GDPR Guidance for small businesses

April 26th, 2018
GDPR Guidance

On 25th May 2018 the General Data Protection Regulation (GDPR) comes into force. It governs how organisations handle personal information. As a business owner, it affects the way you run your business, as there are certain pieces of your clients’ personal information that you may currently hold.

The GDPR is similar to the Data Protection Act (DPA) and so as long as you already comply with that, the effect on your business may be minimal. However, there are some changes that you may need to make to how you deal with personal information.


The first thing you need to do is determine what personal information you hold, where you get this information and what you do with the information via an information audit.

The GDPR requires you to document this. Doing so will make it easier to comply with the requirements of the GDPR, including the accountability principle.

The rights of individuals

The rights of individuals under the GDPR are similar to their rights under the DPA with some differences. The main difference is the right to data portability. This means that you are required to supply any personal information you hold to the person it relates to in a standard, easily readable format, free of charge.

Under the DPA you had 40 days in which to comply with a request from someone for a copy of the personal information that you hold on them. Under the GDPR that has been reduced to 30 days.

Lawful basis

You are only allowed to hold and process personal information if you have a lawful basis to do so. One of the main changes as a result of GDPR is that people have a right to have their personal information deleted in a number of circumstances.

You should document what lawful basis you’re using to justify holding and processing personal information. This will help you comply with the accountability requirements imposed by GDPR.


One of the lawful bases for holding personal data is consent: obtaining the individual's agreement to collect, hold and use their personal information. This must be on an opt-in basis. You cannot assume consent.

If you have already obtained consent under the DPA, you may not need to obtain fresh consent, provided the method used to obtain it satisfies the requirements of the GDPR. You should make sure that all consent is properly recorded.

Consent is not the only lawful basis for holding and processing personal information; alternatives include meeting a legal obligation, fulfilling a contract, and the legitimate interests of your business. For more details on the alternatives visit the Information Commissioner’s Office (ICO).

Privacy notices

If you collect personal information, you are required to tell people who you are and what you intend to do with that information.

The GDPR goes further and means that you are also required to tell people:

  • What the lawful basis is for you to collect and process their personal information
  • How long you will hold their personal information
  • Who it will be shared with
  • Their right to be forgotten
  • How people can complain to the Information Commissioner’s Office (ICO) if they have an issue with how you have handled their personal information.

Data breaches

If there is a data breach that is likely to adversely affect any individuals involved, you’re required to notify the ICO and the individuals in question. You should make sure that you have procedures in place to detect any such breaches, including a plan for how these breaches will be handled.


  • If you are already complying with the DPA, it should be relatively easy to adapt to the GDPR
  • Document what personal information you hold and process
  • Understand the rights of the individuals involved
  • Only hold and process personal information if you have a lawful basis for doing so
  • Obtain consent or detail any alternative lawful basis and issue privacy notices when you collect personal information.
  • Make sure you have a documented plan for dealing with data breaches
  • Deal with any data breaches as quickly and efficiently as possible

For full details of the requirements under the GDPR you should visit the Information Commissioner’s Office website.

For assistance with your business insurance needs contact Morgan Richardson Ltd and speak to a member of our team.