2019 Update General Data Protection Regulation — GDPR

Off my normal topic today – but to say I’m a little peeved is an understatement.

Yesterday I took up the option to attend a presentation put on by one of the UK Business Networks about GDPR.

As some of you know, my background and history is financial services, heavily regulated and profoundly driven by rules – it’s something I get and fully understand. It also allows me to spot utter rubbish when I see and hear it.

The bad guys are out there and it’s the reason we have rules changing all of the time.

Believe it or not, UK Government or the EU are not out to punish us small business owners, but they do want to protect consumers. GDPR is primarily designed to make sure large business owners comply with various rules, but small firms and sole traders are going to get caught up in the issues.

The problem I have is this. Some of those ‘consultants and GDPR specialists’ are not acting in the interests of small and micro businesses.


The changes that this brings for small business are going to be profound, well so it seems.

If I were to believe the hype delivered by the consultancy firm that delivered the presentation last night I’d be crying in my beer and woefully depressed – thing is that’s not the case.

The whole thing was presented in a very slanted way and it is my firm view that they (not going to name the firm) are being deceitful.

Basically telling massive ‘porky pies’ – about how the Data Protection body is funded, the impact of fines and also spreading mistruths about the way other regulators operate.

Importantly the whole presentation was focused on the possible issue of fines and threats to your business instead of delivering the facts about your options as a small business owner and outlining properly the action that you need to take.

Fact is, the GDPR is designed to hold large businesses to account and not to punish small firms. There have been a number of large-scale attempts to steal consumer data and use this for crime. That is not fair on consumers. There is clear evidence that this has happened and consumers have been affected financially.

It’s always been the case that if you lose your client’s data and that data is used to extort money from a third party, you, the business owner (the data controller), are responsible for your customers’ losses and you are forced to notify those customers of any breach and give them some options. This is not new.

But the GDPR is far reaching. It covers paper as well as digital records. Bottom line...

If you are holding and sharing your customer data you should make it clear, via a policy document, why you are holding that data and what you do with it.

You also have a legal obligation to hold some client data – for example invoices and transaction information because of Inland Revenue guidelines along with VAT and information for things like warranty and servicing. Which means there is no wriggle room.

Compliance is the only way.

The presentation given last night seemed to indicate that there was a conflict between what the GDPR wanted, the rights of your customer to have their data protected (and forgotten) and the law. There is no conflict, the law is the law.

As a business owner you do need to be open about what data you store, how you store it and why, and then document that.

Small Business – Sole Trader?

Go here: Checklist – Important Information. That’s the ‘horse’s mouth’.

Once you’ve looked through those docs, if it’s still confusing – go here. Contact me and I’ll help you. Just so you know, I don’t share, loan or lend your personal information.

If you have any sense, you won’t store credit card details on file and will use a payment processor that handles the confidential information for you on their server. This solves one conundrum — if you don’t have data stored then you can’t lose it!

Other personal information that you may share, e.g. delivery information, is pretty easy to solve. You tell your customers, via an automated email/terms of business, that their address is shared with a courier for example and then make sure your courier complies.

If you use an overseas web server to host your website then you may want to consider bringing this in-house – under your control (makes more sense than anything else) and have it hosted on your space rather than your website designer’s in the UK or Europe.

Using strong encryption on your stored files, making sure that access is limited, not allowing ‘administrator users’ on your Windows installation and putting in place robust security for passwords, like Two Factor Authentication, solves many security problems at virtually no cost.

Didn’t hear any of that last night.

You also need to be prepared to provide your customers with the information that you hold on them. If you are using some kind of accounting package or customer management system – this should be easy to do. Nothing complicated there, just be prepared.

If you are holding ‘paper files’ then moving across to a digital system and scanning documents will make sense but brings other problems.

GDPR for small and micro businesses is about having documented practices, using your client data in a way that you’d be happy for your data to be used (i.e. not sold or loaned) and making sure that you have secured the data correctly.

Fact is most small businesses don’t survive a loss of data, most small businesses don’t have a written policy on data protection or management. But this does not have to be onerous.

  • You will need to use PCI compliant web services for processing cards.
  • You will need to use encryption on your data.
  • You will need to hold client data in a safe way.

You must be prepared to be aware of breaches of data, tell your clients if you’ve had one and give customers the information held on request.

GDPR has been implemented to ensure that those big data controllers are brought back into line and forced to act in a way that is good for consumers – it’s not designed to shaft small businesses.

The ‘Snake Oil Salesmen’ – or GDPR Consultants – are trying to scare the shit out of the one man bands and will take money off you for no real reason and offer little in return – this is the real crime of GDPR – not the legislation that’s coming.

GDPR is good business practice, it will make you think about your business processes and systems and it will make you care more about your customers, perhaps even make contact with them to explain how you are approaching things, and how that will make it better for them.

And yes you will need to register with the ICO and yes you can take the test to see if you need to comply with some other rules. But you don’t have to tie yourself up in knots over it.

As a small business the cost of compliance should be very small – but it will make a world of difference to how you run your business and that’s a good thing.

Links are below.

Start with the ICO questionnaire and move forward from there.

If you are stuck with any of this and need some help, get in touch. I can offer you a fixed price service for all of this, without taking your first born.

​© Richard Smith 2018



Does the GDPR apply to me?


Originally written by Luke Irwin 24th July 2017

We’ve heard from a lot of companies recently that were surprised to learn that the EU General Data Protection Regulation (GDPR) applies to them. The Regulation, which takes effect in May next year, is huge in scope, unifying data protection laws across the EU. Its scale has led to many companies presuming that it only applies to companies that process large volumes of personal data. However, depending on a handful of factors, no matter what size a company is, it may be subject to the Regulation’s requirements. Here are a handful of questions to determine whether you need to pay attention to the GDPR:

Do you process EU residents’ personal data?

If you do, then the GDPR probably applies to you.

It doesn’t matter whether you are based in an EU state or not – if your company processes, stores or transmits personal data belonging to EU residents, then you will almost certainly be required to comply with it.

Are you engaged in economic activity?

The one caveat to that is that the GDPR does not apply to people processing personal data in the course of exclusively personal or household activity. This means you wouldn’t be subject to the Regulation if you keep personal contacts’ information on your computer or you have CCTV cameras on your house to deter intruders.

To fall within the remit of the GDPR, the processing has to be part of an “enterprise”. Article 4(18) of the Regulation defines this as any legal entity that’s engaged in economic activity. You must be careful not to mistake business conducted from home for household activity.

Does your organisation have fewer than 250 employees?

The GDPR broadly expects all small and medium-sized enterprises (SMEs) to comply in full with the Regulation, but it makes some exceptions for organisations that have fewer than 250 employees.

The Regulation acknowledges that many SMEs pose a smaller risk to the privacy of data subjects than larger organisations. For example, Article 30 of the Regulation states that organisations with fewer than 250 employees are not required to maintain a record of processing activities under its responsibility, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”.

Do you need to register?


Small Business Advice from the ICO







Funding of the ICO




Cloud Hosting

