How Small Businesses Can Prepare For GDPR

The first step is understandably awareness, making sure that decision makers and key personnel within the business know what the legislation is and the impact it is going to have.

The next step is to map out the personal data you hold, where it came from and who it is shared with.

It may be prudent to hold an information audit to clearly map all of this data.

You should review the privacy statements and notices and plan for any required changes prior to the implementation date.

Check your procedures to ensure they cover all the rights individuals have.

Particularly those surrounding the right to have personal data deleted or provided digitally.

Update your data access procedures and plan how to handle requests within the new GDPR timescales.

You should identify the lawful basis for your GPDR compliant processing activity, document it and update your privacy notice to explain it.

Review how you seek, record and manage the way people consent to you storing their data. Update existing consents that do not meet the GDPR standard.

Review whether your business requires age verification or parental/guardian consent for any data processing.

What would you do if there is a data breach? This step involves making sure you have the right procedures in place to detect, report and investigate personal data breaches.

Get comfortable with the ICO’s code of practice on Privacy Impact Assessments and the latest guidance from the Article 29 working party.

It is important that you designate someone to take responsibility for data protection compliance within your organisation. You should consider whether you are required to formally designate a Data Protection Office (DPO).

If you operate in more than one country you should determine the lead data protection supervisory authority.