure
  • Restrict processing
  • Data portability
  • Object
  • Automated individual decision making and profiling

4. Make someone in your organisation responsible for data protection and privacy – check whether you need a data protection officer and update policy documents.

5. Document your processing activities.

6. Update your internal and external notices for GDPR compliance, staff manuals, intranet, website etc.

7. Ensure your customer contracts are GDPR compliant.

8. Train your staff on data protection.

9. Review data security provisions and ensure robust data breach detection, investigation and internal reporting procedures are in place.

10. Pay the data protection fee where relevant.

If you need more detailed information, we would refer you to the ICO website.

Please note that the information provided here is general in nature and does not constitute advice on our part. GDPR falls outside the scope of our general advisory work and this information is provided for guidance only.