SMEs and GDPR – A guide to navigating data protection

Posted by sme-admin on September 23, 2021 in Legal, Marketing

The volume and quality of personal data businesses can collect (and the ease with which it can be stored, accessed and used) have myriad benefits, but also carry risks, especially in today’s regulatory environment. A recent study has shown that 85% of SMEs understand GDPR, but more than half are still not meeting the legal requirements.

Elliot Fry, Managing Associate at law firm Cripps Pemberton Greenish, gives SMEToday’s readers some pointers.

Leaving aside the reputational damage a breach can cause, it’s hard to miss the eye-watering fines imposed by the Information Commissioner’s Office (ICO) on companies that have failed to keep personal data secure or have misused it. If you are subject to an ICO investigation, you need to be able to show that you took the right steps towards compliance and have the right documentation in place. Now more than ever it is crucial that companies of all sizes take time to get to know their obligations under data protection law.

The law

Following Brexit, the EU’s GDPR is no longer directly applicable to all UK businesses (although if you do business in the EU, or offer goods or services to people there, it may still be). However, as part of Brexit the UK retained its own version, the “UK GDPR”, which essentially replicates the EU’s GDPR in UK law, so (unless and until the UK creates its own more bespoke law) the GDPR is here to stay.

This legislation applies to all businesses, however small: being a small or medium-sized company does not exempt you.

Your people: Getting your employees up to speed with how they can keep personal data secure is the best way of avoiding data breaches or unintended misuses of personal data. The more they know about how important personal data is, and how to keep it secure, the easier protecting that data and using it in the right way will be.

Not everyone in your business needs to know the GDPR back-to-front, but you should make sure you have someone who broadly understands the requirements, and who takes ownership of data protection responsibilities in the organisation (even if you don’t need a formal “Data Protection Officer”). Other personnel may only need to know a few “golden rules” depending on their role.

Contracts: If you use a service provider that accesses, stores or uses personal data on your behalf, they may well be a “processor”. Where you appoint a processor, the GDPR requires you to have a written contract with that processor, which must include details of the processing and some specific obligations on that processor (in particular, the processor must only process personal data on your documented instructions). The GDPR requirements here are quite specific, so if you are using older contracts (pre-2018), it’s very unlikely that those agreements will be compliant.

Larger service providers should already have updated their agreements, but small service providers may not have dealt with this proactively. You should also look at any transfers of personal data outside the UK (and, where the EU GDPR applies to you, outside the European Economic Area), in particular to the USA, to confirm that these are compliant.

Notices: The GDPR requires a privacy notice to be supplied to anyone whose personal data you hold (subject to some exceptions).

It’s worth remembering that employees are data subjects too, and you will need a privacy notice to set out how you use their data. We consider businesses need a minimum of two privacy notices (an internal one for personnel, and an external one for everyone else). The GDPR also requires you to bring that notice to the attention of the relevant individuals.

Data Controller Register: The GDPR requires organisations to keep a record of their processing activities (including a general description of their security measures). This obligation is reduced for organisations with fewer than 250 employees, but the exemption falls away where processing is more than occasional, involves special category or criminal conviction data, or is likely to result in a risk to individuals, so an organisation of any size is likely to have to keep at least a partial record. Keeping a full record is a matter of best practice and assists your other compliance activities.

Special Category Data Appropriate Policy Document: The Data Protection Act 2018 requires that, if you process special category data (particularly sensitive types of data, which include health information) in certain circumstances (including, for instance, monitoring sick leave or for other employment-related reasons), you will need an appropriate policy document setting out how you comply with the GDPR’s principles and your retention and erasure policies regarding that data.

Data Breach Register: The GDPR requires organisations to document any personal data breaches they suffer (including those that do not need to be reported to the ICO), the effects of each breach, and the remedial action they have taken.

How can I find out more?

If you would like to find out more, a good place to start is the Cripps Pemberton Greenish Data Protection Hub which sets out a lot of guidance on different areas of your business which may be affected. Cripps have also prepared a Data Protection Toolkit which contains questionnaires, customisable template documents and related guidance that can help you get up to speed with data protection law.

Alternatively, the ICO has prepared a ‘SME web hub’ where you can find advice on data protection implications concerning everything from installing CCTV cameras at your premises, to dealing with subject access requests.
