OUR 15 POINT GDPR CHECKLIST FOR SMALL BUSINESSES
Whether you are a client of ROI Designs or not, as a small business you probably already fulfil many of the requirements of the forthcoming General Data Protection Regulation (GDPR). It is most important that you cover your ar*e (CYA), as sticking your head in the sand and hoping that it will go away will not do you any good when you get fined.
The GDPR will replace the current Data Protection Act on the 25th May 2018, and the implementation of the new rules will not be affected by the UK leaving the EU, though some silly bureaucrats will probably spend a load of taxpayers' money renaming it.
We’ve created a 15 point checklist detailing the main principles and steps that your company should be considering in the lead-up to the introduction of GDPR. It is only a guide, and if in doubt we suggest that you contact an expert in the field.
GDPR is likely to apply to your business if you process personal data or special categories of personal data, as a data controller or a data processor.
Do an internal audit to determine what data you have – this includes how it comes into your business, how you process it, and also where the data is sent.
Train and inform your employees on the impact of GDPR and how it will affect the running of your business.
Familiarise yourselves with the 8 rights that individuals have under the GDPR and ensure that your policies and procedures can deliver these rights.
Ensure that all your data security, handling and processing arrangements are set out in policies or procedures and make sure that they are regularly reviewed and updated.
Make sure you complete a data protection impact assessment. This will help you determine how you can comply with your obligations under the GDPR, and is particularly relevant for large-scale or high-risk data processing.
It is important to ensure that your systems store personal data properly and securely.
Ensure that data is securely deleted and unnecessary data is removed to minimise the risk of data corruption or loss.
REQUESTS FOR INFO
Make sure you have prepared a plan or policy for handling subject access requests and requests for additional information under the GDPR, and make sure your team is aware of it.
Prepare a security framework and an emergency plan for a breach of security, outlining clearly how personal data is to be handled or secured and what employees should do.
Update and review your privacy policies for your customers, suppliers and third party data processors.
In preparation for GDPR, review your data consent processes. Consent under GDPR must be: freely given, specific, informed and unambiguous. People must make a positive opt-in and you must provide a simple way for people to withdraw their consent.
Do a Data Protection Impact Assessment on all new projects, or where you are using new technologies, where processing is likely to result in a higher level of risk.
We recommend that you appoint someone to take charge of your data protection obligations. This is, however, only a legal requirement for public authorities, where you process special categories of data on a large scale, or where you carry out large-scale monitoring.
3RD PARTY DATA
Make sure that you obtain documentation to show compliance with the GDPR if you buy data or buy a client database from a third party.