Small Steps Create Big Shifts
5 starter steps for GDPR in small organisations
Many smaller organisations know they “should be” GDPR‑compliant, but do not know where to start. This short guide gives you five practical, plain‑English steps to begin strengthening your compliance and reducing risk.
1. Map the personal data you hold
Before fixing anything, you need to know what you have and where it is.
List the main activities where you handle personal data (e.g. student or client onboarding, payroll, marketing emails, CCTV, website contact forms).
For each, note what data you collect, why you collect it, who you share it with and how long you keep it.
Keep this in a simple table or spreadsheet – it becomes the backbone of your “record of processing activities”.
2. Check your legal bases and notices
Once you know your main activities, sense‑check whether you have a clear legal basis and clear information for people.
For each activity, identify the legal basis (e.g. contract, legal obligation, legitimate interests, consent).
Make sure your privacy notice (on your website or as a standalone document) explains in plain language what you do with personal data, who you share it with, and people’s rights.
Remove any data collection questions on forms that you cannot justify against that legal basis.
3. Tidy up access and security
Basic security goes a long way in a small organisation.
Restrict access to personal data so that staff only see what they need for their role.
Use strong passwords, multifactor authentication where possible, and make sure devices are locked and encrypted.
Agree simple rules for sending personal data by email (e.g. double‑check addresses, use password‑protected attachments for sensitive information).
4. Set retention rules and delete old data
Keeping everything “just in case” increases risk and is hard to defend.
Decide, in broad terms, how long you need different types of records (e.g. client files, HR records, enquiries, CCTV).
Write this down as a short retention schedule and share it with relevant staff.
Start by deleting clearly unnecessary data – for example, old enquiries that never became clients, or duplicate copies of spreadsheets.
5. Prepare for incidents and questions
Even with good controls, things can still go wrong – and people may ask to see or delete their data.
Nominate a person (or small team) to act as the first point of contact for data protection issues.
Draft a simple “what we do if there’s a breach” checklist (who to tell, what to record, how to contain the issue).
Create basic procedures for responding to access or deletion requests within the legal time limits.
How to use this guide
You do not have to do everything at once. Pick one step, complete it to a reasonable standard, and then move to the next. Over time, these small, practical actions build a defensible GDPR framework that suits the size and reality of your organisation.