So, you’re a small business or start-up. You know that you need to comply with the EU GDPR (General Data Protection Regulation), because you process EU residents’ personal data, but the trouble is, you don’t know where to begin.
We’ve put together this checklist to help you understand the GDPR and how you can start achieving compliance:
Understand your GDPR responsibilities
Everything else will flow from here, so it’s crucial that you understand your role as a data controller (if you determine how and why data is processed) and/or as a data processor (if you are responsible for processing personal information on the controller’s instructions). You should also appreciate whether you are responsible for other organisations’ compliance – controllers, for instance, are responsible for making sure any processors that work for them also comply with the GDPR.
Get to grips with your data
You can’t protect the personal data you hold unless you have a clear view of it and how it is processed. This is where software such as our Data Flow Mapping Tool comes into play, helping you map all the data flows within your organisation. You also need to understand the different types of personal information that come under the GDPR’s scope – from names and contact details to health information and financial data.
A key part of GDPR compliance is having a lawful basis to process personal data, and consent – which is one of the six lawful bases – can be a tricky one to manage (which is why you’ll see a lot of advice about examining whether you can use one of the other lawful bases instead).
If you do opt to use consent, it needs to be crystal clear: you must explain to the data subjects what information you are collecting and why – and they must actively agree to this and be able to remove that consent just as easily as they gave it.
Stringent storage and security
Take a good, hard look at the technologies and processes you have for both storing data and protecting your infrastructure. You are obliged to keep personal data suitably secure.
Check your supply chain
As outlined at the start, any third party to which you pass personal information for processing – such as an outsourced accountancy firm – is a data processor for your organisation, and needs to be GDPR-compliant, too. Do your due diligence by assessing these relationships, and ensure you have contracts with them that stipulate their responsibilities as data processors.
Train and educate
Make sure all your staff understand their individual responsibilities under the GDPR. You need a dynamic education and training plan that keeps people up to speed and ensures they all buy into the importance of GDPR compliance.
Need more help? Vigilant Software’s tools and consultancy are here to help guide your small business through GDPR compliance. Get in touch with us today to find out more about our GDPR Manager, which helps guide you through the arduous elements of GDPR compliance.