What does the EU’s General Data Protection Regulation (GDPR) mean for your business and what impact is it likely to have in real terms?

Most small business owners will be aware that the EU’s General Data Protection Regulation comes into force on 25 May 2018, but few will know what that means in real terms. There are severe penalties for those who do not comply with the strict new rules (fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher), so it’s essential you understand the responsibilities the regulation will bring.

Research has shown that even global businesses aren’t ready for the new regulation, with just a third (33%) currently having a plan in place to comply with GDPR. However, the sooner you start the journey to becoming GDPR-compliant, the lower the likelihood of a fine, bad publicity or even legal action.

What is the General Data Protection Regulation (GDPR)?

The main aim of the GDPR is to change, and enforce, the way businesses collect, store and use personal data. Preparing for it involves, at a minimum:

  • Auditing the data protection measures you currently have in place;
  • Documenting all the personal data you hold, where it came from and who you share it with;
  • Ensuring all your data collection and processing procedures are GDPR-compliant.

Although the GDPR is an EU regulation, the UK government has confirmed the new rules will be implemented regardless of the form the UK’s withdrawal from the EU takes. For that reason, there’s no point delaying your strategy to deal with the new regulation; in fact, you’d be wise to start planning now.


What does the GDPR mean for small businesses?

The new regulation applies to any organisation, wherever it is based, that processes the personal data of individuals in the EU. It effectively takes power away from businesses that collect and use data for monetary gain and gives it back to the individuals concerned: prospects, customers, contractors and employees alike.

According to the GDPR, personal data includes information such as names, email addresses, photos, bank details, social media posts, location details and IP addresses. It gives individuals a number of rights in regard to this information, including:

  • The right to access the data held about them
  • The right to erasure (the “right to be forgotten”)
  • The right to data portability, i.e. to transfer their data from one service to another
  • The right to be informed about how their data will be used before it is gathered
  • The right to have inaccurate information corrected
  • The right to restrict the processing of their data
  • The right to object to their data being used, including for direct marketing
  • The right to be notified of a data breach that is likely to put them at high risk


What must small businesses do to comply?

The GDPR is certainly not just an IT issue – far from it. Instead, it has wide-ranging implications for the whole company, including how marketing and sales activities are handled. The Information Commissioner’s Office (ICO) has published a checklist that details the steps organisations should take to ensure they are ready for May 2018.

If you are concerned about your ability to cope with the implications, or simply don’t have the time to make the changes yourself, now is the time to seek assistance from a third party such as a security firm or consultancy. You may also need to appoint a data protection officer (mandatory where your core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data) who is responsible for ongoing GDPR compliance.


The hidden benefits

Although businesses will have to keep up with a number of extra requirements in regard to how they handle and process personal data, GDPR compliance could also change your business for the better. Small businesses can use the GDPR as a stepping stone to best practice in the handling, control and security of information, improving the quality and integrity of the data they hold.


Get a feel for whether KPMG can make a real difference to your business.
