How European data protection laws are changing – and what it means for SMEs


Strict new data protection laws come into play in 2018. SMEs need to be well prepared.

Greater scope and tougher fines: it’s a phrase that perfectly summarises the new General Data Protection Regulation (GDPR), coming into effect in May 2018.

The legislation is an EU initiative but will go ahead in the UK regardless of the outcome of Brexit. And it affects every business, large or small.


The current Data Protection Act came into effect in 2000 at a time when only large companies stored data.

Now, everyone does – whether it’s names, addresses, social security information, financial details or browsing histories – and much of it is stored online.

The changes to UK data protection laws aim to bring data protection up to scratch and in line with the huge technological advances of the last 20 years.


Principally, the new regulations revolve around the issue of consent. This concerns what data is stored and where. As of 25 May 2018:

  • Companies must keep a record of how and when an individual gives consent for personal data to be stored.
  • This consent cannot be passive (e.g. a pre-ticked box). There must be a clear audit trail, such as consent forms or screen grabs.
  • Individuals have the right to withdraw their consent at any time. Their details must then be permanently erased, giving them the ‘right to be forgotten’.
  • In the event of a data breach, companies must inform relevant authorities within 72 hours, with full details and proposals to mitigate the effects.

Companies failing to comply with these rules will face increased sanctions. UK firms could be fined up to €20 million (£17 million) or 4% of global turnover, whichever is greater [1]. The current maximum fine is £500,000. Fines are likely to be smaller for SMEs, but details have yet to be published.


A recent report from the Federation of Small Businesses (FSB) states that small businesses are more vulnerable to cyber attacks than larger firms. The report on cyber resilience says 66% of small businesses have been a victim of cybercrime [2]. Across 2014 and 2015, cybercrime cost small businesses around £5.26 billion [3].

SMEs need to know what data they already have and put systems in place to track what data comes in and exactly where it is stored (servers, the cloud, hard drives etc.).

Any new product or business process should be designed with the new data protection requirements in mind. The complex nature of GDPR means SMEs might consider hiring a legal expert to help them navigate the requirements.

Although the legislation is targeted more at larger firms than at those with fewer than 250 employees, even the smallest sole trader operating out of their home is covered by GDPR. If there’s commercial activity, then it’s included in the regulations.

Additionally, if a smaller company supplies a larger one, it needs to be fully aware of the extra data on clients or employees it has access to – and then take the necessary steps to protect it.

For UK SMEs, the picture has yet to become completely clear. As well as the GDPR, the government has proposed an overhaul of UK data protection laws [4]. Many aspects of the suggested changes are included in the GDPR, although some may differ. The situation is shifting.

One thing that is certain is that the stakes are about to be raised drastically. Businesses must get a handle on the data they have, whose it is, where it is stored and for how long they have it.

You can find a detailed overview of the GDPR legislation here.


[1] BBC. (2017). UK data protection laws to be overhauled.

[2] FSB. (2016). Cyber resilience: how to protect small firms in the digital economy, p. 3.

[3] FSB. (2016). Cyber resilience: how to protect small firms in the digital economy, p. 6.

[4] (2017). General Data Protection Regulation: Call for Views.