Share this content

GDPR compliance guidance for small practices

Can anyone recommend any resources / client has asked for confirmation

Didn't find your answer?

Can anyone recommend any specific resources/templates I could use to get GDPR compliant?

Also, a software client has asked for confirmation from me that my my practice will be compliant from May-18 onwards, which is apparently a necessity in their own GDPR compliance audit.

Are other small practitioners getting in specialists to do this, or effectively 'self certing' ? It would be my preference to deal and monitor it in-house.


(Sorry for my ignorance - prioritising 31 Jan at the mo :) )


Replies (4)

Please login or register to join the discussion.

Mark Lee 2017
By Mark Lee
07th Dec 2017 19:30

I am hearing this question more and more often - and not just during my talks on the subject for an ICAEW practice roadshow.

You ask 3 questions:
1 - There are no guides for small practitioners yet - partly because we await guidance from the Information Commissioner as regards how they will interpret and apply the rules.

I use the analogy of financial reporting standards pre the introduction of FRS 105. Previously FRS, like GDPR, were written for the big boys but they have to be applied by everyone. There is no equivalent to FRS 105 in GDPR hence the need for guidance which MAY help reduce some of the concerns as regards the impact on small and micro businesses.

In the meantime ICAEW publishes generic guidance and an essential guide that summarises key issues (for all businesses) at

Anyone promising you they have a guide for small practices is taken a big punt as to the content of the official generic guidance which was due out last month - but is still awaited. Maybe it's being held back so that it can be dressed up as a Christmas pressie?

2 To be GDPR compliant the law requires that we will all need to obtain confirmation that those with whom we share personal data are themselves GDPR compliant.

Whether we will need to ask each organisation (as your software client is doing) or if the main users of data will pro-actively confirm their compliance is not yet clear.

Just think about all those organisations to whom you have provided access to the personal data of staff, ex-staff, clients, prospects, ex-clients etc. Your list could include your cloud accounting software provider, tax software provider, CRM provider, email campaign provider, evernote, dropbox, google, amazon and so on.

3 - I tend to work exclusively with sole practitioners and I will be providing advice to those I know on this topic (in due course) in my normal style, without the hype or hysterical dire warnings of 3rd party 'experts'. Until now it has been, "let's await the guidance".

I very much doubt you would secure much valuable benefit from paying a 3rd party to review your practice and advise you what to do on this topic. So yes, I am expecting to confirm that self-certification will suffice.

Mark Lee

Thanks (1)
By jimmyxyz
07th Dec 2017 19:36

Sorry, messed up a reply. Ignore!

Thanks (0)
By Matrix
08th Dec 2017 09:05

Does that mean that we will each have to obtain confirmation from HMRC that they are GDPR compliant since we share personal data with them?

Thanks (0)
Replying to Matrix:
By Mr_awol
08th Dec 2017 09:55

Matrix wrote:

Does that mean that we will each have to obtain confirmation from HMRC that they are GDPR compliant since we share personal data with them?

And will we believe their response?

Thanks (0)
Share this content

Related posts