GDPR: What is it, what will it cover, and how should your SME prepare?


With groundbreaking digital advances, comes an increasing concern over privacy. Information on consumers can be collected, with databases recording anything from a profile picture, to Google searches and buying history. This tends to make people suspicious, but there are benefits to companies having an insight into our online presence, namely a personalised service.

Having our data collected means we mostly receive adverts for things we’re interested in, and offers for products that are useful. It’s the customisation of a market, fine-tuned to reflect our individual needs and lifestyles.

It has only been made possible by the significant advances made by technology in recent years. Impressive, but it raises legislative impracticalities.

The current law that protects and regulates use of our personal information was established in 1998, just shy of two decades ago. Technology has come a long way since then, and actions are possible now that the UK Data Protection Act (DPA) could not anticipate.

For this reason, on the 25th May 2018, a new law will take effect. The General Data Protection Regulation (GDPR) is gradually being implemented, being introduced in 2016 and coming into full force after a 2-year transitional period. It will be applied across 28 EU countries, with the UK Government announcing that our leaving the European Union will not affect agreements surrounding the regulations.

What will it cover?

The updated legislation will reflect the evolving digital economy, with emphasis placed on:

  • Hybrid Cloud Computing
  • Social Networks
  • Data Portability (the electronic moving of data)
  • One-Stop-Shop
  • Data Protection Officers

What does it mean for businesses?

This would mean that a lot of positions will have to be renegotiated to comply with the new rules.

It’s important to be prepared for the changes, not only to comply with the law and avoid penalties, but to assure your clients that you’re a pro-active, responsible, and organised company.

How to prepare

  1. Be aware of the changes. Make sure you understand what changes are going to be made from the current system. Every member of the organisation should be aware of the changes for a smooth transition.
  2. Be aware of current information held. Organise an information audit, so that you are clear on your status and what information you’re currently protecting.
  3. Review what you currently do regarding information protection, and assess how those processes can be adapted to comply with the new rules.
  4. Be aware of changing individual rights, and how you will adhere to them. Your business will need to have an agreed upon protocol when individuals require access to their data, for example. How will you locate every piece of information your database records. Also how will you communicate that information to them in a way that continues to uphold privacy laws?
  5. Prepare for the rules that are newly introduced. That is, people or aspects to the regulations that haven’t previously existed. For example, previously unmentioned in the DPA, the GDPR additionally covers protection for children. You will have to manage the issue of consent, potentially requiring consent from the parent or guardian of the child.

There is a lot to learn about the approaching GDPR, which your company must be compliant with by this coming May, else risk facing penalties. If your SME has the resources to do so, it may even be worth forming an entire team to research the forthcoming changes and design a response strategy. Whilst assuring customers and clients that you’re taking their data protection seriously.

News from EBM.