If you’ve read our guide to what GDPR means for small businesses, you’ll already know a bit about how the rules around data protection changed on the 25th May 2018.
While a lot of the rules have stayed the same as the Data Protection Act the GDPR replaced, there are new developments under the GDPR that you must be prepared for.
Make sure you’re taking the right steps to being ready and compliant by considering the tasks below:
1. Data mapping
Conduct an audit/assessment of the personal data you currently hold and document this, identifying:
- The personal data you currently hold and how it’s stored
- How you obtained personal data
- The purposes for which the personal data is used
- The lawful basis for using the personal data
- Who that personal data is shared with (if anyone)
An audit/assessment will help you to establish what steps need to be taken in order to comply with GDPR and to prioritise any key areas. It may also help you to demonstrate compliance with the new accountability requirement under the GDPR (that is, you must be able to show how you comply with the GDPR).
2. Data minimisation
Once you’ve completed your data mapping, you should be able to assess the amount of personal data that you collect and process. Under GDPR, personal data should be limited to what is necessary for the purpose(s) for which that personal data was obtained and shouldn’t be kept for longer than necessary. This assessment should allow you to conduct a data minimisation or data cleansing exercise to ensure you only hold personal data in line with the GDPR. Any data that you do delete should be deleted securely.
3. Review of procedures and policies
A review of your internal procedures and policies to ensure that they’re GDPR compliant may also help you to demonstrate compliance with the new accountability requirement. Such reviews should include:
- Internal data protection policies, including staff training on GDPR to make them aware of the business’ and their own obligations under GDPR
- Implementing measures that meet the principles of data protection by design (an approach that builds privacy and data protection compliance in from the start) and data protection by default (including data minimisation, transparency, creating and improving security features, and putting data protection at the heart of new products and new processing rather than treating it as an add-on).
Where your organisation has more than 250 employees, you’re required to maintain internal records of your processing activities. If you have fewer than 250 employees, you’re required to maintain records relating to higher risk processing activities. However, this would be a good exercise and record to have in place whatever your size. The record must include:
- Details of your organisation (and other data controllers, if relevant)
- Purposes of the use of personal data
- Description of categories of individuals and categories of personal data
- Categories of recipients of personal data
- Details of transfers to third countries and details of safeguarding measures
- Retention schedules
- Description of technical and organisational security measures for the personal data