Is getting ready to comply with the GDPR at the top of your to-do list? With the implementation date just around the corner, it is time to consider how your business will be impacted and what you need to do to be ready. We’ve compiled a checklist that small businesses can use to plan their course of action.
Understand Personal Data Within your Business
Before anything else, you must be able to understand types of personal data your business is handling (i.e. name, email, address, bank details, etc) and what can be considered as sensitive data (i.e. health information, religious views, etc). You also should know where the data comes from, where it is stored and how it is used.
Develop a Consent Policy
Do you require consent to process personal data? Under the GDPR, consent needs to be explicit, clear and specific, which can make some activities (such as marketing) more difficult. Understand where you need to acquire consent.
Make your Security Policies GDPR-compliant
Spend some time reviewing and updating your security measures and policies – if you don’t have any, get some in place. Using encryption is generally recommended and can avoid your business hefty fines in the event of a data breach.
Prepare for Access Requests
Under the GDPR, all citizens will have the right to access their personal data, rectify inaccurate data, object to their data being processed or even completely erase any of their personal data you hold. You will need to be able to process such requests within the required timeframe.
Create Fair Processing Notices
Under the GDPR, you will be required to use fair processing notices to clearly describe to individuals what you are doing with their personal data. You should include why you are holding the data, who you may be sending the data to (i.e. employee, customer, supplier, etc) and how long you’ll be holding the data for.
Train Your Employees
Everybody in the business should understand what constitutes a personal data breach and how to pick up the signals. All employees should be made aware of the need to report any mistakes or breach to the person responsible for data protection (i.e. the DPO) within 72 hours.
Conduct Due-Diligence on your Supply Chain
To avoid being impacted by any data breaches (and consequent penalties), make sure that all suppliers and contractors are GDPR-compliant. You’ll also need to make sure that you have the right supplier and contractor contract terms in place.
Do you Need to Employ a Data Protection Officer (DPO)?
Unless your business is processing large volumes of personal data, your small business may not need to employ a full-time DPO. However, it is recommended to appoint someone responsible for data protection within the business. Or use a virtual or outsourced option.
Even if you do not hire a full-time DPO, getting all processes and documents in place to be GDPR-compliant can be a lot to take in for small business owners. We can help you assess areas of risks and get prepared to comply with the GDPR. Don’t hesitate to get in touch if this is something you’d like to discuss!