The business-friendly and supportive financial environment created by the European Union has paved the way for more new SMEs (Small and Medium-Sized Entrepreneurs). There were more than 5.5 million private sector businesses in the UK alone. Bearing in mind that SMEs account for 99.3% of private sector businesses in the UK, the government provides more support in the form of business startup loans and grants, and government-backed business loans. SMEs have created a significant number of employment opportunities in the country's private sector: 15.7 million. The bottom line is that SMEs create jobs and hence play a very significant role in the economic growth of the UK.

GDPR Checklist

GDPR for SMEs – Cakewalk or Bugbear

SMEs also hold the personal data of more than 15.7 million private workers, plus data on suppliers and contractors. The General Data Protection Regulation (GDPR), which controls data collection, is very strict, and non-compliance now incurs tougher fines. So, with less than a fortnight left, how easy or tough is it going to be for a small or medium-sized business to become GDPR compliant? It's easy. It has been a cakewalk for small and medium-sized Entrepreneurs. The process of following GDPR is not difficult, but it is slow. It involves analysis of data, completion of balancing tests, mapping of processes and a complete review of security.

The Checklist for SMEs in the UK

Before we compile the checklist, there is an important thing SMEs should pay heed to. GDPR applies to data associated with anyone who works or has worked with the SME, including past employees, suppliers and contractors. In a nutshell, any personal and sensitive data that SMEs hold, store and use gets GDPR protection.

Understanding of Data 

SMEs are expected to have a clear idea of the personal and sensitive data they keep and use. They have to demonstrate that they understand how they handle personal and sensitive data: the source of the data, and where and how it is being used.

Personal data: name, email address, bank details, contact details, address, IP address

Sensitive data: This is a special category that includes religious views and health details.

Reliance on Consent

SMEs have to find out whether consent is necessary to process personal and sensitive data. The consent has to be clear. This is going to erect barriers in several activities marketers have to perform in order to achieve their marketing goals.

Reinforce Security Measures

If you haven't implemented strong security measures and policies for data protection, don't put it on the back burner; it is urgent and important. Identify security vulnerabilities, take the necessary corrective steps and put essential data protection policies and measures in place in order to be GDPR compliant. Sending and receiving user data in encrypted form, installing an SSL certificate and other preventive measures can save you from big penalties in case a security breach occurs.

Access Request Deadline

Access rights under GDPR have changed. Citizens can use their right to access and rectify their incorrect personal data. They can also raise objections against the way SMEs process their personal data. When citizens request it, SMEs have to erase their personal data. SMEs will have one month to fulfill access requests from citizens. So, SMEs have to train staff to process requests within this timeframe.

Train Employees

Train employees so that they can identify red flags and personal data breaches. They should be able to report a serious security breach within 3 days. The staff of SMEs should realize that it is their responsibility to report a breach or any security vulnerability to the Data Protection Officer.

Conduct Due-diligence

SMEs should be careful while sealing deals with suppliers and contractors. All suppliers and contractors they are working with must be GDPR-compliant. SMEs should also make sure that obligations related to data breaches are included in the contract.

Use Fair Processing Notices

It is the responsibility of SMEs to describe how they will use the personal data they collect from citizens or that citizens provide.

Employ Data Protection Officer

SMEs processing large volumes of personal data, especially sensitive data, must employ a DPO (Data Protection Officer).

GDPR is in the best interest of both citizens and SMEs. It will protect citizens' personal data from business malpractices. And the business of SMEs will become more secure and trustworthy. Becoming GDPR compliant is pretty easy. GDPR is coming into force on the 25th of this month. So, get it done now!

