The Information Commissioner's Office (ICO) issued over £7 million in fines to UK businesses in 2024, with SMEs increasingly in scope. GDPR compliance is not just a large company problem.
Here is what Hertfordshire businesses need to have in place.
The GDPR basics every SME must cover
Data register (Record of Processing Activities)
You must document what personal data you collect, why you collect it (including the lawful basis), where you store it, who can access it, who you share it with, and how long you keep it. The formal Article 30 exemption for organisations under 250 employees is narrow (it does not apply where processing is more than occasional, could pose a risk to individuals, or involves special category or criminal offence data), so in practice almost every SME needs one. This does not need to be complex: a spreadsheet is sufficient to start.
Privacy policy
Your website must have a privacy policy that meets the UK GDPR transparency requirements: who you are, what data you collect, the purposes and lawful basis for each, who you share it with, how long you keep it, and the rights individuals have. A generic template written for the 2018 launch of GDPR, or one that does not reflect what you actually do with data today, is no longer sufficient.
Data processing agreements with suppliers
If a supplier processes customer data on your behalf (your CRM, email marketing platform, hosting provider, etc.), Article 28 requires a written Data Processing Agreement (DPA) setting out what they may do with it. Most reputable suppliers provide these automatically, often as part of their standard terms; you just need to check and accept them. Note that some suppliers, such as your accountant, usually act as a controller in their own right rather than as your processor, so the arrangement with them is different.
Subject access request process
Any individual can ask you what data you hold about them. You must respond within one month of receiving the request (extendable by up to two further months only for complex or multiple requests, and you must tell the individual within the first month if you are extending). Having a clear internal process for recognising a request, verifying identity, and locating the data prevents panicked scrambling when one arrives.
Breach notification procedure
If personal data is lost, stolen, or accidentally disclosed, you must notify the ICO within 72 hours of becoming aware of the breach where it is likely to result in a risk to individuals' rights and freedoms. Where the risk is high, you must also tell the affected individuals without undue delay. You must have a documented procedure for identifying, assessing, and reporting breaches, and you should keep a record of every breach, including those you decide do not need reporting.
Consent records for marketing
If you send marketing emails, you must be able to show either that recipients consented or that the PECR "soft opt-in" applies (existing customers who were offered a clear opt-out when their details were collected and in every message since). Bought lists and unclear consent from years ago create significant risk.
The most common ICO investigation triggers
Most SME investigations are triggered by: a data breach you reported, a complaint from a customer or former employee, or a routine audit of your sector.
The best protection is a documented, consistent approach to data protection, not perfection: the ICO treats evidence that you took reasonable steps as a significant mitigating factor.
We offer GDPR compliance assessments for Hertfordshire businesses. Contact us for a free initial review.