GDPR. It sounds like some long-forgotten empire, or perhaps a new economic statistic. If only it were either of those! GDPR is a headache, but we must be ready for it – by May 25, 2018.

If you’re like a lot of small and medium-sized businesses, you’ll have read some of the ‘How to prepare for GDPR’ articles and thought: ‘Yeah, yeah, but what do I actually DO about it?’

What is GDPR – in a nutshell?

The General Data Protection Regulation (GDPR) is an EU law on protecting data and privacy for EU citizens. It’s like the current Data Protection Act (DPA), but considerably stricter. It basically compels organisations like yours to take account of, and take care of, the information you hold on customers, and to communicate to them exactly how you are using that information. Crucially, it stipulates that they must actively opt in to consent and that they can retrieve their data or have it deleted.

Avoid big fines

Here at Brainbroker we’ve put together a practical list of what you should consider – and more importantly, do – to avoid those fines. After all, nothing could be more embarrassing than going under because you didn’t keep your spreadsheets safe.

Build trust

Aside from the fines, it’s good to get to grips with GDPR so you can show your customers and suppliers that you take personal data security seriously; it can help you build all-important trust.

What to do right now

In terms of what you should actually do, two of the most important changes relate to:

  1. updating your privacy notice
  2. changing the way you gather consent (so it is separate from your T&Cs, and can be easily withdrawn)

Here’s a full run-down:

Be aware and act

Make sure everyone in your business is aware of the change in the law. It’s important to act now.

Work out what data you hold

Take the time to work out what personal data you hold, where it is kept, and who you share it with. Any data you share with other organisations must be accurate – and any mistakes must be relayed to those organisations so they can be corrected. But you need to know what – and where – that data is to make such corrections.

Update your privacy notice

You already have to give your customers information about your identity and how you will use their information under the DPA. Under GDPR there are a few more things you need to tell people – communicated through a privacy notice on your website, emails, letters, forms and/or other communications.

Your privacy notice (or statement) should be clearly laid out in uncomplicated language. Legalistic or confusing terms should be avoided.

See examples of good and bad privacy notices from the ICO (Information Commissioner’s Office).

Rights of individuals

The GDPR upholds the following rights for individuals:

  1. the right to be informed
  2. the right of access
  3. the right to rectification
  4. the right to erasure
  5. the right to restrict processing
  6. the right to data portability
  7. the right to object
  8. the right not to be subject to automated decision-making including profiling

You should work out how you would delete personal data, and how you would provide that data to the associated individual if it were requested. You should also decide who makes deletion decisions.

If someone requests the data you hold on them, it must be provided free of charge in a commonly used and machine-readable format.

Handling requests for data

You will need to decide if your current procedures for handling information requests are up to scratch. If a request is particularly unreasonable – e.g. it would take your staff a week to organise (bad news for most SMEs) – you may have grounds to refuse it. However, you must tell the individual why, and make clear they can complain to the supervisory authority (ICO) and that they have legal recourse. Requests must be handled within 30 days – and any refusals must be responded to in the same period.

Smaller businesses are unlikely to receive large and regular requests. But those that do may want to consider how such requests can be automated or streamlined, perhaps by developing systems which allow people to access their data online.

Why – legally – are you allowed to process personal data?

You need to establish why you are allowed – under the GDPR – to process someone’s data. It is often because consent was given by the person. You need to explain the ‘lawful basis’ for processing data in your privacy notice – but also if/when you receive a subject access request.



This is a biggie. How do you ask for consent on your website? How do you record and manage that consent? Any consents that don’t meet the GDPR standard must be refreshed – i.e., you must ask for consent again!

When someone gives you consent to process their data, it must be given freely, cover specific data and processing, and be clear. People must positively opt in – consent cannot be assumed from inactivity, silence or pre-ticked boxes (which are specifically banned under GDPR). People must also be able to withdraw consent simply and easily.

  1. Consent requests must be kept separate from other terms and conditions agreements.
  2. List any third parties who will rely on the consent given.
  3. GDPR consent differs from DPA consent in that an affirmative action is necessary for consent to be given.

What to include in your business website’s consent form/page:

  1. The name of your organisation and any third parties who will rely on the consent
  2. Why you want the data
  3. What you will do with the data
  4. Make clear that consent can be withdrawn at any time. It’s a good idea to tell them how to do this.

Examples of opt-in consent methods:

  1. signing a consent statement on a paper form
  2. ticking an opt-in box on paper or electronically
  3. clicking an opt-in button
  4. choosing from equally clear yes/no options
  5. replying in agreement to an email requesting consent
  6. answering yes to a clear spoken consent request
  7. using a “just in time” opt-in feature, like the ICO’s example

Consent for collecting children’s data

The GDPR states that if you collect and process children’s data, you may need consent from the child’s parent or guardian. In the UK, children aged 13 and upwards can provide their own consent (subject to UK Parliamentary approval).

Data Breaches

How will you handle a data breach? Certain types of breach must be reported to the ICO. As the ICO says: “You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals.” Equally, under these circumstances, you’ll need to inform the person affected too. Any such notification must be sent within 72 hours.

Dealing with contractors and suppliers

Under GDPR, there are “data controllers” and “data processors”. These may both apply to one entity (such as your business), or it may be, for example, that your business is the “data controller” and a third party is the “data processor”. “Data controllers” decide how and when data is used, while “data processors” process the data on behalf of the controller. If you share personal data with a third party, you must ensure that third party is compliant with GDPR data protection standards. This might be done by sending them a form to complete providing assurances that GDPR standards are and will be met fully.

Long live the GDPR?

Like the Holy Roman Empire, the GDPR is going to be around for a very long time. It’s important to put the work in now so you are compliant, and so you can focus on your core business.