Advice for small businesses to become compliant with GDPR
For many small businesses, especially sole-traders and Limited Liability Partnerships, it may only be necessary to produce and publish a clearly defined Data Protection Policy in order to be compliant.
However, merely declaring a policy will be deemed to be insufficient in the event of an investigation (which is only likely to happen following a data breach / compromise) unless there is hard evidence that adequate precautions were taken to implement the policy, including protecting all data that falls within the scope of GDPR – namely data that identifies a person either directly (full name, address, or photograph) or indirectly (IP address + Facebook handle and / or + characterisation of an individual).