Onrec logo The Online Recruitment Resource

How to become a GDPR Genius

Written by Conor McArdle, Content Executive at Brighter Business

With less than three months to go until the introduction of the new General Data Protection Regulations (GDPR), now is the time for small businesses to begin implementing new and improved data handling policies. According to recent research, two out of five businesses have not started to plan for next year’s new data compliance legislation. So now is the time for action.

Coming into force on 25th May 2018, the GDPR will offer an update to the Data Protection Act which was introduced into law in 1995.

The aim of the new regulations is to make businesses across Europe more aware of the importance of correctly storing and handling data, as well as encouraging the responsible use of that data. It also clarifies that business are “in custody” of data - they are not owners of it.

There will be significantly heavier fines for mishandling data or for data breaches – up to €20,000,000, or 4% of global turnover (whichever is higher) – putting the responsibility on businesses to ensure their systems and processes are sufficient. In addition, breaches must be reported to the Information Commissioner’s Office within 72 hours.

Fines on that scale will obviously act to deter multinational corporations from mishandling data, but they arguably pose a much larger risk to SMEs. Despite this, a recent report found that 40% of small businesses are not yet prepared for the upcoming changes.

Ultimately, businesses must do all that they can do make sure that they are prepared for the upcoming changes and are able to comply with the new regulations. Otherwise, they risk financial and reputational damage.

To help small business owners to get ready, the experts from Brighter Business have pulled together these top tips…


First things first. Perform a thorough data audit to assess your current situation. Current procedures should be compared against the GDPR framework and if necessary, hire an expert to give you the official line on what you should, or perhaps more importantly, shouldn’t, be doing.


Make sure that you have express permission from the relevant individuals to store and use their data. This means that customers will have to actively opt in to you using their data, rather than your business operating under the assumption that implied consent is sufficient.

With the emphasis on custody of data rather than on ownership, small businesses will have to be more careful about how they use and disclose data, as well as making it clear what customers are agreeing to. By including explanations and opt-in boxes on data collection forms, you should be covered.

Businesses must be more transparent about what data is used for, why, and how long it is stored for. If customers opt out – assuming there is nothing needed for transactional purposes - then all data will have to be deleted permanently.


One of the best ways to ensure that data is stored securely is to keep it all in one location - ideally a secure server.

Duplicated data is messy, and it can cause big issues for businesses. Limit the risk of dispersed data and ensure that any documents containing personal information are not stored on desktops where they are easily accessible. Basic IT security – locking computers while away from them, password protected files, strong anti-virus protections and so on – is advisable.

Make sure, too, that you stop sharing data through inappropriate channels. If you’re communicating customer data through WhatsApp, Facebook or other platforms, it’s easy to lose track of it, and it could be found by or accidently shared with others.

Having data in one central location means, in theory, that it will be easier to handle responsibly. This is also something to bear in mind for your use of technology – if your employees are using personal smartphones for work purposes, they could be inadvertently breaching data guidelines. Get a policy in place so they understand how they should be using data and understand the consequences.


On the subject of social channels, you may need to reconsider the role that social channels play in your business.

If you field customer enquiries and offer customer service through social media, you need to think carefully about how to ensure the secure transmission of information.

Think also about how long that data remains there for, and who has access to the account, as well as being aware of phishing techniques. Never disclose data if the person asking for it is unable to confirm.  Remember to delete any threads once completed.  

It’s worth drafting up some guidelines on how you and your staff should approach these issues and getting used to them before the roll-out of the new GDPR.

With three months still to go, it’s not too late to turn around your business data governance practices.

With a no-excuses approach, you can make sure your business is ship-shape and protected, while ensuring your customers are protected, too.

For more tips, guidance and information for SMEs and start-ups, visit www.brighterbusiness.co.uk