Three things small businesses get wrong about GDPR

Hannah Tankard, Programme Manager - Response and Recovery, BERG, in collaboration with Wendy Lamin, Product Manager, Trustify, outline three misconceptions that small businesses commonly have about the General Data Protection Regulation (GDPR).

Business in the Community (BITC) is raising awareness around the need for small businesses to implement better cyber security. This includes protecting your business’ critical data, in particular the sensitive information belonging to your customers, employees and suppliers. Although protecting privacy should always have been a business’ priority, it came to the fore in May 2018 with the introduction of the GDPR.

BITC’s recent report, “Would you be ready for a cyber attack?”, showed that in the 12 months preceding November 2018 the most common reason (44%) for small businesses implementing any form of cyber security measures was the introduction of GDPR.

Here are three common misconceptions that all small businesses should be aware of:

1. GDPR doesn’t help with consumer rights.

Hiscox found that one in ten SMEs (small and medium-sized enterprises) did not think GDPR gives consumers any new rights, and nine in ten did not know the main new rights. 96% of small business owners also do not know the maximum fine for breaching GDPR.[1] It is important to be aware that everyone has a right to have their personal data secured. Customers, employees and suppliers entrust businesses with confidential information, and it is the business’s responsibility to ensure that it is not leaked online. GDPR makes this obligation enforceable.

2. I don’t need to worry about GDPR fines, there haven’t been any.

While 2018 was the year of GDPR implementation, 2019 will be the year of enforcement. Indeed, in the UK, 8,000 GDPR data breach reports have already been filed since GDPR came into effect, and whistle-blower reports on company data breaches almost tripled. That being said, “the ICO [Information Commissioner’s Office] largely takes a collaborative approach to enforcement. They will look to engage with companies rather than issue them with punishments straight away. Companies who have shown awareness and taken steps to comply with GDPR are likely to be treated better than those who haven't done any work around it.”[2]

3. Surely GDPR will not apply after 29th March 2019?

The potential post-Brexit situation is complex, so just remember that GDPR-style privacy protection rules are here to stay. Read the ICO’s blog on Brexit for more detailed information.

If you demonstrate that you are GDPR compliant, you could be seen as trustworthy and may have a competitive advantage over your peers when it comes to business tenders and winning new consumers. Plus, you could save yourself GDPR non-compliance fines, a minimum of €10 million or 2% of annual turnover. A responsible business is a resilient business, and GDPR compliance is a great way to demonstrate this. What’s more, the steps you take to be compliant with GDPR should mean overall greater cyber security for your business. It is a win-win all round.

1. Available at
2. Source: Wired. Available at