There has been a lot of media hype about the General Data Protection Regulation (GDPR) recently, including stories abound about huge fines for non-compliance and onerous obligations for organisations.

For small businesses, getting to grips with the GDPR can be a big challenge, but there are several steps they can take towards getting ready for the new legislation.

What is the GDPR?

The GDPR is a new piece of European legislation that brings existing UK legislation (the Data Protection Act) in line with new technological developments.

While a lot of the requirements build on existing law, it does introduce some significant changes that pubs should already be thinking about and must act upon. This includes higher fines for non-compliance (of up to £17m), new obligations to notify the regulator of a data breach and strengthened rights for individuals giving them greater control over their personal data.

The GDPR comes into force on 25 May 2018, so businesses need to act quickly to be ready in time.

What do businesses need to do?

The Information Commissioner has published some useful guidance on the steps that businesses should take. This includes a twelve-step check list and a toolkit for small businesses, which can be found of

In particular, companies should think about:

Data mapping

Businesses need to understand what personal data they are collecting, how it is being used, where it is stored and how it is shared. This includes information about employees, contractors and customers. The GDPR requires organisations to keep a central record of all their data processing activities, so this data map will help form the basis of your data record.

It is also necessary to analyse all the purposes for which the business is using personal data and to understand the legal basis it is relying on to use the data for that purpose, of which there are six under the GDPR. One is consent – but individuals can withdraw their consent at any time and there is a higher standard to obtain valid consent under the GDPR.

Another legal basis is where you have a legal obligation to process personal data, which is often the case with employee data. Others include where it is necessary to form a contract with the individual to process personal data, and where it is in the company’s legitimate interest to process personal data and those interests aren't outweighed by the rights of the individual.

Privacy notices

Businesses must prepare a privacy notice that explains how they use personal data. This must comply with all of the requirements for transparency under the GDPR and be provided to all individuals whose data is processed. A privacy notice could be included on the organisation's website, or in documentation that is provided in hard copy to individuals.

Individuals' rights

The GDPR introduces a number of new rights for individuals. In addition, existing rights to access one's personal data remain in place. Businesses should put in place documented procedures for dealing with data subject access requests and make sure that employees are aware of the new legal rights and who to contact to escalate these requests.

Businesses should also put in place processes that enable data to be deleted or data processing to be restricted in certain circumstances. It might also be necessary to provide a copy of data back to individuals in an electronic format so that they can re-use it elsewhere.

Policies and procedures

The GDPR requires organisations to be able to demonstrate how they ensure compliance with the new law. Businesses must have documented policies and procedures in place that explain their obligations under the law and what steps they take to comply with this on an ongoing basis. Any existing policies and procedures must be reviewed and updated.

Data protection policies and procedures should be rolled out to all staff and should be readily available so that everybody can quickly and easily find out what they should be doing in their jobs with regards to personal data.

Data breach management

If a serious data breach occurs, the business must notify the Information Commissioner within 72 hours of becoming aware of the breach. It is important therefore that all employees can recognise a breach and escalate it quickly. For example, a breach could mean sending an email to the wrong person with personal data attached, losing a physical file or a cyberattack.

It is also necessary to notify the individuals affected without undue delay. A log of all breaches must be maintained, regardless of whether any notification had to be made.

Privacy governance structure

Some organisations must appoint a data protection officer (DPO) if they are processing a large amount of sensitive data, criminal conviction data or carrying out monitoring activities as part of their core business. While pubs are unlikely to be caught by this requirement, they should designate somebody who has overall responsibility for data protection compliance within the business.

Impact assessments and privacy by design

Another new requirement is an obligation to ensure that privacy considerations are embedded into processes and procedures from the outset. For any high risk data project, a data protection impact assessment must be carried out and organisations must be able to show that they have embedded privacy as the default position. Businesses must train their staff to think about privacy first, and to document how privacy considerations have been accounted for with any significant data project. Where the processing is high risk because of the potential impact on individuals, then a full data protection impact assessment must be documented.


Underpinning all of these new requirements is an obligation for businesses to ensure that their employees know what to do when they are handling personal data. As such, making training easy to access and easy to understand is vital to ensuring compliance with the GDPR.

This article was first published by the British Institute of Innkeeping.