The Gibraltar Regulatory Authority (GRA), as the Information Commissioner, has published the seventh guidance note on the European Union’s General Data Protection Regulation (GDPR) and Gibraltar’s Data Protection Act 2004 (DPA).

"Being a small business doesn’t mean that you fall outside of the scope of the GDPR and the DPA. All companies, regardless of their size, have data protection obligations. However, the law is flexible and the standards that organisations implement should be proportionate to their data processing."

This guidance note is aimed at helping small to medium sized enterprises (SMEs) ensure GDPR-compliance and features a series of tools (i.e. ‘Personal Data Inventory Tool’, a ‘Readiness Assessment Checklist’, and a ‘Data Protection Policy Guide’) which have been designed to assist SMEs in particular, who may not have access to extensive planning and legal resources.

The guidance note is available on the data protection section of the GRA’s website - http://www.gra.gi/data-protection/general-data-protection-regulation

"Using this guide, along with our first GDPR Guidance Note namely “Getting Started” (IR03/16) will help SMEs implement data-protection compliant arrangements.

The GRA is the nominated authority responsible for the enforcement of data protection law in Gibraltar and carries out the functions assigned to it to uphold the rights of individuals and their privacy. As part of his efforts to promote data protection compliance and good practice, the Information Commissioner issues guidance notes aimed at helping organisations improve their data protection practices and comply with the law."