Now that the dust has settled after the rush to comply with the 25 May deadline for GDPR, it’s probably worth taking the time to review your own business’s actions one more time to check that the important areas are covered. After all, we should all have a few extra minutes available now that we don’t have to wade through random emails from organisations that we can’t remember ever subscribing to.
For small and medium-sized businesses, the steps required to comply with GDPR are not onerous. As with most legislation, there are areas open to interpretation - what matters most for a business is that it can demonstrate a meaningful attempt to comply with the spirit and principles, rather than worrying about every item of small print buried in the legislation.
ICO registration: you need to register your business with the ICO unless you are a not-for-profit organisation such as a club or society. For micro and small businesses this is usually £40 per year, or £35 by direct debit. See https://ico.org.uk/for-organisations/data-protection-fee/
Lawful basis for processing: GDPR requires that your business has a valid ‘lawful basis’ to process personal data and that you state this in your privacy notice. This is in effect the reason why you process the data, for example because you have a contract with the client or customer, or because they have formally provided consent for you to do so. You can only opt for one lawful basis, and if you decide to change it at any point you must have good reasons to do so and document these clearly.
Review: establish a date for a periodic review (usually annually) of your business’s data processes and controls to ensure that they are compliant and to identify any areas requiring enhancement.
The ICO has a helpful guidance page for micro, small and medium organisations at https://ico.org.uk/for-organisations/business/