
The Ultimate GDPR Checklist for SMBs

September 5, 2018

What are the General Data Protection Regulations?

 

The General Data Protection Regulation (GDPR) was introduced in May 2018, replacing the previous regime, the Data Protection Act 1998. The DPA was established before social media existed and before online data became the valuable asset that it is today.

 

The General Data Protection Regulation (GDPR) was drawn up by the EU, strengthening the data rights of EU residents and harmonising data protection laws across all member states.

What does the General Data Protection Regulations protect against?

 

Overall, the GDPR increases the potential fines organisations face for misusing data, and makes it easier for the public to find out what data an entity holds on them. It also gives them the right to order that data be destroyed.

 

The GDPR essentially gives consumers:

 

‘The right to be informed’

‘The right to make changes to your data’

‘The right to be forgotten’

'The right to view your data’

‘The right to limit how your data is used’

‘The right to say no’

 

What is personal data?

 

‘Personal data’ is anything that allows a living person to be identified (name, address, etc.). ‘Sensitive personal data’ is a special sub-category (religion, political views, sexual orientation, etc.). Both are protected under GDPR.

 

Implications for non-compliance

 

The Information Commissioner’s Office (ICO) enforces GDPR in the UK. The penalty for failing to report a data breach within 72 hours of becoming aware of it is either 2% of your annual turnover or €10 million.

 

Then there is the fine for the breach of personal data itself. Data breaches under GDPR can be punished by a maximum fine of 4% of your organisation's annual turnover or €20 million, whichever is higher.

 

The GDPR also states that fines will be ‘proportional’, so you are unlikely to face the maximum fine for a minor breach.

 

Identifying which type of business entity you are: "Data Controller" vs "Data Processor"

 

According to the ICO, a "data controller" means a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

 

A “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

 

Data Controller's Ultimate Checklist for GDPR Compliance

 

PART ONE: Lawfulness, fairness & transparency:

1. Data Flow Audit

 

Has your business conducted an information audit to map data flows?

 

Once you have audited the flow of information within your business, you will then be able to identify any risks.

 

2. Personal Data Review

 

Has your business documented what personal data you hold, where it came from, who you share it with and what you do with it?

 

3. ‘Lawful Basis’ Review

 

Has your business identified and documented your lawful basis for processing data?

 

There are 6 lawful bases:

 

(1) Consent for a specific purpose;

(2) Contract: processing is necessary for a contract you hold with an individual;

(3) Legal obligation;

(4) Vital interests (eg in protecting a person’s life);

(5) Public interest;

(6) Legitimate business interests (as long as the individual knows what you are doing with the data, you can hold it in order to do business with them).

 

4. Consent

 

Has your business reviewed how you ask for and record consent?

 

Keep consent requests separate from other terms and conditions. Use positive opt-in mechanisms such as unticked opt-in boxes. Avoid making consent a pre-condition of service. Tell individuals that they can withdraw consent at any time, and how. Name your business and any third parties that rely on this consent.

 

5. Children’s Consent

 

Do you have consent to process children’s personal data for online services?

 

If you are relying on ‘consent’, only children over the age of 13 can provide it legitimately. You will therefore need to make reasonable efforts to establish whether a child is over 13. Parental consent will be needed for anyone under this age.

 

6. Vital Interests

 

If you are required to process data to protect ‘vital interests’, has your business clearly documented its use?

 

7. Legitimate Interests

 

If you are relying on ‘legitimate interests’ as a basis for holding data, has your business applied the 3-part test, and can you demonstrate that you have fully considered and protected individuals’ rights and interests?

 

Three-Part Legitimacy Test:

 

1) Identify the ‘legitimate interest’ as outlined in the GDPR, e.g. data from a client; data held for marketing; employee data; data used by the IT team for security purposes.

 

2) Apply the necessity test: does holding the data further that interest? Is it a reasonable way to go about it?

 

3) Apply the balancing test: consider the impact of your processing on the individual and whether it overrides the interest you have identified. Put simply, would people expect you to use the data in this way?

 

8. Data Protection Fee

 

Is your business registered with the Information Commissioner’s Office?

 

PART TWO: Individual's rights:

1. Right to be informed

 

Has your business informed individuals that you are collecting their data, why you are processing it and who you are sharing it with?

 

You should publish this privacy information on your website and within any forms or letters you send to individuals. The information must be transparent, concise, written in clear and plain language, and free of charge.

 

2. Communicate the processing of children’s data

 

If your business offers services directly to children, you need to communicate privacy information to them in a way that they will be able to understand.

 

3. Right of access

 

Has your business got a process in place to recognise and respond to individuals' requests to access their personal data?

 

Individuals have the right to obtain: (a) confirmation that you are processing their data; (b) access to their personal data; (c) any supplementary information as requested.

 

4. Right to rectification and data quality

 

Has your business implemented processes to ensure that the personal data you hold remains accurate and up to date?

 

5. Right to erasure including retention and disposal

 

Individuals have the right to be forgotten. Have you implemented processes to ensure that you can delete data securely?

 

6. Right to restrict processing

 

Has your business got procedures in place to respond to an individual's request to restrict the processing of their personal data?

 

When processing is ‘restricted’ you are permitted to hold the data; you just cannot continue to process it. You may retain just enough information about the individual to ensure that the restriction is respected in the future, e.g. a list of people who have ‘unsubscribed’ from your website.

 

7. Right to data portability

 

Has your business implemented processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way?

 

8. Right to object

 

What if an individual objects to your business's handling of their data? Do you have a procedure in place for this situation?

 

You must inform individuals of their right to object “at the point of first communication” and present it separately from the other information on rights laid out in your privacy notice. Individuals can object verbally or in writing.

 

9. Rights related to automated decision making including profiling

 

Have you implemented safeguards to protect individuals against the risk that a potentially damaging decision is taken about them without human intervention?

 

PART THREE: Accountability & governance:

1. Accountability

 

Has your business established an appropriate data protection policy?

 

1) The policy should be created, approved by management and communicated to all staff

2) Your business should monitor compliance with this policy regularly

3) Your business should provide Data Protection awareness training for all staff

 

2. Processor Contracts

 

Has your business got a written contract with any processors used?

 

You are directly liable for any compliance issues. You therefore need a contract in place with every processor you use, so that you are covered if they breach it.

 

3. Information Risks

 

Does your business manage information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively?

 

You need a senior member of staff who is responsible for managing risks, coordinating the procedures put in place to mitigate them, and logging and assessing risks.

 

4. Data Protection by Design

 

Has your business implemented appropriate technical and organisational measures to integrate data protection into processing activities?

 

5. Data Protection Impact Assessments

 

Do you have measures in place to deal with breaches as and when they arise?

 

You must do a DPIA before you begin any type of processing which is ‘likely to result in a high risk’.

 

6. Data protection officers

 

Have you nominated a data protection officer (DPO)?

 

DPO responsibilities include: (i) informing and advising employees and the organisation on GDPR; (ii) monitoring compliance; (iii) advising on data protection impact assessments; (iv) being the contact point for all breaches, etc.

 

7. Management responsibility

 

Do key decision makers demonstrate support for GDPR and promote a positive culture of data protection compliance?

 

PART FOUR: Data security, international transfers and breaches:

1. Security policy

 

Do you handle/process data in a way that is secure?

 

If you are a small business, you may not even have to invest in a large information security system; it could be completely free. You just need to make sure you have a secure procedure in place and that you have made it explicit in your privacy policy.

 

2. Breach notification

 

Does your business have effective processes in place to identify, report, manage and resolve any personal data breaches?

 

There is a duty on all organisations to report certain types of personal data breaches to the ICO.

 

3. International transfers

 

Does your business ensure an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area?

 

Data Processor's Ultimate Checklist for GDPR Compliance

 

PART ONE: Lawfulness, fairness & transparency:

1. Data Flow Audit

 

Has your business conducted an information audit to map data flows?

 

Once you have audited the flow of information within your business, you will then be able to identify any risks.

 

2. Personal Data Review

 

Has your business documented what personal data you hold, where it came from, who you share it with and what you do with it?

 

PART TWO: Accountability & governance:

1. Accountability

 

Has your business established an appropriate data protection policy?

 

1) The policy should be created, approved by management and communicated to all staff

2) Your business should monitor compliance with this policy regularly

3) Your business should provide Data Protection awareness training for all staff

 

2. Data protection officers

 

Have you nominated a data protection officer?

 

DPO responsibilities include: (i) informing and advising employees and the organisation on GDPR; (ii) monitoring compliance; (iii) advising on data protection impact assessments; (iv) being the contact point for all breaches, etc.

 

3. Management responsibility

 

Do key decision makers demonstrate support for GDPR and promote a positive culture of data protection compliance?

 

4. Data Protection Impact Assessments

 

Do you have measures in place to deal with breaches as and when they arise?

 

You must do a DPIA before you begin any type of processing which is ‘likely to result in a high risk’.

 

5. Data Protection by Design

 

Has your business implemented appropriate technical and organisational measures to integrate data protection into processing activities?

 

6. Training & Awareness

 

Does your business provide data protection awareness training for all staff?

 

7. Processor Contracts

 

Has your business got a written contract with any processors used?

 

You are directly liable for any compliance issues. You therefore need a contract in place with every processor you use, so that you are covered if they breach it.

 

8. The use of sub-processors

 

Has your business sought prior written authorisation from the controller before engaging the services of a sub-processor? Is there a contract in place?

 

9. Operational base

 

Does your business operate outside of the EU? If so, you should have appointed a representative within the EU in writing.

 

10. Breach notification

 

Has your business got an effective process for identifying and reporting any personal data breaches to your controller?

 

PART THREE: Individual’s rights:

1. Right of access

 

Has your business got a process in place to recognise and respond to controllers' requests to access the personal data you hold for them?

 

Individuals have the right to obtain: (a) confirmation that you are processing their data; (b) access to their personal data; (c) any supplementary information as requested.

 

2. Right to rectification and data quality

 

Has your business implemented processes to ensure that the personal data you hold remains accurate and up to date?

 

3. Right to erasure including retention and disposal

 

Individuals have the right to be forgotten. Have you implemented processes to ensure that the controller can delete data securely?

 

4. Right to restrict processing

 

Has your business got procedures in place to respond to a controller's request to restrict the processing of personal data?

 

When processing is ‘restricted’ you are permitted to hold the data; you just cannot continue to process it. You may retain just enough information about the individual to ensure that the restriction is respected in the future, e.g. a list of people who have ‘unsubscribed’ from your website.

 

5. Right to data portability

 

Has your business implemented processes to allow controllers to move, copy or transfer their personal data from one IT environment to another in a safe and secure way?

 

PART FOUR: Data security:

1. Security policy

 

Do you handle/process data in a way that is secure?

 

If you are a small business, you may not even have to invest in a large information security system; it could be completely free. You just need to make sure you have a secure procedure in place and that you have made it explicit in your privacy policy.


Disclaimer: The information herein is merely a guide. You should consult a legal representative to ensure you are compliant with the GDPR guidelines.


Want help implementing your GDPR strategy? Envie Digital Marketing have got you covered. Email us at info@create-envie.com or call us on +447725844846.
