
GDPR FAQs For Small Organisations

by Adam Brogden
in Blog

21-Aug-2019 12:11

What Is the GDPR?

The General Data Protection Regulation is a European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It came into effect on 25 May 2018.

What information does the GDPR apply to?

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

Does the GDPR only apply to EU organisations?

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

How can I prepare?

You can find the latest guidance on the new legislation at we’ve created packages of documents aimed at small and micro businesses.

My firm employs fewer than 250 people. Am I exempt from the GDPR?

You’ll have to comply with the GDPR regardless of your size, if you process personal data.

Do I need to appoint a data protection officer (DPO)?

Under the GDPR, you must appoint a DPO in certain circumstances. Contact us for more information.

Can I have specific policies and procedures for my sector?

Yes. Check out the packages of documents we’ve created for different types of companies; these document packs will help you through the GDPR process quickly and easily.

What are the rules under the GDPR for subject access requests?

The right of access under the GDPR contains important differences around fees, time limits, refusals, electronic format, refining requests and method of access.

Can you help me decide what to include in my privacy notice?

The GDPR sets out the information that you should supply and when individuals should be informed. The information you supply about the processing of personal data must be: concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.

What are the criteria for issuing monetary penalties?

There are certain criteria that the ICO will assess before imposing a fine, such as: the number of people affected, any damage to the data subjects, the negligent or intentional nature of the infringement and action taken by the data controller to mitigate the damage. However, the GDPR has introduced some new criteria, such as:

  1. The controller’s adherence to codes of conduct and approved certification mechanisms.

  2. The extent to which the data controller notified the supervisory authority of the infringement and co-operated with it.

As well as fines, the ICO has other mechanisms to change the behaviour of organisations such as warnings, reprimands or corrective orders.

Hope this helps – feel free to call us anytime.