Not Just for Large Multinationals: U.K. Information Commissioner’s Office and Article 29 Working Party Issue GDPR Guidance for Small Businesses
Smaller companies take note – the U.K. Information Commissioner’s Office (ICO) and the Article 29 Working Party have highlighted that all companies must comply with the General Data Protection Regulation (GDPR) regardless of size, and recently issued special guidance for smaller businesses. The GDPR, a law that places new obligations on organizations that collect and process data about European residents, comes into effect May 25, 2018.
In a recently published set of FAQs, the ICO addresses key issues raised by the GDPR in the context of small businesses, including criteria for imposition of monetary sanctions; security; determining whether your organization is a processor or controller under the terms of the GDPR; rules for data subject access requests; and when consent to process data is required. Importantly, the FAQs also provide a link to a dedicated advice line for small organizations.
The FAQs are but one of many resources the ICO is issuing in anticipation of the GDPR’s May 25th compliance deadline. The FAQs link to documents, checklists and statements of advice from the Commissioner and her staff for businesses of all sizes. These materials can help companies determine whether the GDPR applies to them, what the regulation requires, where gaps or deficiencies may exist in their internal systems, and what steps they need to take to address them.
The European Commission’s Article 29 Working Party, an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission, has also weighed in with guidance for businesses, some of it directed specifically to SMEs. The guidance ranges from the most basic questions – “What does the GDPR govern?” “What is personal data?” “What constitutes data processing?” – to issues related to privacy-by-design and determining whether your organization needs to appoint a data protection officer.
The guidance issued by these two bodies emphasizes that GDPR compliance is the responsibility of companies of all sizes that collect and process data about European residents. In these last days before the compliance deadline, small and medium-sized companies that do business in the EU are well advised to review the extensive guidance offered by these authorities.
Achieved Compliance – helping you navigate the complex world of data compliance.
Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.
For more information as to how we can help your organization be GDPR compliant, please contact email@example.com.