The General Data Protection Regulation (GDPR), which came into force in May 2018, introduced big changes in how UK businesses handle personal data.
The new regulations give individuals extensive rights over their data and introduce strict rules over how businesses acquire, store and use that data. A GDPR compliance checklist for small businesses is essential.
GDPR and small business – what you need to know
Although GDPR is an EU directive, the UK government has signalled that UK law will mirror the new regulations after the UK leaves the European Union in 2019.
The two key principles of GDPR are that a business must have appropriate legal grounds for processing personal data and must do so transparently, and that it may collect personal information only for a specific purpose and use it solely for that purpose.
How does GDPR affect small business?
GDPR requirements apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it’s a regular activity, concerns sensitive information or the data could threaten individuals’ rights.
As most businesses hold some form of personal information about customers – from email and postal address through to health and financial details – it’s essential that your business is GDPR compliant, no matter your company size. Serious breaches of GDPR regulations carry a steep fine of up to 4% of the turnover of your business or €20m – whichever is higher.
GDPR compliance checklist for small businesses
Your business must be GDPR compliant if you acquire, store or use personal information in any capacity. Follow our GDPR compliance checklist to ensure you comply with all your GDPR responsibilities.
1. Understand your GDPR responsibilities
GDPR introduces two new terms to describe the person, company or organisation who is collecting and processing data. Both controllers and processors must be compliant with GDPR and are central to any GDPR compliance checklist for small businesses.
Data controller – The person or business that determines how and why personal data is collected. The data controller must ensure the business is fully compliant with GDPR – including transparency, data storage, data confidentiality and accuracy of data collected and stored. They are also responsible for notifying the Information Commissioner’s Office (ICO) if a data breach occurs or data is stolen or lost by your business.
Data processor – The person or business responsible for processing personal data on behalf of a controller. This encompasses anyone with access to personal information who uses it in any way, such as creating and sending marketing emails. A processor must ensure data is processed in line with GDPR requirements and record processing activities. They must also ensure appropriate security when handling data.
2. Understand your data
Data comes in many forms. Auditing the data you keep on customers, clients and employees – both past and present – as well as personal information on suppliers is a vital step in creating a GDPR compliance checklist for small businesses. Data covers a wide range of information, including names and addresses, financial records and bank details, staff employment records and dates of birth.
Decide how much data you need. GDPR requires that you hold only the necessary data and only for as short a time as possible. Stockpiling data or holding databases with old customer data is likely to fall foul of GDPR.
Look out for what GDPR defines as ‘special categories of personal data’. This covers personal information such as political affiliation, religious beliefs, sexual orientation, trade union membership and racial or ethnic origin. This is data that could be misused to discriminate against an individual. You need explicit consent from an individual to store any special categories of personal data.
You should also audit how data comes into your business, including any consent that is obtained, and what processes it flows through. Look at who handles personal data and how accessible it is.
3. Review or define your data consent policy
To acquire and store personal information, you must first obtain clear and explicit consent that is freely given by the individual. This means you must clearly explain what personal information your business is collecting and how it will be used. The individual must actively agree to this. If not, you are not permitted to capture and store this data under any circumstances. This includes conditional data collection, where data is collected as a condition of using a service, such as offering an incentive to sign up to a newsletter and then using that data for marketing.
To comply with GDPR, your business must be able to show that you have obtained consent for the data you hold. Not having a record of consent runs the risk of a fine. Nor can you rely on a lack of response or pre-ticked checkboxes as a sign of consent. Your business must also provide easy ways for the individual to opt out in the future.
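The consent rules above (an explicit, affirmative act; no pre-ticked boxes or silence; a record the business can show later; an easy opt-out) can be modelled in a small consent ledger. The following Python is an added example written for this article, not code from the original page or any product it mentions; the form field names, record fields and customer IDs are assumptions constructed for the illustration.

```python
"""Consent ledger: an added illustration, not code from the original article.

It models the checklist's consent rules: consent is valid only as an explicit,
affirmative act (silence or a pre-ticked box does not count), the business keeps
a record it can show later, and the individual can opt out at any time. The
form layout, record fields and customer IDs are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


class ConsentError(ValueError):
    """A submission that cannot be treated as valid consent."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                      # the specific, stated purpose (e.g. "newsletter")
    wording: str                      # the explanation the individual actually saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentLedger:
    records: List[ConsentRecord] = field(default_factory=list)

    def record_consent(self, subject_id: str, purpose: str, wording: str,
                       form: Dict[str, bool], now: Optional[datetime] = None) -> ConsentRecord:
        """Accept a submission only if the box was unticked by default and the user ticked it.

        `form` is a constructed stand-in for submitted form fields:
        consent_default_checked = how the box was rendered, consent_ticked = its state on submit.
        """
        if form.get("consent_default_checked", False):
            raise ConsentError("pre-ticked checkbox: not a freely given, affirmative act")
        if not form.get("consent_ticked", False):
            raise ConsentError("no affirmative action: lack of response is not consent")
        rec = ConsentRecord(subject_id, purpose, wording, now or datetime.now(timezone.utc))
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> int:
        """Opt-out: close every active consent for this subject and purpose.

        Records are closed, not deleted, so the business can still show what
        was agreed, when, and when it was withdrawn.
        """
        stamp = now or datetime.now(timezone.utc)
        closed = 0
        for rec in self.records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.active:
                rec.withdrawn_at = stamp
                closed += 1
        return closed

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Check before processing: is there an active consent for exactly this purpose?"""
        return any(r.subject_id == subject_id and r.purpose == purpose and r.active
                   for r in self.records)

    def evidence(self, subject_id: str) -> List[ConsentRecord]:
        """Everything recorded for one individual: the proof of consent the checklist asks for."""
        return [r for r in self.records if r.subject_id == subject_id]


def demo() -> Dict[str, object]:
    """Walk through the cases the checklist describes, using constructed input."""
    ledger = ConsentLedger()
    when = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    out: Dict[str, object] = {}
    # Valid: unticked by default, actively ticked by the individual.
    ledger.record_consent("cust-001", "newsletter", "We will email you our monthly newsletter.",
                          {"consent_default_checked": False, "consent_ticked": True}, when)
    out["valid"] = ledger.has_consent("cust-001", "newsletter")
    # Consent is purpose-specific: newsletter consent does not cover a different use.
    out["other_purpose"] = ledger.has_consent("cust-001", "profiling")
    # Invalid: the box was pre-ticked.
    try:
        ledger.record_consent("cust-002", "newsletter", "Tick to receive offers.",
                              {"consent_default_checked": True, "consent_ticked": True}, when)
        out["preticked"] = "accepted"
    except ConsentError:
        out["preticked"] = "rejected"
    # Invalid: the box was never ticked (no response is not consent).
    try:
        ledger.record_consent("cust-003", "newsletter", "Tick to receive offers.",
                              {"consent_default_checked": False, "consent_ticked": False}, when)
        out["silence"] = "accepted"
    except ConsentError:
        out["silence"] = "rejected"
    # Opt-out later: processing must stop, but the evidence is kept.
    out["withdrawn"] = ledger.withdraw("cust-001", "newsletter", when)
    out["after_withdrawal"] = ledger.has_consent("cust-001", "newsletter")
    out["evidence_kept"] = len(ledger.evidence("cust-001"))
    return out
```

Two design points matter here: the ledger stores the exact wording shown, because "we have consent" is only demonstrable if you can show what the individual agreed to, and withdrawal closes a record rather than deleting it, so the opt-out itself remains provable.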
4. Dispose of old data
Many businesses build up databases of customer information. GDPR requires that all existing customers are re-consented. This means you must recontact every single customer you held data on prior to May 25, 2018 and seek their permission for continuing to store and use their data. If they do not consent – and that includes simply not responding to your request – you must delete their data. GDPR stipulates that data can only be kept for as long as needed. When no longer in use, it must be deleted.
As part of any GDPR compliance checklist for small businesses, it’s a vital step to audit the data you hold and put in place policies that determine how long it can be stored. For example, a policy could determine that data belonging to a lapsed customer who has not engaged with your business for 12 months is deleted. Set up regular data reviews to ensure data is not kept longer than necessary.
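The retention policy sketched above (a lapsed customer with no engagement for 12 months is deleted, with regular reviews to enforce it) is simple enough to encode as a scheduled review. The Python below is an added example written for this article, not code from the original page; the customer records, the reading of "12 months" as 365 days and the `legal_hold` flag (data still needed for an open obligation, so not yet deletable) are assumptions made for the illustration.

```python
"""Retention review: an added illustration, not code from the original article.

It implements the policy the checklist uses as its example: a customer who has
not engaged for 12 months is lapsed and their record is due for deletion, and a
regular review produces the deletion list plus an audit trail. The customer
records, the 365-day reading of "12 months" and the `legal_hold` flag are
assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

RETENTION_DAYS = 365  # assumption: "12 months" read as 365 days


@dataclass
class Customer:
    customer_id: str
    last_engaged: date        # last order, login, enquiry or reply
    legal_hold: bool = False  # assumption: still needed, e.g. an open contract or accounting duty


def is_lapsed(customer: Customer, today: date, retention_days: int = RETENTION_DAYS) -> bool:
    """Lapsed means strictly more than the retention window since the last engagement."""
    return (today - customer.last_engaged).days > retention_days


def retention_review(customers: List[Customer], today: date,
                     retention_days: int = RETENTION_DAYS
                     ) -> Tuple[List[Customer], List[Customer], List[str]]:
    """One scheduled review: split records into keep / delete and log every decision."""
    keep: List[Customer] = []
    delete: List[Customer] = []
    log: List[str] = []
    for c in customers:
        idle = (today - c.last_engaged).days
        if is_lapsed(c, today, retention_days) and not c.legal_hold:
            delete.append(c)
            log.append(f"{today.isoformat()} DELETE {c.customer_id} idle={idle}d (> {retention_days}d)")
        elif is_lapsed(c, today, retention_days):
            # Lapsed but still needed: keep for now and re-check at the next review.
            keep.append(c)
            log.append(f"{today.isoformat()} HOLD   {c.customer_id} idle={idle}d (legal hold)")
        else:
            keep.append(c)
            log.append(f"{today.isoformat()} KEEP   {c.customer_id} idle={idle}d")
    return keep, delete, log


def sample_review() -> Tuple[List[str], List[str]]:
    """Run the review over constructed sample data; returns (kept ids, deleted ids)."""
    today = date(2019, 6, 1)
    customers = [
        Customer("cust-001", date(2019, 5, 1)),                    # active
        Customer("cust-002", date(2018, 1, 15)),                   # lapsed: delete
        Customer("cust-003", date(2017, 12, 1), legal_hold=True),  # lapsed but on hold
        Customer("cust-004", date(2018, 6, 1)),                    # exactly 365 days: boundary, keep
    ]
    keep, delete, log = retention_review(customers, today)
    for line in log:
        print(line)
    return [c.customer_id for c in keep], [c.customer_id for c in delete]


if __name__ == "__main__":
    sample_review()
```

The review deliberately logs every record, including the ones it keeps, so that a later audit can show the policy was actually applied on a given date rather than only that deletions happened.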
5. Data storage and security
Review and assess how your business stores data. Personal data can be located in lots of places – from email inboxes, customer databases and mobile phones to, increasingly, third-party cloud-based services such as Dropbox and Microsoft Office 365. Unfortunately, GDPR covers all data no matter where it is stored.
Create a data processing and storage policy. This should determine where customer data is secured, how it is protected (for example by encrypting the data and securing your website with SSL), and who has access to it. Data processors may need access to elements of data such as phone numbers or mailing addresses, so you’ll need to define the process by which that data is accessed and under what circumstances.
You should also create a plan for how data is transferred. Data is most vulnerable when it is moved, such as between departments or shared with third-party providers to deliver a customer service. Place limits on how data is taken out of the business, such as on laptops or USB memory sticks.
Put in place an emergency plan as part of your GDPR compliance checklist in the event of a data breach such as misplacing a laptop with customer details on it. Encrypting data can significantly reduce the fine your business would face if there was a data breach.
6. Appoint a Data Protection Officer
Large businesses will need to create a dedicated Data Protection Officer role and appoint someone to the post. Small businesses with fewer than 250 employees are exempt from this requirement unless they process special categories of data at volume or the primary purpose of the business is to conduct large-scale data processing.
Even if your business has just a handful of staff, it makes sense to nominate one person to be responsible for data. This means someone takes ownership of GDPR compliance and can ensure your business meets regulations.
7. Train staff on data handling
Ignorance is no excuse in the eyes of the law. Inadvertent data breaches – such as an employee losing a USB memory stick with customer data on it outside the office – could result in a heavy fine. Introduce company-wide training on GDPR and policies on handling data properly.
Teach staff to recognise a data breach. Any data breach must be reported to the ICO within 72 hours of it happening. The report must detail how the breach occurred, what is being done to contain it and the next steps the business plans.
8. Create a Subject Access Request plan
Any EU citizen can request access to all the data you hold about them in its entirety, known as a Subject Access Request (SAR). This can be anything from referring to them in email messages to customer records and electronic notes. They also have the right to correct any inaccurate data you hold and to request you delete data entirely.
Dealing with a SAR is time-consuming. Your business may need to trawl through hundreds of documents and data entries, compile data into a report, and correct any inaccuracies. A strict 30-day time limit applies for completing a SAR, so have a plan in place to handle requests from staff, suppliers and customers.
9. Ensure suppliers are GDPR compliant
Small businesses often rely on a network of contractors and suppliers. Even if your business is GDPR compliant, you must ensure suppliers and contractors are also GDPR compliant. Small businesses are exempt unless they’re working with a larger business that has more than 250 employees, in which case they can fall foul of GDPR if the larger business is not compliant.
The quickest way is to ask suppliers to complete a GDPR compliance form detailing how they handle data, security and storage procedures, and what type of data they handle. You can send them a GDPR compliance checklist for small businesses for them to complete. Ensure contracts specifically refer to a supplier or contractor being GDPR compliant. Include the right to audit their business if needed, such as making an on-site visit to review their data processing arrangements.
10. Create data processing notices
Data handling must be fair and transparent, so you will need to create a document explaining how your business deals with data. Known as Fair Processing Notices (FPNs), these documents should be displayed prominently such as on your website. They should detail how you capture data, how you process and store it, and how an individual can request access to it via a SAR. You should also ensure that any time you collect data you provide a link or include details of the FPN so an individual can understand how your business will use their data.