Seven Steps for SMEs – European Commission’s guidance on GDPR

It is now less than 2 weeks before GDPR goes live, yet many organisations, particularly smaller businesses and companies, are not yet adequately equipped for the changes and challenges they face.

Dan Dowen, commercial and IP solicitor, takes a look at recent guidance issued by the European Commission as to how SMEs should be approaching GDPR.

After months of discussing GDPR with our clients, one of the more common questions comes from small businesses who do not handle personal data as a core business activity who ask “does GDPR apply to me and my organisation?”.

Well, if you are a small business who hold personal data of your employees or clients and customers then, yes GDPR will apply.

The European Commission has recently released guidance for SMEs who may not collect or process much personal data and the steps that these organisations should be taking:

1 – Check the personal data you collect and process. Do you have employees or lists of customer details? If so, then you will be processing personal data. Have you considered why you process that data and the lawful basis for doing so?

2 – Inform your employees, customers and other individuals when you collect their personal data as well as what you do with it and how you process it. Do you have a privacy information notice in place to make this information available?

3 – Keep the personal data for only as long as necessary.

4 – Secure the personal data you are processing. If you store personal data on IT systems then limit access by passwords and regularly update your security settings. If you store physical documents containing personal data, ensure that the filing system is locked and not accessible by unauthorised persons.

5 – Keep documentation on your data processing activities and prepare an internal document to explain the following:

  • What personal data you hold and the reasons for doing so
  • The purpose of the processing
  • The categories of data subjects concerned
  • The categories of recipients – i.e. who you send the data to
  • The storage periods
  • The technical and organisational security measures in place to protect the personal data
  • Whether personal data is transferred to recipients outside the EU

6 – Make sure your sub-contractors respect the rules. If you sub-contract processing of personal data to another company use only a service provider who guarantees that they process in compliance with GDPR.

7 – Do you need to appoint a Data Protection Officer? You will need to appoint a Data Protection Officer (DPO) if you carry out large scale systematic monitoring of individuals (i.e. online behaviour tracking) or carry out large scale processing of special categories of data relating to criminal convictions or offences.

Whilst the European Commission has released these guidelines for complying with GDPR it is not an exhaustive list and there are many actions SMEs can take to ensure that they comply and, importantly, demonstrate their compliance with GDPR.

For more information on how Berry Smith can assist you with your GDPR compliance or any other commercial matter, please contact Dan Dowen at or on 02920 34 55 11.


Dan Dowen – Solicitor, Berry Smith Lawyers