A final word on GDPR

Now that the dust has settled after the rush to comply with the 25 May deadline for GDPR, it’s probably worth taking the time to review your own business’s actions one more time to check that the important areas are covered. After all, we should all have a few extra minutes available now that we don’t have to wade through random emails from organisations that we can’t remember ever subscribing to.

For small and medium sized businesses, the steps required to comply with GDPR are not onerous. As with most legislation, there are areas open to interpretation - what is most important for a business is that it can demonstrate a meaningful attempt to comply with the spirit and principles rather than worrying about every item of small print buried in the legislation.

ICO registration: you need to register your business with the ICO unless you are a not-for-profit organisation such as a club or society. For micro and small businesses this is usually £40 per year, or £35 by direct debit.

Transparency: update your privacy policy or notice and ensure that it is referred to in relevant communications, particularly any personal data collection forms or documents. The privacy policy must include a number of key items such as purpose and nature of data collected, how long it will be kept, the lawful basis of processing and the contacts for people to request details or changes in relation to their personal information held by you. See https://www.cow-shed.com/cow-shed-legal.html for an example.

Lawful basis for processing: GDPR requires that your business has a valid ‘lawful basis’ to process personal data and that you state this in your privacy notice. This is in effect the reason why you process the data, for example because you have a contract with the client or customer, or because they have formally provided consent for you to do so. You can only opt for one lawful basis and if you decide to change it at any point you must have good reasons to do so and document these clearly.

Documentation: you should prepare a brief written record of your data processing activities and review this with the relevant people in your business (which may be fellow directors, board etc). Micro and small businesses do not need to document all data processing activities - the focus should be on the areas referred to in the privacy policy and data security (including handling any breaches). A Data Protection Officer (DPO) does not need to be appointed unless you are processing certain types of sensitive data, but it is often a good idea to nominate an individual within the business to focus on data processes and controls.

  - Review: establish a date for a periodic review (usually annually) of your business’s data processes and controls to ensure that they are compliant and to identity any areas requiring enhancement.  

ICO has a helpful guidance page for micro, small and medium organisations.