GDPR – It won’t happen to us

With deadline day nearly upon us on the 25th May, we still hear many small firms telling us that they haven’t heard about the new regulations or that they do not think it will affect them as they are too small to be on the Information Commissioner’s Office (ICO)’s radar. This sentiment is supported by a recent survey (Feb' 18) from the Federation of Small Businesses who found that a third of sole traders and micro-businesses have not yet started preparations for GDPR, while 18% of those small businesses surveyed haven’t heard of the regulation at all.

While the ICO may not be knocking on small businesses' doors from the 25th May, one thing is for sure, and that is that the knowledge of the consumer is increasing all of the time and this is where small firms may become stuck.

For the last 12-18 months, the ICO has been focusing all of their efforts on raising awareness for companies about GDPR and what is needed to implement the changes that are coming. A Freedom of Information Act from Insurance Age highlights that the ICO has increased their employee numbers by 21% in the last two years and one would think in readiness for the amount of work coming their way.

But, what we haven’t seen yet is the ICO’s attention turning to educating the consumer. Once the 25th May has passed, then there is every chance that the ICO will turn their focus on to informing the general public about the changes. This is where small businesses may start finding themselves in trouble; not necessarily from fines, but from their customers finally getting more 'savvy' about their own data, privacy and the regulation itself. The recent press coverage around Facebook data and Cambridge Analytica has brought data and privacy to the forefront of the public’s attention, and more and more people understand the value of their data and the risks involved in not understanding where that data is kept and how it is used.

If the ICO is not going to hurt your business in the short term, then please consider the impact of your customers on your bottom line. If your business has a data breach or begins to receive SARs, and you or your employees don’t know how to deal with them, then not only will you find yourself being tied up in knots trying to work it all out, but you could also begin to lose customers and potential customers who may rightly or wrongly believe that their data might be better placed with someone else.

Can you and your employees answer these two questions?

  1. What is our process should we receive a SAR from a customer?
  2. What is our process in the event of a data breach?

If not, then you do have some work to do. RWA has a free* GDPR online learning pathway that is available to all businesses. For more information, please email

*Free = free trial period. There is no commitment to continue with the service once the trial has expired and there is no limit on the number of employees who can access the trial.




Insurance Age


About the author

Tom has worked at RWA for over 12 years, starting as Operations Manager before taking on roles as Operations Director, CEO and most recently as Director leading the company into the digital age.

Before joining RWA, he was involved in helping develop the operations of one of Wales’ fastest growing utility consultancies as well as leading the Key Accounts team of a major commercial energy supplier.

Get RWA Insight In Your Inbox

Regular business news and commentary delivered direct to your inbox each week. Sign up here