According to the terms of the GDPR, a small business is one that employs fewer than 250 people and is not expected to meet some of the more stringent stipulations of the legislation.
Small Business GDPR Checklist
There are a number of steps that are very important for small business owners to follow if they wish to avoid breaching GDPR.
- Study GDPR Requirements: Small business owners should study the General Data Protection Regulation and become familiar with the allowable processes to ensure that they are adhering to all GDPR requirements.
- Review Current Data Management: All small businesses must identify the person responsible for the management of the data, be able to prove that appropriate consent has been obtained, and assure themselves that the data is still being processed for a valid reason.
- Verify Each Process and Procedure: Small businesses must be aware of what data they are holding and how it is being stored. Processes and procedures should be listed so as to guarantee that they are GDPR compliant. Additionally, they must record, in detail, the processes and procedures used in order to be able to verify their compliance should authorities later ask them to do so.
- Record All Consent Processes: Small businesses have a legal obligation to prove that they have received the appropriate consent to process personal data, other than where certain legal exceptions apply. Consent must be obtained for all data processed. The data subject must be made aware of what they are giving their consent for. Their agreement has to be given by way of a positive act, i.e. it is no longer acceptable for any organisation to rely on pre-checked tick boxes as evidence of consent.
- List & Address Potentially Dangerous Data Processes: Some items of personal data, which fall under the scope of Article 9 of the Regulation, are more at risk than others. Small businesses may also recognise that specific aspects of the data processing that they participate in could be dangerous. Each company will have to mitigate such risks by drawing up comprehensive plans and procedures to follow. If it seems that mitigation of the risk cannot be achieved, a business should request the consent of the relevant Data Processing Authority (DPA) before processing the data.
- Create a Data Breach Response Policy: A contingency plan must be created to deal with data breaches. This will allow a small business to report a data breach to the relevant authorities within the required maximum time limit of 72 hours.
- Train Staff: For a business to be compliant with the GDPR, it is crucial that staff are familiar with the legal requirements. It would be a smart step for every small business owner to check that their staff are fully aware of the implications of the GDPR and what their individual responsibilities are.