A healthy and thriving small business sector benefits us all, and we should celebrate its contribution to the UK economy and society as a whole.

By Elizabeth Denham,
Information Commissioner

But people’s legal right to privacy doesn’t have to be the price of doing business and the Information Commissioner’s Office (ICO) is here to help all organisations prepare for the the General Data Protection Regulation (GDPR), whatever their size.

The new regime will apply from 25 May 2018 but research has suggested the small business sector is less prepared than others for the changes.

With that in mind, the ICO is supporting SMEs by providinga range of dedicated products, resources and advice to help them
prepare for the new data protection laws. This includes:

• The ICO’s Guide to the GDPR, which includes links to all theadvice and guidance that is currently available and which will be the first place to get the latest updates;
• A Getting ready for the GDPR self-help checklist which produces a bespoke report on what SMEs will need to do;
• An FAQs document answering the questions that have been asked most often by SMEs; and
• A dedicated GDPR preparation helpline for small organisations – 0303 123 1113, option 4.

In addition, the ICO also has a downloadable 12 steps to take now to prepare for GDPR graphic and has also published a series of blogs shattering some of the myths around the new
legal regime.

You can refer back to these resources again and again, as GDPR compliance won’t end on 25 May – it will be an ongoing journey and a continuous, evolutionary process for organisations. No business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.

Whether you have 20 or 200 staff, by now you should be putting measures in place to ensure your organisation implements responsible data practices:

• Organisational commitment – Preparation and compliance must be cross-organisational, starting at the top. There needs to be a culture of transparency and accountability as to how you use personal data – recognising that the public have a right to know what’s happening with their information.
• Understand the information you have – document what personal data you hold, where it came from and who you share it with. This will involve reviewing your contracts with any third party processors or contractors to ensure they’re fit for GDPR.
• Implement accountability measures – Consider your lawful bases for processing personal data, review your privacy notices, design and testing a data breach incident procedure that works for you. Think about what new projects or products in the coming year could need a Data Protection Impact Assessment. Depending on the type of business you are and what
  you do, this might also involve appointing a data protection officer if necessary.
• Ensure appropriate security – you’ll need continual rigour in identifying and taking appropriate steps to address security vulnerabilities and cyber risks.
• Train your staff – Staff are both your best defence to a data breach and your greatest potential weakness – regular and refresher training is a must.

It is vital you start now if you haven’t already. There will be no ‘grace’ period for compliance – there has been two years to prepare and we will be regulating from this date.

That said, we pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.

We know that budgets can be tight, technology is moving fast and there’s a race to keep up with competitors. That’s probably even more so for small businesses. But if you can demonstrate that you have the appropriate systems and thinking in place, you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world.

Good information handling makes good business sense. It can improve your reputation, increase customer and employee confidence and can save both time and money. And all businesses, whatever their size, would welcome that.