Skip to main content

20-20a Westminster Buildings, Theatre Square, Nottingham, NG1 6LG(0115) 888 2828

The new General Data Protection Regulations (GDPR): How SMEs will need to react

Written by Ben Leach on

From May 2018, the EU General Data Protection Regulations will officially come into force. Should you be preparing?

For too long, spammers and scammers have had free range of the wealth of data that is out there. From May 2018, the EU General Data Protection Regulations will officially come into force. Surprisingly, it’s not just undesirables who should be preparing for next May, but Small and medium-sized enterprises (SMEs) too.

The legislation

The legislation is aimed at tackling the issue that has fallen by the wayside recently, and that issue is data protection. The new General Data Protection Regulations (GDPR) will replace the current DPA (Data Protection Act) which dates back into the 1990s when gathering huge quantities of data was only accessible by larger organisations.

New General Data Protection Regulations

Now we live in a world where marketing, sales and advertising revolves around data that has been gathered by numerous means. Currently there are more than 200bn emails sent worldwide in a 24 hour period, which is an incomprehensible amount considering the average number of emails people get daily reaches a mere 88.

Taking responsibility for data

With the new General Data Protection Regulations, it means that each business, whether an SME  or not should have an appointed Data Controller in the business who is responsible for all the held data. The company should also be able to prove where they retrieved the data from and that consent was given to hold the data.

Retrieving consent will now not be as easy as the standard ticking of a box but the Data Controller will need to show the real audit trail of consent before the data was added to a list. It should also be possible to completely erase any details of a user on a system should they ask or unsubscribe.


Overall, the changes to the GDPR from DPA are significantly enhanced, but the rights of individuals remain, ultimately, the same. A common misconception among businesses is that, even now, they can send out emails without declaring themselves to be holding information to the Information Commissioner’s Office (ICO).

Any business that holds an email address, phone number or address for marketing purposes needs to register with the ICO and pay the charge of £35 (this price is increased significantly for larger business). This ensures the ICO are aware that your business is holding data and should be doing so responsibly.

Fines and punishment

Currently fines for not fully complying with the Data Protection Act 1998 are up to £500,000. Once the GDPR comes into force, this fine will be considerably increased to either £20million or 4% of a company’s annual income – whichever is more. This is not dependent on the business either, theoretically, a judge could rule a small SME to pay up to £20million.

The largest change to the General Data Protection Regulations, is that of the territorial power of the directive. Beforehand, the DPA stated that it referred to ‘data in context with establishment’. Due to this ambiguity causing numerous court cases to be lost against firms misusing data, the directive has been updated to enforce all businesses that deal with the processing of data in any way. This also means any business who holds data of EU nationals must comply with the GDPR.

Explaining why you collect data

The new regulations will also mean that businesses need to be able to supply a reason as to why a person’s data is being held. And if asked by the person or a relevant governing body, they must be able to provide all data that is held on that singular person. Similarly, if a company holds information of a person who is less than 16 years old, the business must be able to supply parental consent upon request.

To summarise…

In summary, it is important that people’s data is protected to the highest possible standard. There are numerous obstacles that can jeopardise the protection of data and these risks need to be managed by businesses effectively in order to protect data. Businesses will need to take a holistic approach to risk by looking at people, processes and technology and being able to manage these and keep them under control.

The new GDPR is something that needs to be thought of as an essential part of business development rather than a bolt-on or addition to business administration. The protection of data should be at the heart of everything the business does. After all, a data leak cannot be hidden and protection of the brand and protecting databases is vital.

To find out more about the GDPR and the full legislation visit: