A Basic Guide to GDPR for SMEs

If you are reading this, you are probably aware that Data Protection Laws are changing on 25th May 2018 – less than 2 months away! While many people are worried about the new regulations, we are here to assure you that there is no need to panic! Many companies may even find they are already complying with many of the new laws.

For a small company, complying with GDPR can feel particularly daunting, so we have put together a short guide to help you get started. The purpose of this guide is to assist you with the initial steps to prepare you for the 25th May. Much of this information is pulled directly from the Information Commissioner’s Office (ICO) guidelines – but hopefully we have clarified it and presented you with real-world solutions that you can directly incorporate into your company or organisation.

Just to be clear, this guide should not be your only reference when it comes to complying with GDPR. While this is a great place to begin for SMEs, you must also do your own research into your organisation’s specific case. If you’d like to chat to us further about how we can help you prepare, please get in touch here.



So, let’s start by going back to basics. What exactly do the new laws mean by ‘personal data’?

The ICO defines ‘personal data’ as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

But what does this mean in practice? Very simply, personal data is any information you collect about an individual, directly or indirectly. It could come in the form of an email address, a phone number, an IP address, or the individual’s interests, such as whether they like ice cream or pizza… you get the picture.

Data includes cookies on your website, any online forms that collect information, and data you collect using third-party apps such as Google Analytics or MailChimp.



You must have a lawful basis for processing data. There are 6 lawful bases, and you must identify which one you fall under (and include it in your privacy notice).

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

[Reference: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/]



Very simply, you should make the appropriate parties aware of GDPR changes within your organisation or company.

This means that anyone who is responsible for or party to collecting data on behalf of the company will need to understand how their responsibilities will change.



A good place to start is to identify the information and data that you collect, who you share it with and how/if you record it. This includes any data you have collected by non-traditional avenues (i.e. not via a form that has been filled out on your website).

The ICO draws your attention to any data you have collected in the following ways:

– observed, by tracking people online or by smart devices
– derived from combining other data sets; or
– inferred by using algorithms to analyse a variety of data, such as social media, location data and records of purchases in order to profile people for example in terms of their credit risk, state of health or suitability for a job.



It is a good idea to put your privacy notice clearly on your website if you have not already done so, and review the information you have detailed in your privacy notice. It is worth spending time on this since you can refer any data protection queries to this page in future.

You must ensure your privacy notices are transparent, which means they answer these questions clearly:

– What information is being collected?
– Who is collecting it?
– How is it collected?
– Why is it being collected?
– How will it be used?
– Who will it be shared with?
– What will be the effect of this on the individuals concerned?
– Is the intended use likely to cause individuals to object or complain?

Or more simply:

– who you are;
– what you are going to do with their information; and
– who it will be shared with.

You may also want to include the lawful basis you have for processing data.

This should be provided in clear, concise, easy-to-understand language.

Online is not the only way you can communicate your privacy notice. If you are going to a conference, for example, and intend to collect email addresses for your e-newsletter, there are other ways of communicating your privacy notice.

Your privacy notice can be communicated:

– Orally, face to face or when you speak to someone on the telephone (make sure to document this with a date and signature).
– In writing – printed media; printed adverts; forms, such as financial applications or job application forms.
– Through signage – for example an information poster in a public area.
– Electronically – in text messages; on websites; in emails; in mobile apps.

Just ensure you keep records of how each individual received your privacy notice!



Individuals have a set of rights over their personal data under GDPR. These rights include:

– the right to be informed;
– the right of access;
– the right to rectification;
– the right to erasure;
– the right to restrict processing;
– the right to data portability;
– the right to object; and
– the right not to be subject to automated decision-making, including profiling.

This means that you must clearly give individuals a choice about how their data is used. They will have the right to amend or delete their records, and you must be able to comply.

At this point, you must ask yourself: can you locate and delete an individual’s data if it is requested? If requested, can you provide an individual with a report detailing how and when their data has been used historically?



If an individual asks you to send them a report on how their data has been used, or for their data to be deleted, you will have one month to comply with the request.

The good news is that if a request is unfounded or excessive, you can refuse to comply. If you do refuse, however, you must do so within a month and give a clear explanation as to why.



You will need to review and refresh your consent processes if they do not comply with GDPR laws.

The first thing you must consider is which lawful basis you are operating under to process an individual’s data. In many cases, this will mean that if you are unable to locate and document how and when you gained consent to use an individual’s data, you must ask them for their consent again.

If you have been seeking permission to use an individual’s data and recording it in a way that already complies with GDPR, then you do not have to re-seek permission from your existing email list.

Keep in mind that consent must be given by a positive opt-in. In other words, a pre-ticked box or equivalent silence will not be acceptable, and consent must be given separately from your terms and conditions.

When asking for consent, include:

– the name of your organisation;
– the name of any third-party controllers who will rely on the consent;
– why you want the data;
– what you will do with it; and
– that individuals can withdraw consent at any time.



If you are processing the personal data of children, you will need to take extra care and read the guidelines carefully. Largely, the laws around children’s data protection are the same as for adults; however, clarity and transparency should be central to all of your data processes.

If your lawful basis relies on consent, you will need to be aware that only children over the age of 13 are able to provide their own consent. Otherwise, you will need the consent of their parent or guardian (although there are mitigations for this).

See more here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/



You must designate a DPO (Data Protection Officer) if you are:

– a public authority (except for courts acting in their judicial capacity);
– an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
– an organisation that carries out the large-scale processing of special categories of data, such as health records or information about criminal convictions.

If you do have to designate a DPO, ensure you research the responsibilities of this individual.


Please note that this article represents the views of the author solely, and is not intended to constitute legal advice.


Why we chose to partner with Kentico

We are so pleased to announce our new partnership with Kentico enterprise solutions. With GDPR fast approaching and data-driven marketing becoming increasingly important, we wanted to find a reliable content management system that could support our clients’ needs in the long term. When we found Kentico, we knew we didn’t have to look any further!



We hear over and over again from clients that their website has become “outdated,” both in aesthetics and functionality – and they’re not wrong to worry. Online browsers have less tolerance for outdated websites than ever before. The problem is that the online world changes so quickly, which means your website will age at a rapid rate unless you keep on top of it. But of course, this can be extremely expensive.

We chose Kentico because it is a stable, scalable solution. It provides our clients with the benefits of out-of-the-box functionality – including an easy-to-use back end – together with the ability to customise and grow their websites. In other words, this solution means that your company won’t outgrow the capabilities of your platform.



When it comes to digital marketing, there is so much that you can do using your website alone, so we sought a partner who could provide our clients with an easy-to-use platform incorporating smart and intuitive marketing, resulting in an increased number of leads and conversions coming through your website.

The best way to do this is through personalised content curation. This means that you can present each visitor with content that best matches their interests and automate the marketing collateral they receive based on where they are in the customer life cycle.

With Kentico’s lead scoring system, you can easily target and curate content based on the customer’s engagement with your brand. For example, if a customer on a news site only browses the technology section, you can curate the homepage they view to show them only technology articles. Further than that, you can send them automated e-mails with content they are interested in. Each customer who visits your site will see the information most relevant to them, making them more likely to engage with your company.



The GDPR frenzy has been on everyone’s mind in 2018, and as a website agency we needed to ensure that we had a reliable solution. Our partnership with Kentico means that we can build an easy-to-use, 100% GDPR-compliant CMS. This means that all of your customer/client data lives in one place, making it a simple click of a button to download or delete a single user’s data.

Websites and marketing programmes capture a huge amount of data, some of which you may not even be aware of, and this is where a Kentico CMS can bring a big advantage. When you’re juggling your CMS, MailChimp and/or any other marketing platforms you’re using, it can be difficult to consolidate all your data in one place. But with Kentico, it all lives under one roof (in a manner of speaking), which means it is easier to access and amend. Further to that, it means that you can safely and securely market to your audience without worrying that you are breaking any GDPR regulations.