How GDPR affects you as an SME business
It is not only large, global businesses that are affected by GDPR, SMEs need to take note too!
Overview
On 25 May 2018 the European Union's General Data Protection Regulation (GDPR) became enforceable, bringing a set of new obligations around lawful processing, consent and personal data that companies need to meet. Consent is one of the lawful bases for processing, and where you rely on it, each individual must give it freely, specifically and unambiguously through a clear affirmative action; for special categories of data (health data, for example) the consent must be explicit. As the internet has grown, organisations hold far more personal data than they can readily account for, which is why stricter data protection rules were needed to control how it is collected, stored and used.
Does it affect SMEs?
YES! GDPR applies to any organisation that processes the personal data of individuals in the EU, wherever that organisation is based. It isn't just the large companies that are affected by GDPR; SMEs are also impacted, and there are several things you can start doing now.
A good starting point is the process of Data Mapping. Start by outlining what personal data you hold, why you hold it, where it is stored and who has access to it. You also need to establish the lawful basis for holding each category of data, and in particular whether you have valid, recorded consent where consent is the basis you rely on.
Accountability and transparency are the two most important principles to keep in mind when thinking about GDPR and personal data. As an SME you are accountable for the data that you store, and you must be transparent about what data you hold, and why and how you hold it. One area SMEs often overlook is cloud vendors. If a third party stores or processes personal data on your behalf, GDPR requires a written data processing agreement with that processor, and you should pair it with a security policy so that the data remains secure and its handling is documented.
What about your own employee data?
Employee data should already be treated in a sensitive and secure manner, but it is also covered by GDPR. Employee data comes in many forms, such as employment contracts, background checks, health insurance policies and bank details, and it may be held electronically or on paper, so both need to be accounted for.
It is important to have a data retention policy in place that sets out where personal data is stored, how long each category is kept and when it is deleted. As the amount and type of data you store changes, review this policy at least once a year and make the necessary amendments. Don't forget, accountability and transparency are key!
What about the data you have already gathered?
If you gathered contact details at an event three years ago but have no record that valid consent was given, and consent is the basis you rely on for using that data, you will need to obtain fresh consent before you continue to store and use it under GDPR. There are a couple of ways you can reconnect with these people and ask for their consent, for example:
- Reach out with a newsletter containing company updates.
- Offer something to the people you are trying to reconnect with, a discount on a product/service.
At the end of the communication you can include a tick box for the individual to give their consent to your continued use of their data. Two caveats apply: the box must be unticked by default, since pre-ticked boxes and silence do not count as consent under GDPR, and contacting people by electronic marketing in order to ask for consent may itself need a lawful basis, so check the rules that apply to your channel before sending. You can be creative when reconnecting and gaining consent for data gathered in the past, and it is a good way to confirm that your business is marketing to the right people. Your KPIs will be more accurate, and you will know that the people receiving your communications want to hear from your company and will appreciate your transparency.
What you can do
Do your data mapping! Know where your data is stored and what your plan is going forward. This will let you see clearly what steps you need to take next.
- Know whose data you have, record the lawful basis for each category, and work out how much of it is covered by valid consent and how much is not.
- Draw up a data retention policy for your internal employee data.
- Set out a training plan for people within your business who will be handling personal data, ensure that they know about the requirements of GDPR.