The new GDPR (General Data Protection Regulation) comes into force on May 25th 2018. While the subject is all the rage right now and its scope is wider than the English Channel, what does it mean for small businesses, micro businesses and sole traders? If you're after small business GDPR help and guidance, let me point you in a few directions on what you need to do for your small business.
The ICO (Information Commissioner's Office) has a bunch of fantastic tools to help you get GDPR compliant, so we will take a look at those. I will bring your attention to some of the main things you need to do for your small business and the GDPR. If you need professional advice about the GDPR and your business, I suggest you seek professional legal advice.
Step 1: Do a data protection self assessment
Use this free online Data Protection Self Assessment toolset to ensure your business is ready for all the GDPR changes and obligations. This toolset comprises a few online quiz checklists to help you define what you need to do and the information you need to gather and document.
This toolset may ask whether you need to do an information audit, to define what personal data you hold, process and manage. Basically this is an audit of what personal information comes into your business, how it's processed and handled once it gets there, and whether it leaves your business at all (i.e. is shared with anyone else).
Step 2: Get your internal business ready
Once you define your GDPR compliance requirements you will need to make any adjustments to your business practices. This will be different for every business, so use the self assessment tool to highlight what you need to look at.
Step 3: Do you employ fewer than 250 staff members?
If so, you are exempt from the record-keeping obligations of the GDPR, unless you process criminal conviction or offence data or special category data, the processing is likely to result in a risk to the rights and freedoms of individuals, or the processing is not occasional (i.e. it is more than just a one-off occurrence). Read more here from the ICO.
This question helps you define what your record keeping obligations are.
Step 4: What is your Lawful Basis for processing data?
Use this Lawful Basis interactive guidance tool to figure out which bases to use. It's free to use and is provided by the ICO.
Once you know your lawful bases, you will also need to explain in your privacy notice why you use each lawful basis, the different ways you process personal data under that basis, your data retention period for that data, and whether you share that information with third parties and, if so, with whom. So make a note of each of those for each lawful basis you will use.
Step 5: Do you need to pay the ICO a Data Protection Fee?
Do you need to register with the ICO and pay a Data Protection Fee? If you're not sure, do this online self assessment quiz and it will tell you whether you're required to register or whether you're exempt.
If you are exempt you may want to add a small statement to your privacy notice explaining your exemption position.
Step 6: Add cookie control to your website
You should add cookie control to your website. This is the little message that visitors see when they first visit your site, asking them to accept cookies before viewing. To do this, visit www.civicuk.com/cookie-control and register for your own API key. Follow the on-screen instructions to implement Civic Cookie Control on your website, or ask your web designer. Alternatively, ask me to add Cookie Control to your website.
Get your website GDPR ready & make changes
You may need to change how your website obtains or processes information and consent. The GDPR requires a change to the ways we process information and request consent, so your website's forms, features or control panels that collect personal information may have to change.
Does your website have a "sign up to newsletter" form and button? Does it explain on that page what the user is signing up for?
Does your site have an enquiry form with a "newsletter sign up" tick box already ticked to encourage sign-ups? Well, you can't do that any more under the GDPR.
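As an added illustration of the two website changes just described (an unticked newsletter opt-in that records what the visitor agreed to, and a cookie banner that only loads non-essential cookies after a positive choice), here is a small consent-handling module. It is example code written for this guide, not part of the original post, Civic Cookie Control or any ICO tool. It uses plain functions with an assumed input shape ({ email, message, newsletterOptIn } for the enquiry form, and a parsed consent cookie object for the banner) so that it runs without a browser; wiring it to real form elements and script tags is left as comments.

```javascript
// Added example: affirmative-consent handling for a newsletter opt-in and a
// cookie banner. Not the post's code; the input shapes below are assumptions.

const NEWSLETTER_PURPOSE =
  "We will email you our monthly newsletter. You can unsubscribe at any time.";

// Default state of the opt-in box: unticked, with the purpose text shown next
// to it. A pre-ticked box is exactly what the guide says you can no longer use.
function defaultNewsletterOptIn() {
  return { checked: false, purposeShown: NEWSLETTER_PURPOSE };
}

// Handle an enquiry-form submission. Browsers post "on" for a ticked checkbox
// and omit the field entirely when it is left unticked, so consent is recorded
// only for an explicit tick, together with the wording the visitor saw and when.
function processEnquiry(fields, now = new Date()) {
  if (typeof fields.email !== "string" || !fields.email.includes("@")) {
    return { ok: false, error: "email required" };
  }
  const ticked = fields.newsletterOptIn === true || fields.newsletterOptIn === "on";
  return {
    ok: true,
    email: fields.email,
    message: fields.message || "",
    newsletterConsent: ticked
      ? { givenAt: now.toISOString(), purpose: NEWSLETTER_PURPOSE, method: "enquiry form opt-in box" }
      : null, // no tick, no newsletter: the enquiry is still handled
  };
}

// Cookie categories the banner offers. Only "necessary" is allowed by default.
const COOKIE_CATEGORIES = ["necessary", "analytics", "marketing"];

// Build the effective consent state from the stored consent cookie (null on a
// first visit). Anything not explicitly set to boolean true stays off.
function cookieConsentState(stored) {
  const state = { necessary: true, analytics: false, marketing: false };
  if (stored && typeof stored === "object") {
    for (const c of ["analytics", "marketing"]) {
      if (stored[c] === true) state[c] = true;
    }
  }
  return state;
}

// Gate for script loading: e.g. call mayLoad("analytics", stored) before
// inserting the analytics <script> tag into the page.
function mayLoad(category, stored) {
  if (!COOKIE_CATEGORIES.includes(category)) return false;
  return cookieConsentState(stored)[category] === true;
}

// Turn the visitor's banner choices into the record to store. Closing the
// banner without choosing anything yields a record with only "necessary" on.
function recordCookieChoice(choices, now = new Date()) {
  return {
    necessary: true,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    givenAt: now.toISOString(),
  };
}
```

The two records returned by processEnquiry and recordCookieChoice are what you keep as evidence of consent: who agreed, to what wording, and when. The same pattern applies to any other opt-in on the site.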
Check your site and speak to your web designer about what you need to change, or contact me and I'll help you with it.
Your website privacy notice will need updating as required by the GDPR. You will need to explain to users a variety of things relating to personal data processing. For example, a main point is explaining to users which lawful basis you will use to process their personal data. Other things, such as users' rights, also need to be in your privacy notice; you can read the ICO's privacy notice guidance here.
This is not an extensive guide
This guide and small business GDPR help sheet is not an exhaustive guide. It is mainly focused on small businesses and micro businesses and explains what they need to do.
If you require professional help with your GDPR compliance, I suggest you seek professional legal advice from GDPR and data protection specialists.
Need help with your website and the GDPR? Call me for a chat on 07833 701150.