The General Data Protection Regulation (GDPR) came into force on the 25th May 2018, and it is fair to say that some SMEs are a little confused about what it means for them. What is certain is that it must be complied with: an EU regulation applies without exception.
Whilst it is arguable that a well-run company with proper data protection procedures will have little to worry about, all organisations will need to review their data protection procedures to make sure that they can demonstrate compliance.
The GDPR sets out specific obligations and requirements for data controllers and data processors, and you will need to have processes in place to cover these obligations.
Additionally, you can no longer assume that sensitive personal data of any type can be held without the knowledge and specific approval of the relevant individual, and therefore explicit consent may need to be obtained. Everyone now also has the “Right to Be Forgotten”, although you must be aware that there may be a legal requirement to retain critical information to meet your compliance obligations.