GDPR implications on small businesses

20 December 2017

In the following article, Dafydd Owen Jones from Mabis explores the implications of the new General Data Protection Regulation (GDPR) on small business.

On the 25th of May 2018 the New European General Data Protection Regulation (GDPR) comes into force which will replace the 1988 Data Protection Act (DPA). All companies operating in Europe will have to comply with these regulations regarding the collection, storage and use of personal information.

The good news for small businesses is that they will be treated slightly differently from larger organisations, but it’s still good practice for small businesses to follow GDPR guidelines.

Although the UK will be leaving the EU, UK organisations must still comply with GDPR regulations as the Government has said they will replace the DPA with regulations that are identical to the GDPR.


What Sort of Data is Controlled?

Organisations must be transparent with the data they collect and how they use it. Personal data that’s covered by GDPR is much wider than what the DPA covered and includes:

  • Names and Addresses
  • IP addresses
  • Online Cookies
  • Health information
  • Biometric and Genetic information
  • “any [other] information relating to an identified or identifiable natural person”


Challenges that small businesses might find with GDPR include being in control of information they don’t know they have, e.g. personal data on an old USB drive lost in a filing cabinet. GDPR requires the organisation to find such data and store it securely.


What Does this Mean for Organisations?

The organisation must keep personal data secure through using appropriate technical and organisational measures. The organisation must also be able to show how they keep and process personal information of customers, employees, suppliers etc.

The legislation mainly affects organisations with more than 250 employees. However, smaller organisations affected by the DPA will have to comply with the stricter GDPR rules when dealing with personal information.

Every organisation should assign a Data Protection Officer who should conduct internal audits on the collection and use of data, as well as ensuring that all staff know their responsibilities under GDPR. It’s also the Data Protection Officer’s job to report breaches in data security to the Information Commissioner’s Office (ICO) within 72 hours.

The Data Protection Officer should conduct a Data Protection Impact Assessment (DPIA) if the data processing is “likely to result in a high risk to the rights and freedoms of natural persons”.


What does this mean for individuals?

The objective of GDPR is to give individuals control of their information. Information of individuals will be kept more securely after GDPR regulations come in. The individual will have the right to know what information is being collected and how it will be processed. If the data collected is inaccurate or has changed then the individual has the right to rectify the incorrect data.

Individuals have the right to have their data erased through their “right to be forgotten” if they withdraw their consent of use of personal data or if the data is no longer required. All information that’s collected by any organisation must be obtained by unambiguous consent of the individual by opt in rather than opt out.



There are substantial fines for non-compliance with GDPR, with a maximum fine of €20,000,000 or 4% of the turnover of the organisation, whichever is larger. So businesses must not hide away from GDPR, as it is here to stay.

Complying with GDPR is not a simple task, but you have until May of 2018 to get your organisation up to speed with the new regulations.

Further information about the implications of GDPR can be obtained from the Information Commissioner’s Office website.

For practical support, Mabis offers a variety of business support services including tendering, translation, marketing, research and HR solutions. Operating throughout Wales, we are able to deliver all our services bilingually.

Get in touch on 01970 636565 or email
