Small Business GDPR Audit

GDPR presents a rare opportunity for small businesses

On 25 May 2018 the EU General Data Protection Regulation (GDPR) becomes directly applicable in the UK, supplemented by the UK's Data Protection Act 2018. There are many requirements and you can get an overview here.

UPDATE: The UK Data Protection Act 2018 received Royal Assent on 23 May 2018.

Part of the requirements is that you audit all the points at which personal data enters your business and, for each one, record a number of elements, including the legal basis for processing, the categories of data subject (for example customers, employees, suppliers) and other details.

As a small business, much of the legislation may not apply to you, but you still have to: identify your data sources (do an audit); adhere to your Data Protection Policy (containing all the new rules that pertain to your business); send a "Privacy Notice" to the customers you already have; and ensure you have an appropriate and adequate process in place to deliver the new "Privacy Notice" whenever you collect contact details or other personal data, including from employees, sub-contractors or casual staff.

If you are a small business of under 5 people and do not send out newsletters or do email marketing, we will conduct an audit for you, provide you with a copy of the audit (for your records), and include a tailored "Data Protection Policy" and a bespoke "Privacy Notice" that you can use as a stand-alone hand-out, on your website, via a download link, or incorporated into your terms of business.


As a Small Business, Do I Need To Worry?

Quick check: focus on your data collection. Does your business hold HR records, customer lists and contact details, or employee records, for example? Most do.

This is confirmed by the ICO, who state: "You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR".

Manual vs. automated filing

Whether you keep a spreadsheet of customer contact details or run an automated digital capture system, the GDPR will apply.

What Is Personal Data?

The GDPR applies to 'personal data' (defined in Article 4(1)), meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.

This definition means a wide range of identifiers can constitute personal data, including a name, identification number, location data or online identifier, reflecting changes in technology and in the way organisations collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

How Does This Affect Me?

The GDPR applies to 'controllers' and 'processors'.

A controller determines the purposes and means of processing personal data.

A processor is responsible for processing personal data on behalf of a controller.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of the personal data you hold and of your processing activities. You will have legal liability if you are responsible for a breach.

However, if you are a controller, you are not relieved of your obligations where a processor is involved: the GDPR places further obligations on you to ensure that your contracts with processors comply with the GDPR.

Don't Just Take Our Word For It

The following sites on small business and the GDPR will help explain things a little more. Links to the Federation of Small Businesses and the ICO are at the bottom of the page.


Prices start from £250 for very small businesses (sole traders, small retail, etc.).

Under 20 employees: £350.

20 to 50 employees: £650.

50 to 249 employees: £1,200.

Larger businesses please apply with details of the number of staff and marketing activity.


Or contact us via email at

