
Will the new General Data Protection Regulation (GDPR) affect your SME?

22 Feb 2017

Small and medium-sized businesses are not exempt from the new General Data Protection Regulation (GDPR), which is expected to come into effect mid-2018. Here, we highlight just some of the measures that your business will need to put in place to avoid any penalties.

If your business is already complying with the current Data Protection Act (DPA) then it’s likely that your approach to compliance under the new GDPR will remain valid and can be built upon. However, there are a few things that you may not be aware of or may have to rejig completely in the period leading up to enforcement in 2018. They include…

Data protection officers

An early draft of the GDPR stated that a mandatory data protection officer (DPO) with “expert knowledge of data protection law and practices” be appointed in organisations with 250 employees or more. However, this restriction was thrown out in the final draft and a DPO must be appointed if the core activities in your SME involve “regular and systematic monitoring of data subjects on a large scale,” or the large-scale processing of “special categories of personal data” – regardless of the organisation’s size.

Demonstrating compliance

Businesses are no longer required to notify the Information Commissioner’s Office (ICO) of their data processing activities, but are instead required to maintain records of their processing activities. There is, however, an exemption for controllers and processors of data with fewer than 250 employees on the condition that the processing does not pose a risk to the rights and freedoms of data subjects, is occasional and does not relate to sensitive personal data.

Data subject access requests

Under the new GDPR, individuals will have more information on how their data is processed. In most cases, organisations won’t be able to charge for complying with a request, but where requests to access data are manifestly unfounded or excessive, SMEs may be able to charge for or refuse them. Instead of the current 40-day compliance timeframe, businesses will usually have only a month to comply with requests.


While it was initially proposed that SMEs could get a written warning for a first, unintentional non-compliance offence, this was thrown out of the final draft. As a result, SMEs will be subject to a fine of up to €10m or two per cent of worldwide turnover, whichever is greater, for violations of record-keeping, security and privacy impact assessment obligations. For more serious failures, companies can be fined up to €20m or four per cent of worldwide turnover.

While the above components of the GDPR are important, this is not a definitive list. Find out more information on what you can do for your company to meet what might be the defining business challenge of the 21st century at the IoD Cyber Security Summit 2017. 

The IoD Cyber Security Summit 2017

The IoD Cyber Security Summit will take place on 27 March at 116 Pall Mall. This morning briefing will not just cover the emerging global and national trends in the cyber crime arena, but also provide practical steps on what you can do for your business straight away to meet what might be the defining business challenge of the 21st century.
