6 Steps to Ensure Your Small Business Is GDPR-Compliant

In a data-driven world, it’s important to make sure your small business is handling customer information according to the GDPR requirements.

General Data Protection Regulation (jokingly referred to as Gosh Darn Privacy Rules) is a complex territory to navigate, and as a small business owner, you might not be sure if it applies to you. But in a data-driven world, it’s important to make sure you’re handling customer information according to the GDPR requirements. Rocket Lawyer’sCEO Charley Moore suggested the following steps to ensure you are GDPR-compliant:

  1. Understand processing of personal data: It is important for employers to be clear on the definition of “processing”, which can mean collecting, recording, organizing, storing, altering, disclosing, combining, restricting, destroying or erasing data. It is also essential to understand what your business does with the data on an internal and external level.Businesses must have a valid reason for processing other people’s personal data, which includes consent, performance of a contract, compliance with a legal obligation, vital interests of the data subject, and public interest.

  2. Determine how your business processes data. It is recommended that small businesses conduct a data audit of their company to understand the data they possess, what it’s used for, how it is stored, who the data is shared with, and who is ultimately responsible for it.

  3. Update all contracts and policies. It is necessary that all contracts and policies are updated to reflect a company’s privacy policy (including employment contracts). If a business has a website, make a website privacy policy. If a company employs staff, they should make a data protection and security policy. This indicates how a business and its staff will comply with GDPR. It also requires employers to provide more detailed information in the privacy notices, such as:how long data will be stored for;if data will be transferred to other countries;information on the right to make a subject access request; and information on the right to have personal data deleted or rectified in certain instances.

  4. Teach your staff the ropes. The owner of a business is not the only one responsible for handling user data, but the staff now needs to learn how to do so in a responsible manner and what procedures to use. This is especially true for data breach notifications; how will a company respond if data is lost or compromised? Who will be the person responsible to mitigate any damage and rectify the issue?

    If your business has an IT team, be sure to communicate with them to implement any procedures and technical measures to protect any personal data. If there is a data breach, an organization has 72 hours to report the occurrence to the Information Commissioner’s Office (ICO). The organization should immediately make a report on the ICO’s website and state what happened, why and how the breach occurred, and how the organization plans to resolve the matter and protect against future breaches.

    Additionally, companies will have to train staff on how to deal with subject access requests (SAR) in a timely manner. The new time limits stipulated under GDPR means that a business will need to respond to a SAR ‘without undue delay and in any event, within one month of receipt of the request’, down from 40 days under the Data Protection Act.

  5. Destroy documents after six years. All business contracts (including employee contracts and pension documents) and agreements are required to be retained for six years before they are destroyed, excluding the length of the contract. VAT records are also required to be kept for six years, in both physical and digital forms to assist with compliance.A company should destroy its documents if they have backup copies (in digital formats, which tends to be safer than hard copies) and/or if the information is no longer needed (provided it is not pertinent to company information, clients or employees).

  6. Keep records to lessens errors. Ensuring proper and accurate record keeping of all data will make it easier for companies to comply with GDPR. Though it is tedious, it will make for a structured approach to data processing, especially for small businesses, and will ensure that a company is audit-ready in the event that the ICO pays a visit.

    If a company has the resources to do so, hiring a solicitor to review its current agreements with customers, vendors and suppliers will let it know where it stands currently and what it needs to improve to be GDPR compliant.