GDPR Checklist for Small Businesses

Is getting ready to comply with the GDPR at the top of your to-do list? With the implementation date just around the corner, it is time to consider how your business will be impacted and what you need to do to be ready. We’ve compiled a checklist that small businesses can use to plan their course of action.

Understand Personal Data Within your Business

Before anything else, you must understand the types of personal data your business handles (e.g. name, email, address, bank details) and which of it counts as sensitive data (e.g. health information, religious views). You should also know where the data comes from, where it is stored and how it is used.

Develop a Consent Policy

Do you rely on consent to process personal data? Under the GDPR, consent needs to be explicit, clear and specific, which can make some activities (such as marketing) more difficult. Identify where you need to acquire consent.

Make your Security Policies GDPR-compliant

Spend some time reviewing and updating your security measures and policies; if you don’t have any, get some in place. Using encryption is generally recommended and can save your business from hefty fines in the event of a data breach.

Prepare for Access Requests

Under the GDPR, all citizens will have the right to access their personal data, rectify inaccurate data, object to their data being processed or even completely erase any of their personal data you hold. You will need to be able to process such requests within the required timeframe.

Create Fair Processing Notices

Under the GDPR, you will be required to use fair processing notices to clearly describe to individuals what you are doing with their personal data. You should include why you are holding the data, who you may be sending the data to (e.g. employee, customer, supplier) and how long you’ll be holding the data for.

Train Your Employees

Everybody in the business should understand what constitutes a personal data breach and how to recognise the signs of one. All employees should be made aware of the need to report any mistakes or breaches to the person responsible for data protection (e.g. the DPO) within 72 hours.

Conduct Due Diligence on your Supply Chain

To avoid being impacted by any data breaches (and consequent penalties), make sure that all suppliers and contractors are GDPR-compliant. You’ll also need to make sure that you have the right supplier and contractor contract terms in place.

Do you Need to Employ a Data Protection Officer (DPO)?

Unless your business is processing large volumes of personal data, your small business may not need to employ a full-time DPO. However, it is recommended to appoint someone responsible for data protection within the business, or to use a virtual or outsourced option.

Even if you do not hire a full-time DPO, getting all processes and documents in place to be GDPR-compliant can be a lot to take in for small business owners. We can help you assess areas of risks and get prepared to comply with the GDPR. Don’t hesitate to get in touch if this is something you’d like to discuss!

3 things with regards to Document Management and GDPR

Document Management (DM) is about creating, storing and controlling documents, which has become increasingly important in light of the upcoming General Data Protection Regulation (GDPR). To comply with the GDPR, you need to look at how documents and data are currently managed within your company. Here are 3 key areas of Document Management that reflect best practice in line with GDPR compliance.

In the case of a ransomware attack, how easily could the malware access your company’s data, including staff records or customer bank details? Using a Document Management (DM) system means that all files are encrypted on entry and documents are held as images. Your data and documents are then in a much less vulnerable position, which minimises the risk in case of an attack. Encryption of data is an important aspect of being compliant with the GDPR and reflects best practice.

Role Based Access Control

One of the key criteria of the GDPR is to ensure that information and data are locked down, not only protected from the outside world but also within the company itself. Do you really need your Marketing Manager to have access to a customer’s direct debit, or a temp to be able to email or print documents? Staff should only have access to the information they need to do their job. With DM, rules can be put in place so that information access is restricted accordingly.

Retention Control

It is a business’s responsibility not only to ensure that paperwork is stored safely and securely, but also to make sure that it is stored for the appropriate period, in line with current legislation. For example, financial documents must be stored for up to 7 years, but CVs should be destroyed as soon as a position has been filled; there is no need to store someone’s personal information at this point. Effective DM can help maintain best practice across the business by storing personal data correctly and flagging any documents that have reached the correct time frame for deletion.

Darren Cairney, IT Manager of Document Data Group, commented, “When you compare a Windows file structure and associated permissions with a document management (DM) system, you can see how a DM is the next step in securing your business-critical data. Windows is by default open until closed, with most users unaware that their newly created ‘Shared Docs’ folder could allow all users read/write access. DM can be set up to allow no user any rights until granted; you can restrict what is searchable and even what can be seen on the document itself.”

According to David Reilly, Data Protection Officer at Create Ts and Cs, “Personal Data and how it is managed has become an even more important business issue because of GDPR. Treating personal data with respect and in line with legislation is a decision a company takes in order to manage the business risk. Deploying the right systems and the correct expertise will go a long way to helping your organisation manage personal data and comply with GDPR.”

Create Ts and Cs provide a bespoke set of Terms and Conditions for your business at a fixed price. This unique approach to individualising commercial Terms and Conditions allows start-up and SME-sized businesses the opportunity to protect themselves, manage risk and guard against future unnecessary disputes at an affordable price.