If you’re reading this, you likely run or work for a small business and are concerned with the status of your GDPR compliance. Our aim here at CaPS is to take the worry and time out of your GDPR compliance activities. We aim to bring added value to the table and ensure you can spend your time concentrating on growing your business.
A common misconception among small business owners is that the GDPR doesn’t apply to them. The most common myth is ‘I have under 250 employees, so it doesn’t apply to me’. Unfortunately, this isn’t the case. The 250-employee figure only concerns a partial exemption from keeping records of processing activities (Article 30), and even that exemption falls away if your processing is not occasional, is likely to result in a risk to individuals, or involves special category or criminal offence data. Whether the GDPR applies depends on what you process and where, not on headcount: if you are established in the EU, or you offer goods or services to, or monitor the behaviour of, individuals in the EU from anywhere in the world, then the GDPR applies to you!
Keeping personal data secure is a positive signal to your clients and supply chain that you take your responsibilities seriously, and it can only enhance your reputation and build confidence in your client base. From experience, we at CaPS know that a review of processing operations, especially the retention of physical records, can have a tangible impact on the costs of outsourced storage. So we can demonstrate that having an effective and compliant data privacy regime can contribute to the bottom line!
You should make sure that decision-makers and key people in your organisation are aware that the law has changed and the GDPR is now in effect. They need to appreciate the impact this has on how the business collects, stores and shares personal data.
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
You should review your current privacy notices.
You should check your procedures to ensure they cover all the rights individuals have under the GDPR, including how you would delete personal data (the right to erasure) or provide it electronically in a structured, commonly used and machine-readable format (the right to data portability).
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information. Under the GDPR you must respond to a subject access request without undue delay and at the latest within one month of receipt, extendable by a further two months only where requests are complex or numerous, and in most cases you can no longer charge a fee.
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Under the GDPR a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of you becoming aware of it, and the individuals affected must be told without undue delay where the breach is likely to result in a high risk to them. Rehearse the process before you need it, and keep a log of every breach, including those you decide not to report and the reasons why.
You should familiarise yourself now with the ICO’s guidance on Data Protection Impact Assessments (the GDPR’s successor to Privacy Impact Assessments), as well as the DPIA guidelines originally issued by the Article 29 Working Party and since endorsed by its successor, the European Data Protection Board, and work out how and when to carry them out in your organisation. A DPIA is mandatory before any processing that is likely to result in a high risk to individuals, for example systematic and extensive profiling or large-scale processing of special category data.
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer: this is mandatory if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special category or criminal offence data.
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines on identifying a lead supervisory authority, now endorsed by the European Data Protection Board, will help you do this.
Still feeling a little overwhelmed? Start by watching our Introduction to GDPR YouTube videos presented by CaPS director Derek Mann.
Being a small business ourselves, we understand the importance of adding value to your business. This is why we develop and tailor our services to suit your needs. Whether you need us to take control of your GDPR compliance or to offer ad-hoc consultancy services, we can provide you with cost-effective solutions.
Get in touch via our contact page for a no-obligation discussion to see how we can work together.