The GDPR enforcement deadline is rapidly approaching, and with it, businesses all over the EU, the UK included, will need to ensure that they are meeting all of its requirements. This regulation aims to unify laws pertaining to data protection all over the EU. This will include things like consent for data collection, the right to erasure, and incident reporting. Failure to adhere to these new rules can mean very significant fines, in addition to reputational damage, which means that it’s very important that the regulations are followed. With this in mind, lots of businesses are taking steps to ensure that they are in good shape ahead of the deadline.
We’ve put together a quick checklist to aid small businesses in understanding the main components of GDPR and how they can prepare for them.
Taking stock of your existing data isn’t part of GDPR itself, but it is critical before the regulation comes into force, and before you begin preparations. It is essential that you have a full understanding of what data the business currently holds, and whether or not your handling of it will adhere to GDPR when it comes into force.
The next step is to establish who the key people in the business are, and what they are responsible for. Who will be responsible for implementing the GDPR policy? Who is required to follow those policies as part of their job? In some cases, you may need a designated Data Protection Officer. As part of this accountability requirement, you will also need to make sure that everyone in the business is aware of what they need to do, which leads us on to the next point.
Once you’ve identified the responsible people in your business, you also need to make sure that all relevant employees have some form of GDPR training. Depending on the type of business, this might mean that everyone who comes into contact with individuals’ data needs training. Fortunately, Virtual College offers a free overview course to help people gain a basic understanding - click here to read more about our Introduction to GDPR course. Remember that people need to be trained on both GDPR and your own processes in response to GDPR.
This is one of the biggest elements of GDPR. You must now have what is known as a lawful basis for collecting and processing an individual’s data. The full details of what constitutes a lawful basis can be found in official EU guidance, but they include processing that is necessary to comply with other laws, processing that is necessary to carry out the service requested by the individual, or the individual’s explicit consent. As a result, you will now need to consider whether you have a lawful basis for collecting the information that you currently do, and establish this in a policy going forwards.
A major part of lawful processing is consent, which means that it is absolutely critical that you have a new policy in place for both gaining consent from individuals, and storing this consent for the future. It is likely that the majority of GDPR fines will be directed at businesses that fail to gain consent for their information processing activities.
It is also important to note that children are mentioned in GDPR. They cannot legally give consent to having their data collected or processed, which means that you must receive consent from their parent or guardian.
All individuals will now have the right to request all of the data that is held about them. It is currently quite rare for organisations to have a process in place for when such a request comes in, so you should take some time to decide how this will work. GDPR guidelines insist that a response is made within a month of the request.
There are a variety of other rights under GDPR that individuals will now have. They can request that their data is erased, they can request that incorrect data is corrected, and they can even request that it is removed entirely (read our article on the right to erasure here). You need to fully understand these rights, and put plans in place to be able to deal with them when individuals decide to exercise them.
The final consideration you must make relates to cyber security. As data breaches can now have severe and wide-ranging impacts, the EU has decided that there must be processes in place for reporting them. You will need to have a policy for reporting them to the relevant authorities, which is likely to be the ICO, and you should also consider how you will notify the affected individuals. For more information on cyber security policies, consider taking our ‘Introduction to Cyber Security’ course, which can be found here.