How Do I Know my Small Business is GDPR Compliant?

All small businesses collect personal information as part of operating. This may be information about customers, suppliers, staff and so on, so you need to comply with data protection legislation. Failure to do so can have significant consequences, including loss of reputation, loss of income and, where there is a serious non-compliance issue, a significant fine.

Here are some of the things your small business should have in place to demonstrate you are GDPR compliant:

1. Website Privacy Policy

A policy which sets out how your small business uses personal information should be available on your website. It needs to include things such as what information you collect and why, the lawful basis you rely on, who you share it with, where it is held and for how long, how you secure it, and the rights of individuals. You can read our blog post about privacy policies here.

2. Lawful basis for processing

You should have a lawful basis (as set out in data protection legislation) in place for processing an individual's personal information. The six lawful bases are consent, legal obligation, legitimate interests, vital interests, contract, and public task. Where the lawful basis is consent, you should be able to demonstrate that consent was given (and keep a record of when and how); where it is legitimate interests, you should be able to show that a legitimate interests assessment (LIA) has been completed. You can access our free webinar here.

3. Data Security

Ensure you have proper security in place to protect personal information from unintended disclosure, theft or destruction. Think about how you secure devices such as laptops and mobile phones as well as access to your systems and storage. In practice that means encrypting laptops and phones, using strong passwords with multi-factor authentication, giving staff access only to the data they need, and keeping tested backups so that data can be restored after loss or a ransomware attack.

4. Supplier Contracts

Where you are working with suppliers who have access to personal information held by your business, what due diligence are you undertaking to ensure that those suppliers have security and data protection practices in place? Do you have the appropriate contracts in place to meet the requirements of the data protection legislation? Where a supplier processes personal data on your behalf, GDPR requires a written contract (a data processing agreement) setting out what they may do with the data and the security measures they must apply.

5. Data Breach response

We all hope that our organisation will never suffer a data breach, but it is all too easy to send an email to the wrong person, lose a laptop or fall victim to one of the other common causes of data breaches. It is important to be able to manage the response to a data incident properly, including assessing the risk to the individuals affected and, where the breach is likely to result in a risk to them, notifying the supervisory authority within 72 hours of becoming aware of it. Failing to respond properly can be damaging for your business. You can get access to our data breach policy workbook here.

6. Policies and Procedures

It is essential to have policies and procedures covering your data protection compliance. As a minimum you need a data protection policy, a website privacy policy, a retention and destruction policy and a data breach policy.

Our best advice is to take your time to get it right; it is not a one-off exercise. Also make your policies easy to understand, and if you are unsure, please contact us and we will be happy to help. You can book an initial call here.