GDPR Compliance For Small Business - A 28 step checklist



INTRODUCTION TO GDPR

The aim of this article is to help small businesses, and your industry, to understand GDPR.

There will be significant changes to the way we behave and do business.

By the 25th May 2018 you’re supposed to be compliant. People are asking if there’s some grace period. The Information Commissioner's Office (ICO) has said, "There will be no grace period", because the EU's view is that “you’ve all had long enough”.

Much of this is a refined version of the 1988 Act and the 1986 data protection laws we had in the UK.

What’s different is that people didn’t really know about it (despite the breaches at Equifax and TalkTalk and the fines that followed). People have thought ‘this doesn’t really affect me’.

The EU is building on existing legislation primarily because of the digital world we live in and the risks to individuals, given the data organisations are holding on them.

They want to minimise the chance of data being unfairly disclosed.

Note: if you hold and process data (information on any living, identifiable human being), you are what is now called a “Data Controller”.

Holding information on other corporations is not affected in the same way by GDPR and can be disregarded somewhat for the time being; GDPR is mostly about individuals' personal data.


GDPR and Brexit (Attention, please)

Since much of this is a refined version of the 1988 Act and the 1986 data protection laws we had in the UK, in practical terms GDPR will still apply post-Brexit. Furthermore, the EU’s position is that if you’re processing the data of individuals in the EU, even if you’re only marketing to them, you’ll need to comply with the EU's GDPR.


Do you need a data protection officer?

Every business is encouraged to have a data protection person who is in charge and takes responsibility for making sure the right systems are in place, for deciding whether an incident should be reported, and ultimately for reporting it.


Here is our 28 step action plan to get prepared for GDPR (The EU General Data Protection Regulation).

  1. Create a data protection compliance folder on your company file system. This will form the basis of your proof of compliance.
    Every step you take towards GDPR compliance should be documented to be used in your defence if necessary.

  2. Keep notes of internal meetings on GDPR, and decisions made on GDPR
  3. Name a data protection officer
  4. Map your data, i.e. establish what data your business collects and where (fill in this questionnaire for a quick way forwards here)
  5. Separate the data into categories
  6. Identify the lawful basis for processing each category of data
  7. Refresh consent where necessary (and consult with 3rd party data processors like Mailchimp to ensure they have established compliance too!) - BE CAREFUL, as how you do this could itself break the law (e.g. Honda and Flybe fell foul of the law here)
  8. Implement a policy to identify and handle any data subject access requests
  9. Implement a policy to identify and handle any data erasure or corrections requests
  10. Create a document of non-compliance issues, to show awareness of compliance omissions and to plan towards total compliance or at least thorough risk mitigation.
  11. Create a password policy for all users (staff, website etc)
  12. Contact your entire database (marketing or otherwise) before the 25th May 2018 (NOT AFTER) to ask them to opt in to the various types of communication you plan on sending.
    The simple test here is: would someone expect to receive an email about X from you?
    For example, a member of a swimming pool would expect to receive updates on opening times (so that's still fine), but do not send them information about new swimsuits in your shop unless they've explicitly said they want that.
  13. Keep a record of consents for those who have already opted-in, and those who are still to do so.
  14. Create a retention schedule for data. When the data has reached the end of its retention period destroy it in accordance with a data destruction policy (minimise the data you hold)
  15. Train your staff so they ALL understand what constitutes personal data (bonus points for practising case scenarios with your team and for putting together a Staff GDPR Awareness Status Report to note down who has participated in which training)
  16. Train your staff to identify a breach (plus how to avoid email scams)
  17. Have a breach response policy
  18. Create a data breach log to record events such as "Stacey emailed the client list to Tim Smith in the finance team not Tom Smith in the sales team".
  19. Ensure your website is HTTPS (security by design)
  20. Ensure your office computers are encrypted (security by design). On a Mac, go to Settings > Security & Privacy > FileVault to do this.
  21. Review and document the physical security of data (USB disks, paper filing systems behind lock and key etc)
  22. Securely lock away any personal data
  23. Create an asset register of the serial numbers of all your computers regardless of contents - you may need to prove to the ICO that a stolen computer could not have had any personal data on it
  24. Consider which individuals should have access to the data on each device
  25. Update your website's privacy policy (to include the identity of the controller, the purpose of the processing and its legal basis, the legitimate interest, any recipients or categories of recipients of the personal data, the right to withdraw consent at any time, and the data retention period)
  26. You may also want to get specific and mention which cookies are on your website, and give users the option to opt out. This is HUGE, as it means you'll need to gain opt-in consent before providing a user with a Google Analytics tracking script. You can view the ICO's cookie policy, and you may want to use the Cookie Control tool by Civic UK, which we are using on our website too.
  27. Have an extra pair of eyes look through what you’ve done, both technical and legal, in case there are some simple further steps which you need to take before you’re fully compliant. Our legal partners are LexSolutions.
  28. If you process data within the UK, consider registering with the ICO (starting at a £55 annual fee, plus £20 if you're in the direct marketing industry)
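Item 26 above says the Google Analytics script must not reach the visitor's browser until they have opted in. The following is an added example, not code from the original article, from 3B Digital or from Civic UK's Cookie Control: a minimal opt-in gate in JavaScript, where the cookie name `analytics_consent`, the 180-day consent lifetime and the GA measurement ID are assumed placeholders.

```javascript
// Added example (not from the original article): opt-in gate for a third-party
// analytics script, as item 26 requires. Cookie name and GA ID are placeholders.
const CONSENT_COOKIE = "analytics_consent"; // assumed cookie name
const GA_SRC = "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"; // placeholder ID
// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}
// Opt-in semantics: anything other than an explicit "yes" means no consent,
// including a missing cookie (consent cannot be assumed from silence).
function hasAnalyticsConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === "yes";
}
// Cookie string recording the visitor's choice; the 180-day lifetime is an
// assumption, align it with your retention schedule (item 14).
function consentCookie(choice) {
  const value = choice === "yes" ? "yes" : "no";
  return `${CONSENT_COOKIE}=${value}; Max-Age=${180 * 24 * 3600}; Path=/; SameSite=Lax; Secure`;
}
// Inject the analytics <script> only when consent exists; returns whether it
// was injected. `doc` is a parameter so the logic also runs outside a browser.
function loadAnalyticsIfConsented(doc, cookieString) {
  if (!hasAnalyticsConsent(cookieString)) return false;
  if (doc.querySelector(`script[src="${GA_SRC}"]`)) return false; // already loaded
  const s = doc.createElement("script");
  s.async = true;
  s.src = GA_SRC;
  doc.head.appendChild(s);
  return true;
}
// Constructed stand-in for `document` so the gate can be exercised under Node.
function fakeDocument() {
  const scripts = [];
  return {
    scripts,
    createElement: (tag) => ({ tag }),
    head: { appendChild: (el) => scripts.push(el) },
    querySelector: (sel) => scripts.find((el) => sel.includes(el.src)) || null,
  };
}
if (typeof document !== "undefined") loadAnalyticsIfConsented(document, document.cookie);
```

Wire `consentCookie("yes")` or `consentCookie("no")` to the banner's buttons and call `loadAnalyticsIfConsented(document, document.cookie)` afterwards; with no cookie at all, nothing is loaded.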


Download our simple GDPR Compliance Checklist PDF here.

We also made a Google Doc version of our GDPR Checklist here.


by Alex Denne, 3B Digital blog, May 2018

