GDPR Preparation For Small Organisations

5th April 2018 - Emma Kendal

With the 25th May 2018 deadline for GDPR fast approaching the reality of GDPR preparation for small organisations is starting to become clear. However, despite all the scary headlines, ensuring GDPR compliance isn’t that terrifying or difficult.

In this blog, we dispel many of the urban myths surrounding GDPR and outline what you might still need to do to make sure you’re being lawful come May 25th.

What is GDPR?

GDPR will soon replace the current Data Protection legislation and will affect any organisation who processes personal information about a living identifiable person. To clarify, personal data means that you could conceivably identify that person from that data. Examples include a photo featuring their face, their name along with another identifiable piece of data (such as a phone number), email addresses, etc. It doesn’t affect data about companies or organisations or anonymised data.

GDPR states that any personal data collected by an organisation should be collected and processed fairly and securely. What that fairly and securely means is defined in the new guidelines but around 75% of the current Data Protection law will still be in place when GDPR comes into play. Good news then because GDPR doesn’t mean changing all of your current practises to accommodate the new GDPR rules. Basic precautions like asking permission to send newsletters to individuals and not sending them to people who have unsubscribed should already be things you’re doing.

What has changed?

Man adjustig his watch whilst working in an office

The key important changes for most organisations are as follows.

Specifically, you have to say how you will use that data, how you will store that data and how long you will store it for.

For example, lots of us might have a database of people we email a newsletter to. And lots of us might add every customer that buys a ticket to our events to that database, unless they opt out. That’s not allowed anymore. To again consent, the customer has to opt in. So, no pre-ticked checkboxes and no assumed consent unless they opt out.

Oh and point 1 applies, so when gaining consent you need to say how you’ll use their data, where you’ll keep it and for how long.

This is probably the change that most people are concerned about but you don’t necessarily need to have consent to process someone’s data. We’ll explain further down.

Which we should be doing anyway, but now if you have a data breach you might have to explain why you’ve been keeping that attendance register from an event in 2004.

Key difference being easy, if somebody asked you to stop calling them you need to make sure you have a process so that the request is processed.

Who needs to know about GDPR?

GDPR will apply to anybody in your organisation that processes and stores personal data. That’s probably everyone. From the receptionist making a note of the name and contact details of someone wanting a meeting, to a freelancer taking a register of everyone attending an event to a HR person handling a sick note.

The crucial thing to note before panicking is that GDPR doesn’t prevent any of the above from happening. Despite what you might have heard, these are fairly sensible guidelines and odds are what you’re doing now to handle this kind of data is fine.

Decision makers and workers alike will need to be aware of this new legislation and how it affects the work they do. Internal and external staff, associates, freelancers and volunteers working with you will all need to be aware that changes may need to be made to their practice in regards to data protection.  It is often a good idea to prepare people ahead of changes so they are less likely to be surprised by them and it’s also important to communicate the reasons for doing so.  It is a lot easier for people to make changes if they understand the reasons behind them. It is highly unlikely that a small organisation will have existing resources to devote to allow for a new role to solely handle data protection issues. Many organisations will have to split these responsibilities between staff members or handle them in addition to their usual role. It may not seem ideal but the reality is many of us are in the same boat, and after the transition to GDPR has been completed the workload should diminish substantially

What should you do to prepare?

The first step in moving forward with GDPR is to be fully aware of the types of information your organisation gathers and processes – or an ‘Information Audit’ to use its more official term.

Look at the types of information you hold, how it is collected and where it is stored.  Organisations will inevitably hold personal data in some form such as; HR and staff records, details of customers or service users, contracts with individuals.  It is a good idea to look at each type of information on its own instead of as a whole as some may need to be dealt with in very different ways.

Look at the types of data your organisation holds

Look at where your organisation holds this information

Do you have a right for processing this information?

How do your current policies and procedures fit with any new GDPR requirements?

Who will be taking a lead on GDPR within your organisation?

Is your organisation a Data Controller, Data Processor or both?

Once you have looked into the above you should have a pretty good idea about the flows of personal information in and out of your organisation and be able to see if there is anything you need to alter to fit in with GDPR. We should all have procedures for how we collect and store information so it should be a case of amending the existing rather than reinventing the wheel.

In addition to your information audit there are a few other aspects you should look into.

What is your lawful basis for processing data? Processing covers aspects like; holding, amending, storing, sharing, transferring, and even destroying data. One of the following six reasons must apply for you to have a lawful basis for processing;

All data should be processed fairly and lawfully and you must decide which of the six reasons best fits as more than one may apply – you should always rely on what best fits the processing need and not what would be easiest.  You should detail your reasons for processing on your privacy policy.

Do you have a privacy statement? If so where is it and how can people access it?  It’s a good idea to think about the clarity of your statement and make sure that everything is outlined in a way that everyone can understand.  A privacy statement should include details about what information you collect and the reasons you have for collecting and processing this data.  Most organisations will need to amend their existing privacy document in some way to accommodate the new GDPR legislation.

Do you currently or are you planning on working with children? GDPR states that consent from a parent or guardian must be sought for children under 16, although in the UK this age limit may be reduced to 13.  You may need to think about how to verify the ages of individuals and implement a procedure for ensuring consent is given from someone who is allowed to do so for a child.  If you do work with children, the language used in your privacy statement should also be written in a way that can be understood by them.

Think about how you gather and record peoples consent for collecting and processing their data. Do you have a way for people to sign up for a newsletter?  You may need to make changes to the ways in which people can consent, as consent must be freely given, specific and easily withdrawn.  It is no longer possible to use pre-ticked boxes as people must positively opt in to give their consent.  The ICO offers further guidance on the topic of consent including a checklist to help you review how you collect and record the consent of individuals.

If after this you are still left with a hard GDPR lump in your throat, we would strongly suggest visiting the Information Commissioners Office website.  Not only do they have a wealth of information about GDPR and checklists, they also have an online chat facility and helpline where they are able to answer questions and offer advice directly.  This allows you to speak with people to ask about GDPR in the context of your own organisation instead of trying to translate the existing publications into something suitable for smaller organisations. Help is available so don’t feel like you are on your own.  Many organisations are in the same position especially smaller organisations so this is something we are all working towards.

The prospect of GDPR can be scary, especially for smaller organisations who may not feel they have the resources available to devote to work on Data Protection. Hopefully, this information helps you to be able to draw up a plan of your next steps ahead of the 25th May deadline.  More than anything, try and see this as an opportunity for your organisation to streamline your current policies and procedures to ensure personal information about the people they work with is kept safe and secure.

If you work for a small arts organisation and would like more bespoke advice relating to preparing for GDPR, please get in touch at

Related Articles

13th February 2019

IVE launches new workshop: How to Build a Creative Business

IVE launches new workshop: How to Build a Creative Business, at one of our key venues in Leeds. IVE is building a creative nation,…

Read More
4th January 2019

2018 was a Fantastic Year for IVE

After re-branding in 2017 with the help of brand agency Narrative Communications, 2018 has been the year that we really got stuck into the…

Read More
17th December 2018

What Does Quality Need? More Time To Think.

As we come to the end of 2018, I’ve been ruminating on the joys of spending another year focusing on quality through IVE’s Getting…

Read More
Sign up to our newsletter