GDPR Compliance for small business - a 28 STEP CHECKLIST (available in PDF)

Here is our 28 step action plan to get prepared for GDPR (The EU General Data Protection Regulation).

Print this off, make it your checklist, and work through it now: the 25th May 2018 deadline has already passed!

Don't Panic. You've got this.

We also made a Google Doc version of our GDPR Checklist here.

Download our simple GDPR Compliance Checklist PDF here

"Probably the most helpful thing I've found regarding this. I followed each of the steps and feel very much ready for GDPR now. Thank you!!!!"
- Steve


Updated March 12th 2019.

  1. Create a data protection compliance folder on your company file system. This will form the basis of your proof of compliance.
    Every step you take towards GDPR compliance should be documented to be used in your defence if necessary.

  2. Keep notes of internal meetings on GDPR, and decisions made on GDPR

  3. Name a data protection officer

  4. Map your data, i.e. establish what data your business collects and where (fill in this questionnaire for a quick way forwards here)

  5. Separate the data into categories

  6. Identify the lawful basis for processing each category of data

  7. Refresh consent where necessary (and check that third-party data processors such as Mailchimp have established their own compliance too!) - BE CAREFUL how you do this: emailing people to ask for consent can itself break the law if you have no lawful basis to contact them (Honda and Flybe were both fined by the ICO in 2017 for exactly that)

  8. Implement a policy to identify and handle any data subject access requests

  9. Implement a policy to identify and handle any data erasure or corrections requests

  10. Create a document of non-compliance issues to show awareness of compliance omissions and to plan towards total compliance or at least thorough risk mitigation.

  11. Create a password policy for all users (staff, website etc)

  12. Contact your entire database (marketing or otherwise) to ask them to opt in to the various types of communication you plan on sending. This should have been done before 25th May 2018; if you still haven't, read step 7 first, because you need a lawful basis even for the email that asks.
    The simple test here is: Would someone expect to receive an email about X from you?
    A member of a swimming pool would expect to receive updates on opening time (so that's still fine), but do not send them information about new swimsuits in your shop unless they've explicitly said they want that, as an example.

  13. Keep a record of consents for those who have already opted-in, and those who are still to do so.

  14. Create a retention schedule for data. When the data has reached the end of its retention period destroy it in accordance with a data destruction policy (minimise the data you hold)

  15. Train your staff so they ALL understand what constitutes personal data (bonus points for practising case scenarios with your team and for putting together a Staff GDPR Awareness Status Report to note down who has participated in which training)

  16. Train your staff to identify a breach (plus how to avoid email scams)

  17. Have a breach response policy

  18. Create a data breach log to record events such as "Stacey emailed the client list to Tim Smith in the finance team not Tom Smith in the sales team".

  19. Ensure your website is HTTPS (security by design)

  20. Ensure your office computers are encrypted (security by design). On a Mac turn on FileVault (System Preferences > Security & Privacy > FileVault, or System Settings > Privacy & Security > FileVault on recent versions); on Windows Pro or Enterprise turn on BitLocker. Laptops and phones that leave the office matter most: the theft of a properly encrypted device is far less likely to be a reportable breach than the theft of an unencrypted one.

  21. Review and document the physical security of data (USB disks, paper filing systems behind lock and key etc)

  22. Securely lock away any personal data

  23. Create an asset register of the serial numbers of all your computers regardless of contents - you may need to prove to the ICO that a stolen computer could not have had any personal data on it

  24. Consider which individuals should have access to the data on each device

  25. Update your website's privacy policy (to include the identity of the controller, the purpose of the processing and its legal basis, the legitimate interest relied on, any recipients or categories of recipients of the personal data, the right to withdraw consent at any time, and the data retention period)

  26. You may also want to get specific and mention which cookies are on your website, and give users the option to opt-out. This is HUGE, as it means you'll need to gain opt-in consent before providing a user with a Google Analytics tracking script. You can view the ICO's cookie policy, and you may want to use the Cookie Control tool by Civic UK which we are using on our website too.

  27. Have an extra pair of eyes look through what you’ve done, both technical and legal, in case there are some simple further steps which you need to take before you’re fully compliant. Our legal partners are LexSolutions.

  28. If you process personal data within the UK, check whether you must pay the ICO's data protection fee. Most controllers must unless exempt; the fee is tiered by size and turnover (£40, £60 or £2,900 a year, with £5 off if paid by direct debit). The ICO's registration self-assessment tool tells you which applies.


Introduction to GDPR

The aim of this article is to help small businesses, and your industry, to understand GDPR.

There will be significant changes to the way we behave and do business.

By the 25th May 2018 you’re supposed to be compliant. People are asking if there’s some grace period. The information commissioner's office (ICO) have said, "There will be no grace period" because the EU said, “you’ve all had long enough”.

Much of this is a refined version of the Data Protection Acts of 1984 and 1998 we already had in the UK.

What's different is that people didn't really know about the old law (despite the breaches at Equifax and TalkTalk and the fines that followed). Most people thought 'this doesn't really affect me'.

The EU are building on existing legislation primarily because of the digital world we live in and the risks to individuals, given the data they’re holding on you. 

They want to minimise the chance of data being unfairly disclosed.

Note: If you are holding and processing data, i.e. information on any living identifiable human being, and you decide why and how it is processed, you are what the law calls a "Data Controller".

Holding information on other corporations is not affected in the same way by GDPR and can be disregarded somewhat for the time being. It is mostly about individuals' personal data.

Under the old law most data controllers never had to report breaches. The new law requires any breach that is likely to result in a risk to the people affected to be reported to the ICO within 72 hours of you becoming aware of it. Friday evening or not - it needs to be reported.

If you accidentally email the wrong person, and nothing in that email could affect the person whose information you've mis-sent, it wouldn't necessarily need to be reported.

However, emailing one client about another client’s purchase, including how they paid and how much they paid, would be reportable.

The GDPR Fine

The maximum fine for non compliance could be up to 20m Euros or 4% of worldwide turnover - whichever is greater

The aim of this is to demonstrate the importance of compliance, but this regulation is not about revenue generation; fines will be a last resort, but if your paperwork is not in good order then an investigation could quickly be destined for monetary punishments.

Note: The ICO has issued draft guidance on how it will take regulatory action to data breaches post GDPR. They talk of an approach proportionate to the size and sensitivity of a breach, and in guiding businesses towards compliance. In other words they're not defaulting to the fine (yes, breathe a brief sigh of relief!) but it's still important to get compliant ASAP.

How can your business become GDPR compliant?

You need to know what data you hold, where it's stored, and how it's managed.

Even for smaller organisations you need to look at how you’re holding data. 

This is called 'data mapping'.

Do you need agreements in place with clients you’re already dealing with?

If you hold their information in the cloud, you must have an agreement with the person who’s holding the data. The holder of the server, i.e. the cloud, would be counted as a data processor. You must have a written agreement.

The old law already required a written contract with data processors; GDPR (Article 28) goes further and prescribes what that contract must contain.

Two concepts worth bearing in mind are data protection by design and data protection by default. The EU and ICO are using these terms a lot.

Data protection by design

You now have awareness of the necessity to comply with data protection laws, and you are therefore putting designed systems in place to comply. This makes you accountable for the systems you'll have in place by the 25th May 2018.

Staff must know what they should and shouldn’t do.

The people you’re sharing data with should know what they should and shouldn’t do too.

A data breach, even at a small company (revealing a purchase by a celebrity, or a mistaken email, for example), will need to be reported if it is likely to put the people affected at risk.

Mistakes can happen, and that’ll be accepted to some extent.

What won’t be accepted will be that you’ve done nothing at all to comply, ie. your processes haven’t changed to comply with GDPR.

Should I tell someone their data has been breached?

Breaches likely to result in a high risk to the people affected must be reported to them directly, not just to the ICO.

If a breach was serious enough that you had to report it to the ICO, then at the very least consider contacting the people affected too.

Data protection by default

Hold the data for the minimum amount of time you need to. Do you hold more data than you actually need?

Do you need a list of all the goods a customer has bought over the last 10 years? 

Minimise your data

If there is a breach, there will then be as little data as possible affected by it.

GDPR and brexit

In practical terms GDPR will still apply post-Brexit. The UK has already written it into domestic law through the Data Protection Act 2018, and the EU's position is that anyone offering goods or services to, or monitoring, individuals in the EU must comply with GDPR wherever they are based.

It’s a great opportunity to review your data, and to contact your clients.

Example: “We’re updating our database and just wanted to check you still want to receive X Y and Z” and the discussion begins, including insights into what this person IS interested in receiving from you. Just because they bought something from you doesn't automatically mean they want to receive invites to your events or regular updates with your news.

The GDPR law is not about fines - it’s about putting the customer/citizen first. If you align with that viewpoint, then there are some business opportunities which can be presented to you.

This legislation is the biggest shake up of data protection laws in 20 years. The effect and work needed in order for you and your business systems to comply with these new laws may be big or small. It depends on where you’re starting from.

Do you need a data protection officer?

A formal Data Protection Officer is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data. Every other business is still encouraged to name someone who takes responsibility for making sure the right systems are in place, deciding whether an incident should be reported, and ultimately reporting it.


What does GDPR actually mean to your business?

Whether you have 1 or 100 members of staff, GDPR applies. There are no exemptions for small businesses.

When it comes to data protection, research suggests smaller businesses will be the least prepared.

They simply don’t have the time or resources to dedicate to bringing their systems up to GDPR compliance standards.

The reality is small businesses process just as much information as large companies.

Under the accountability principle, the data controller (you) is responsible for demonstrating GDPR compliance. If you are a small business owner, that means you.

It’s an administrative nightmare with fears compounded with the possibility of large fines, warnings, reprimands and corrective orders.

Such consequences will be in the public domain and therefore easily picked up by the media. The risk of damaged reputations is very real.

If you streamline the data, your efficiency could increase, and you could get a greater return.

Begin cutting back the number of people who are receiving your emails today.

A. Raise awareness of GDPR within your organisation

  • Is there an awareness of what constitutes personal data?

  • Do employees understand how personal data can be used?

  • Put in place adequate training for staff.

Your employees could be your biggest risk to GDPR.

B. Establish what personal data your business collects, stores, uses and sends out

Separate the data into categories: customers, prospective customers, staff, third-party suppliers, business contacts, prospective employees.

C. Audit the data identified

  • Whose data is it?

  • What is the data you're holding?

  • When did your business come into possession of this data? How long has the data been retained for? 

  • Where did you receive the data from? 

  • If data was obtained from a 3rd party, do you have written assurances from them that they’ve got consent to own, and share that data?

  • Why do you have the data?

Examples of personal data would be IP addresses, telephone numbers combined with a name, and bank details.

Data minimisation means: don’t keep what you don’t need.

You need to have a specific, explicit and legitimate purpose to hold and use that data. You must not process it beyond that purpose.


You must identify the lawful basis for processing each category of data

Below are the options available to claim WHY you hold data. Every piece of data should be attributable to one lawful basis of processing. You’ll need to crosscheck all the items of data you hold against the below.

  • Contractual relationship (is it necessary because it’s part of a contract, or they’ve asked you to take specific steps before entering into a contract)

  • Legal obligation (employer needs personal data in order to disclose salary details to HMRC)

  • Most flexible: Legitimate interest (the interests and fundamental rights of the individual must be taken into account; you must balance their rights against your interests and document that balancing test).

  • Vital interest (necessary to protect someone's life, e.g. someone has an accident resulting in life-threatening injury and their medical records must be disclosed).

  • Public task (necessary for a task in the public interest or an official function, which must have a clear basis in law).

  • Consent of the individual (see below)

Under each category - note how long data will be kept for.
 

Consent of the individual

  • Check your opt-in/consents.

  • Is the consent freely given, specific, informed, unambiguous and a clear affirmative action?

  • Refresh existing consents if they do not meet GDPR requirements.

  • Consent should be obtained for each processing activity (yes, this might mean several tick boxes on your forms from now on - tough, that's just how it is now! Those tick boxes must be unticked by default too and perform a positive opt in).

  • Keep a record of consent (ideally the date & time, wording of the consent they ticked, and the version number of the privacy policy that was in place at the time).

If your current consent doesn’t meet GDPR consent standards, then you should refresh their consents.

If using consent of the individual as lawful basis for holding data, then there needs to be a proper process for them to withdraw their consent at any point.
 

There are many reasons you could process data without explicit consent (via a contract etc). The general way used to gain consent is with a checkbox. 

To reiterate - an individual's consent under GDPR must be:

  • Freely given

  • Specific

  • Informed

  • Unambiguous, i.e. a positive indication of agreement (this is why having an unsubscribe button cannot be inferred as consent. Unsubscribe links are NOT positive indicators of agreement; they are the presentation of an opt-out, which is NOT the same thing).


Enhanced personal rights

As you likely know, the basis of GDPR is greater empowerment for the individual with regards to their personal data. Post GDPR individuals will have these enhanced personal rights:

  • The right to erasure i.e. the right to be forgotten.

  • The right to rectification

  • The right of data portability

  • The right of access - i.e. data subject access requests (this is where people ask you to let them know what data you hold on them, and you must be able to tell them)

You must implement policies to identify and handle any data subject access requests.


Data access requests

Individuals used to have to pay up to £10 for this.

That fee acted as a deterrent to data subject access requests; it has been removed under GDPR.

The timeframe for complying has also decreased: the old 40 days becomes one month, extendable by a further two months only for complex or numerous requests. Your data should therefore be kept in a very organised fashion.

Data transfers outside of the European Economic Area

If you need to transfer data outside of the EEA, you’ll need to take a look at the below.

Transfers to a country outside the EEA that the European Commission has not recognised as providing an adequate level of protection are prohibited unless you put appropriate safeguards in place.

The usual safeguard is to add the Commission's standard contractual clauses (available from the European Commission) to your contract with the recipient.

Terms and conditions and supplier contracts

Where a data controller uses a data processor it needs to have a written contract in place.

Tighten up contracts between data controllers and data processors to ensure that they are compliant with the GDPR and aware of their obligations and liabilities. 


Review and update current policies and procedures

Does your privacy policy meet GDPR requirements in Article 13 and 14? 

It should include:

  • Identity of the data controller

  • Purpose of the processing and the legal basis.

  • The legitimate interest in the data.

  • Identify any recipient or categories of recipients of the personal data

  • The right to withdraw consent at any time

  • Retention period


Notification of a data breach

  • Have a breach response policy.

  • Educate your staff on how to spot and report a breach.

  • Create a data protection compliance file

  • Keep record of consents

  • Keep notes of internal meetings and decisions on data protection

  • If the ICO comes knocking - you can then show that you’ve looked into this.

Compliance with GDPR is ongoing

  • Regularly review personal data

  • Create a retention schedule for data and when the data has reached its retention period. Destroy it in accordance with a data destruction policy - this is why you kept a record of when the consent was given!
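The consent record described under "Consent of the individual" above (date and time, exact wording, privacy policy version) and the retention schedule in this bullet fit together in one small ledger. Below is an added Python example of such a ledger; it is not code from this page or from any tool named on it. It records one consent per tick box, refuses to send once consent is withdrawn or its retention period has run out, and on purge keeps an erasure log that proves the deletion without itself holding the personal data. The retention periods, identifiers, sample people and the log key are assumptions for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Retention schedule per processing purpose. The periods are assumptions for
# this example; take yours from your own retention policy.
RETENTION: Dict[str, timedelta] = {
    "newsletter": timedelta(days=730),     # re-confirm marketing consent every two years
    "event_invites": timedelta(days=365),
}

# Placeholder key for the erasure log; in practice load it from a secrets store.
ERASURE_LOG_KEY = b"replace-with-a-real-secret"


@dataclass
class ConsentRecord:
    subject_id: str       # your internal identifier for the person
    purpose: str          # one record per processing activity, i.e. per tick box
    wording: str          # the exact text shown beside the tick box
    policy_version: str   # privacy policy version in force when consent was given
    given_at: datetime    # timezone-aware timestamp of the positive opt-in
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []
        self.erasure_log: List[dict] = []

    def record(self, subject_id: str, purpose: str, wording: str,
               policy_version: str, given_at: datetime) -> ConsentRecord:
        if purpose not in RETENTION:
            raise ValueError(f"no retention period defined for {purpose!r}")
        rec = ConsentRecord(subject_id, purpose, wording, policy_version, given_at)
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, when: datetime) -> int:
        """Mark consent withdrawn; returns how many records were affected."""
        hits = [r for r in self.records
                if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = when
        return len(hits)

    def has_valid_consent(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Check before every send: consent must exist, not be withdrawn, and be within retention."""
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.withdrawn_at is None
                   and now < r.given_at + RETENTION[r.purpose]
                   for r in self.records)

    def due_for_destruction(self, now: datetime) -> List[ConsentRecord]:
        return [r for r in self.records
                if r.withdrawn_at is not None or now >= r.given_at + RETENTION[r.purpose]]

    def purge(self, now: datetime) -> int:
        """Destroy withdrawn or expired records, logging a keyed hash of the identifier
        so you can prove the erasure later without keeping the personal data."""
        due = self.due_for_destruction(now)
        for r in due:
            ref = hmac.new(ERASURE_LOG_KEY, f"{r.subject_id}:{r.purpose}".encode(),
                           hashlib.sha256).hexdigest()
            self.erasure_log.append({
                "ref": ref,
                "purpose": r.purpose,
                "reason": "withdrawn" if r.withdrawn_at else "retention_expired",
                "destroyed_at": now.isoformat(),
            })
        gone = {id(r) for r in due}
        self.records = [r for r in self.records if id(r) not in gone]
        return len(due)


if __name__ == "__main__":
    utc = timezone.utc
    ledger = ConsentLedger()
    # Constructed sample data, not real people.
    ledger.record("alice", "newsletter", "Email me the monthly newsletter", "v1",
                  datetime(2017, 5, 1, tzinfo=utc))
    ledger.record("bob", "newsletter", "Email me the monthly newsletter", "v2",
                  datetime(2019, 1, 15, tzinfo=utc))
    ledger.record("carol", "event_invites", "Invite me to events", "v2",
                  datetime(2019, 2, 1, tzinfo=utc))
    ledger.withdraw("carol", "event_invites", datetime(2019, 3, 1, tzinfo=utc))
    now = datetime(2019, 6, 1, tzinfo=utc)
    print("send to bob?", ledger.has_valid_consent("bob", "newsletter", now))
    print("send to alice?", ledger.has_valid_consent("alice", "newsletter", now))
    print("destroyed:", ledger.purge(now), "records; erasure log:", ledger.erasure_log)
```

Run the purge on a schedule and call has_valid_consent immediately before each send rather than trusting a list exported weeks earlier; the same check also answers a subject access request ("what consents do you hold for me?") from the records still present.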

Review the physical security of data

  • Is data securely locked away?

  • Consider which individuals have access to the data.

  • Minimise the data you hold.


Cyber security

You as individuals, company owners and employees need to understand what is actually happening when you send an email or access a file. Once you understand it, you can put plans in place to comply.

Some organisations simply delete all data after a year; if you came looking after that time, it would be gone. They held so much data that this was their way of dealing with it.

  • Information security is not only about technology.

  • Information security is about protecting your business assets.

  • Information is one of the most valuable assets in every organisation and every organisation relies on information to support its business activities.

There is increased media attention on high-profile security failures, and breaches now run into the hundreds of thousands of records. Until now there has been no general obligation to report them. From 25th May 2018 you must:

  • You have to know about it.

  • You have to report it.

  • You’ll then have to go through the processes on what data was stolen, what’s missing.

The big thing is many companies may already have been breached, they just might not know it.
 

Who might attack your business?

  • Criminal organisations

  • Politically motivated hacktivists, organisations or agencies

  • Insiders/Employees (could they sell it to competitors?)

  • Someone unexpected who is doing it for fun or interest

Impact of a security breach

  • The data and the fact you were breached will be in the public domain

  • Damage to your reputation

  • Loss of client confidence

  • Possibility of regulatory fines

  • Direct financial loss

  • Loss of competitive advantage

Emails

Email is the biggest single risk to organisations. Once you send an email, there's an interaction with someone at the other end: someone else now shares the data and the files that you sent them. Once they have it, it's out of your control.

It's also the most common entry point for malicious software, via attachments or links in emails.

Malware

Malware is software that is specifically designed to disrupt or damage a computer system.

It’s just like someone driving past your shop and throwing a brick through your window. They don't care who you are or what your business does, they just want to cause damage.

Malware comes from:

  • Unsolicited email attachments

  • Nefarious websites

  • Some software downloads


Ransomware

Ransomware infects a computer system and encrypts its data, demanding a ransom for the key needed to get that data back.

An example was the WannaCry attack that publicly hit the NHS in 2017. They had the choice to either pay the ransom or rebuild all their systems.

The result for the NHS was huge downtime. Fortunately a security researcher found a kill-switch for that attack, but most businesses are not that lucky. The machines affected were running unpatched Windows; the malware spread through a vulnerability Microsoft had already fixed two months earlier.

For some organisations part of their IT strategy is to set up a bitcoin account so that if they get attacked they can pay the attackers really quickly. This would minimise their downtime in the short run.

Clearly we wouldn't recommend that. It is far better to undertake basic IT security processes: keep systems patched, keep tested backups offline where ransomware cannot reach them, and pay particular attention to passwords.

Before clicking on any link, hover over it (or long-press it on a phone) and check that it really goes to the destination it claims. Avoid any links that do not go to a domain you recognise.

Watch out for simple character substitutions in both domains and email addresses: 0 instead of O, 1 instead of l, or rn instead of m are common examples.
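The checks described above (does the link go where it claims, and is the domain a lookalike of one you trust?) can be automated for a mail filter or a staff training exercise. The Python below is an added example, not code from this page, its authors or any tool it names. It classifies each link in an email as trusted, lookalike, mismatch or unknown. The trusted domain list, the confusable-character table and the sample links are assumptions constructed for the example; a real deployment would load the trusted list from your supplier register.

```python
import re
from urllib.parse import urlparse

# Domains this business and its suppliers legitimately use. Assumed for the example;
# populate it from your own supplier list.
TRUSTED_DOMAINS = {"example.com", "ico.org.uk"}

# Two-label public suffixes so that "bbc.co.uk" is treated as one registered domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "me.uk", "com.au", "co.nz"}

# Common substitutions seen in lookalike domains; applied in this order so the
# two-character tricks are undone before the single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def hostname(url: str) -> str:
    """Lower-cased host part of a URL; bare domains without a scheme are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registered_domain(host: str) -> str:
    """The part of the host an attacker must actually own, e.g. 'bbc.co.uk' for 'news.bbc.co.uk'."""
    parts = host.split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def undo_confusables(domain: str) -> str:
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def classify_link(anchor_text: str, href: str) -> str:
    """Return 'trusted', 'lookalike', 'mismatch' or 'unknown' for a link in an email."""
    host = hostname(href)
    target = registered_domain(host)
    if target in TRUSTED_DOMAINS:
        return "trusted"
    # examp1e.com, exarnple.com: a trusted name with characters swapped
    if undo_confusables(target) in TRUSTED_DOMAINS:
        return "lookalike"
    # example.com.login-check.net or example-support.com: the trusted name appears
    # as a label in the host, but the registered domain belongs to someone else
    labels = set(re.split(r"[.-]", host))
    if any(trusted.split(".")[0] in labels for trusted in TRUSTED_DOMAINS):
        return "lookalike"
    # The visible text shows one address while the link goes somewhere else
    shown = anchor_text.strip()
    if "." in shown and " " not in shown:
        shown_domain = registered_domain(hostname(shown))
        if "." in shown_domain and shown_domain != target:
            return "mismatch"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, not taken from a real message.
    samples = [
        ("Log in", "https://portal.example.com/login"),
        ("Log in", "https://examp1e.com/login"),
        ("Pay your fee", "https://ico.org.uk.secure-renewal.net/pay"),
        ("www.example.com", "http://evil-host.net/x"),
        ("Read more", "https://news.bbc.co.uk/story"),
    ]
    for text, href in samples:
        print(f"{classify_link(text, href):10} {text!r} -> {href}")
```

"Unknown" is not "safe": it only means the domain is neither on your list nor an obvious imitation of it, which is exactly the case the hover-and-read habit above is for. The confusable table is deliberately short; Unicode homoglyphs (Cyrillic "а" for Latin "a", for instance) need a separate normalisation step.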

Passwords

The easiest way to gain access to a system is under the guise of a legitimate authorised user.

Your business must have a password policy for every user.

Never ever ever share your password with anyone.

If I can gain knowledge of a password I can access a system with all the authority of the owner of the password. An attacker can impersonate you, and leave a paper trail of chaos with your name on it.

How long a password survives depends on how fast the attacker can guess. Against a login form that rate-limits and locks accounts, guessing is slow; against a stolen file of password hashes it runs offline at anywhere from about a hundred thousand guesses a second (a slow hash such as bcrypt) to tens of billions a second (unsalted MD5 or NTLM on a single GPU). The figures below assume the slower end:

  • A lower-case password with 6 characters (about 300 million combinations) is cracked in under an hour.

  • Add two more letters and make two of them upper case (52^8, roughly 5 x 10^13 combinations) and it takes years.

  • Add one more character and a number (62^9, roughly 10^16 combinations) and it takes thousands of years. Against a fast, unsalted hash the same password falls in about a fortnight, which is why length matters more than character tricks.

  • Better yet, use a long passphrase, unique to each service, and store them in a secure password management tool (such as Passpack, 1Password, LastPass, Dashlane or KeePass), combined with two-factor authentication (use the Authy app; here's a list of sites that support it).
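The crack-time figures above are arithmetic: keyspace divided by guess rate. The Python below is an added example, not code from this page or its authors, that works the three password cases through at three assumed guess rates and compares them with a passphrase in bits of entropy. The guess rates, the demo word list and the scenario labels are assumptions for illustration; real rates depend on the hash algorithm and the attacker's hardware.

```python
import math
import secrets

# Assumed guess rates for illustration only; real figures depend on the hash
# algorithm, the attacker's hardware and whether guessing is online or offline.
GUESS_RATES = {
    "online login form with lockout": 1e2,             # ~100 guesses/s
    "stolen bcrypt hashes, one GPU": 1e5,              # slow, salted hash
    "stolen unsalted MD5/NTLM hashes, one GPU": 1e10,  # fast hash
}

# The three cases from the page, expressed as (label, length, alphabet size).
PASSWORD_CASES = [
    ("6 lower-case letters", 6, 26),
    ("8 letters, two upper-case", 8, 52),
    ("9 mixed letters and a digit", 9, 62),
]

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an attacker must try to exhaust the space."""
    return alphabet_size ** length


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Strength in bits for `symbols` independent, uniformly chosen symbols."""
    return symbols * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst case for the attacker; on average they need about half of this."""
    return keyspace(length, alphabet_size) / guesses_per_second


def human_time(seconds: float) -> str:
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.2f} seconds"


def crack_time_table() -> list:
    """Full-keyspace crack times for each page case at each assumed rate."""
    rows = []
    for label, length, alphabet in PASSWORD_CASES:
        for scenario, rate in GUESS_RATES.items():
            rows.append((label, scenario, seconds_to_exhaust(length, alphabet, rate)))
    return rows


def passphrase(wordlist: list, words: int = 5) -> str:
    """Random passphrase. Strength comes from list size and word count, so use a
    real list of thousands of words (a diceware list), not the demo list below."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for label, scenario, secs in crack_time_table():
        print(f"{label:30} {scenario:42} {human_time(secs)}")
    # A five-word phrase from a 7776-word diceware list beats the 9-character password:
    print("9 mixed characters:", round(entropy_bits(9, 62), 1), "bits")
    print("5 diceware words:  ", round(entropy_bits(5, 7776), 1), "bits")
    demo_words = ["harbour", "pencil", "thunder", "violet", "saddle", "meadow"]  # constructed demo list
    print("example phrase:", passphrase(demo_words))
```

The table makes the point the bullets only hint at: the 9-character password that lasts thousands of years against bcrypt lasts about two weeks against an unsalted fast hash, so the policy has to care about how the service stores passwords, not just how long yours is.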

That’s it for now regarding our GDPR info - but we have put a few common questions below, with associated answers, which you may wish to continue reading.

If not - get back to the top of the page and print off that checklist - using this article as your guide for each point!

GDPR FAQ

Q: Does GDPR apply to paper records as well as electronic records? 
A: Yes. It applies to anything and everything you use to hold personally identifiable data on individuals.

Q: If you have an email list of a few hundred clients, but there’s no formal consent. Do we have until May 25th to get the consent or become unable to store or use this data?
A: Correct, unless you can say that it's in your legitimate interest (see the lawful basis categories above). You must document it and justify it. If your basis is consent, and your consent doesn't comply with GDPR, then you need to refresh your consent or delete the data. If you're providing a service, then your SLA should include this.

Q: Do I NEED consent to send marketing emails to businesses?
A: Not necessarily. If consent is not your lawful basis for marketing, consider legitimate interest. The UK's e-privacy rules (PECR) do not give corporate email addresses the same protection as personal ones, so you do not need evidence of prior consent or consent forms, provided you follow these rules:

  • contacts have business email addresses

  • you have enough info on the contact to determine that the content of the marketing is relevant to the recipient

  • you periodically verify the contact details

  • you must provide an opt-out (unsubscribe) facility

If you want to market to personal email addresses (@gmail, @hotmail etc) they must be an existing client/subscriber or you will need to get consent.

Q: If every email has an unsubscribe link, is that good enough?
A: You have to have a positive indication of consent. No, that is not good enough - keep the unsubscribe link but go further.

Q: Can I use American companies like Mailchimp or Eventbrite?
A: You’re required to have a written agreement with them. You need to perform due diligence and find out where this data is stored. If it can’t be stored within the EEA, then you may want to consider another provider, or ensure they’re contractually obliged to take GDPR approved safeguards.

Q: If someone asks to be forgotten, can I keep some data if it’s important to my business?
A: If your data retention policy is forever, you need to know where that data is. You need to know where you’re archiving it, and where it’s archived to. If there is a legitimate cause for keeping that data for your business or legal needs, then you may be able to keep some of it. You’ll need to let them know what you’re keeping and why, and you’ll need to ensure it’s all documented.

Q: If I pass my accountant invoices, do I need an agreement with them regarding how they handle and process personal data?
A: Yes. A written agreement as of May 25th 2018.

Q: Do you have to go back through backups and remove unneeded or "opted-out" data from there too?
A: If you have access to it, control it, and are not retaining it for legitimate business purposes, or any other of the lawful basis categories above, then yes you should destroy it. At the very least, such backups should be contained within your data retention policy. Once that period runs out, backups should be destroyed in accordance with your data destruction policy.

Q: As a USA based company, I was curious to notice that you didn't have registering with the ICO as one of the steps to follow. Does that need to be done?
A: You only need to consider registering with the ICO if you are processing the data in the UK.
Note how that's different to processing data for individuals resident in the UK.  If personal data is being processed in the UK, then you'll need to register in the UK.

There are some circumstances where, even if you process data in the UK, you don't need to register with the ICO - check via the ICO Registration Self Assessment tool.
In summary, consider ICO registration only when you process personal data within the UK, regardless of where the individuals are resident. 

If you don't process the data yourself, then you will need to check who processes personal data for you and where they do it! If it's within the UK then write to them and ask if they're registered. 

If they're already registered with the ICO, then that might be as far as you need to go. To find out for sure, you can contact the ICO on +44 (0)303 123 1113

You will need a UK contact for your registration, this might be the company you use to process that data. Find out if that company would be willing to use their address as the contact address on your registration to make things easier.

If personal data is processed somewhere else in the EU, then there may be a similar organisation to the ICO that you (or the company processing the data for you) should register with.

If personal data on EU individuals is processed outside the EU then you'll need a recognised transfer mechanism: either the country has an EU adequacy decision, or the processor is bound by approved safeguards such as the European Commission's standard contractual clauses. You can read more about this here. This is referred to as 'International Transfers'.
 



If your business is looking for some technical support regarding GDPR - do give us a call on 020 7223 3390.

NOTE that 3B Digital Ltd is a technical delivery house; we are not lawyers and our advice and guidance - especially in matters relating to data security and the like should be subject to legal review and approval.
