SME survival guide: Would my business pass a GDPR inspection?

Managing Director

Fav thing about the office

Good banter

As a child I wanted to be a ... when I grew up


Guilty Pleasure(s)

Strictly come dancing

Favourite Holiday


If I had a superpower it would be...

Mind Reading

Describe yourself in three words or less

Methodical, Energetic, Reliable

An interesting fact about me

Started “Work” life as an opera singer


Horse riding, fillet steak and a good curry

Favourite Band

…into Classical Music

Karaoke Jam

Desperado- The Eagles

What I do at Q2Q:

My role is to provide the overall direction and “eye on the compass” as to where we, as a team, are heading.

I’m still very much focused on the customer and will often get involved in customer solution discussions. As a techie at heart, I’m regularly seeking to understand industry developments and directional changes that may affect our customers, so we and our customers can remain on the front foot.

Background and Achievements

I started out in an I.T technical department of what was then British Rail, following which I joined a large construction company to re-organise their I.T infrastructure.

I then spent a couple of years as a business systems analyst at P&O Nedlloyd designing, developing and implementing systems within their Bulk and Tank Carrier companies.

In 1999 I was appointed as I.T Manager of SockShop and subsequently as of Head of I.T. at the Tulchan Group, comprising then of 300 stores. Due to a Year 2000 compliance issue, we were required to seek an alternative system, which we were able to more cost effectively write ourselves. This product subsequently became known as RAWHIDE and we later sold this product into a number of other businesses. At the time it was quite cutting edge as all the warehouse function was undertaken using handheld, wireless scanners, rather than the batch scanners that were dominant at the time.

In 2003 The Tulchan Group was acquired by Harris Watson. We were then asked to take responsibility for the I.T. of Viyella Ladies wear and in 2004 the demands of two MD’s and two FD’s (Tulchan Group + Viyella), resulted in the sensible decision to break out of the group and Q2Q was born. This then enabled us to also get involved with a number of other group companies (Harris Watson owned companies) as well as other non-group parties.  At one stage we were managing the I.T for almost 500 stores across a number of businesses.

Today Q2Q retains some of the group customers that we acquired along the way, as well as a substantial number of new and diverse customers in almost all industries including accounting, business development organisations, legal marketing, medical, retail and wholesale.

Hobbies and Interests

Horse riding, running (Jogging), motorbikes, reading any of the Detective Rebus stories.

It’s almost been a year since the implementation of GDPR, but the legislation’s importance hasn’t depreciated at all. In fact, ongoing compliance is more significant than ever – especially given the recent political turbulence surrounding Brexit negotiations.

Yet, despite the new data protection guidelines having been introduced last year, it’s been reported that 38% of firms haven’t even heard of GDPR. So, it came as no surprise at this month’s Data Protection Practitioners’ Conference when the UK’s information commissioner, Elizabeth Denham, announced UK businesses are coming in below par when it comes to GDPR accountability.

At the event, Elizabeth revealed: “the next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all business processes.”

And, this is the inspiration behind our latest blog. We want to help companies identify whether or not they would pass an official ICO audit with ‘high assurance’, as well as flag the questions they need to ask themselves, when it comes to the storage and processing of personal data.

How does the audit process work?

To better gauge where your SME stands on the GDPR-best-practice scale, you can put in an inspection request – lasting two to three days – to the ICO. This investigation can cover a plethora of areas – spanning data collection, staff training, Freedom of Information rights and overall compliance.

In essence, the intention of a review is to ascertain whether your company has implemented processes and policies which regulate and protect the personal data you handle – and, of course, whether said measures are both adequate and adhere to the EU’s regulatory framework.

What are the benefits for SMEs?

As well the peace of mind that comes with knowing exactly where you stand with GDPR compliance, an audit also helps to raise general awareness of data and cyber-security. Additionally, it’s an opportunity to have any potential weak areas highlighted, and receive practical advice and recommendations on how to remedy them.

Once the assessment has been carried out, your SME will be issued with a report – rating each area of the audit against the assurance scale – that provides you with a clear indication of where your organisation ranks green, amber or red, against the assessor’s checklist.

Ok, so would my company pass an inspection?

As mentioned above, there are many things to cover during a data check-up – nine, in fact – so, unfortunately, a quick “yes” or “no” answer is not an option. But, knowing the different sections under review can help you see whether you measure up. The nine units include:

Governance and accountability – covering areas such as policies and procedures, measures and KPIs, and risk registers

Training and awareness – encompassing role-based learning, refresher courses and overall staff awareness

Records management – comprising data collection, retention and disposal, plus maintenance of records

Security of personal data – including organisational structure, data access control, physical security, incident management and compliance

Subject access and data portability – exploring Subject Access Request logs, monitoring and exemptions

Data sharing – looking at ownership and authorisation of data and information sharing protocols

Information risk assessment and management – targeting initiate protocols, consultation processes and reporting

Direct marketing – focusing on data consent, screening, opt-in/opt-out messaging, records management and overall marketing methods

Freedom of Information requests – concentrating on information logs, a review of complaints and partnership agreements.

In reality, this is just a flavour of the areas covered during a data review – with a more comprehensive list available in the ICO’s audit guide. And, while this at first may seem a little overwhelming, when it comes to the data-processing side of things, remember that GDPR can be examined by six core principles.

Therefore, you just need to ask yourself whether the information your SME collects and stores is:

Processed lawfully, fairly and transparently

Collected for a specific purpose

Limited to only relevant processing

Accurate and kept up to date

Retained for no longer than necessary

Protected with adequate security measures.

So, to answer the question as to whether your firm would pass an audit, this would completely depend on whether you a) answered “yes” to the aforementioned six principles and b) whether the policies you have in place are fully compliant against the audit criteria.

The only real way to be sure you’re on the right GDPR track is to request an audit or advisory visit – but, remember, you can also take a look at your firm’s current operations and conduct a self-assessment to assess compliance with data protection law.

Also, if you’re wondering what Brexit means for GDPR, we’re on-hand to offer some insight!

For more GDPR-related advice, feel free to contact our friendly team of IT experts. 


Would my business pass a GDPR inspection Would my business pass a GDPR inspection