If you are a small or medium-sized business finding that GDPR feels like an overwhelming task, focus on some key areas and objectives and get some of the important things off the list. Focus on ensuring you have:
the capability to respond to SARs (subject access requests) within the correct time frame;
a procedure laid out for reporting data breaches to supervisory authorities within 72 hours;
agreed timescales on the retention periods of personal data;
a plan to carry out staff awareness training so that they can understand what personal data is and how it should be dealt with according to your GDPR compliant company policies.
Do an overall review of your data processing activities to be sure that you are processing data fairly and lawfully and for specified purposes only. Check that the data you are collecting is relevant and not excessive and that it is accurate and up to date, not kept for longer than necessary, protected by appropriate security and not transferred outside the EEA without adequate protection. These are the essential things you need to think about and act upon without delay!
Create or amend your Privacy Notice; we have templates to help you. Remember to cover what information is being collected, who is collecting it, how it is collected, why it is being collected, how it will be used, and who it will be shared with.
Get some of the basic in-house things sorted out straight away - data breaches often occur because simple things were not put in place, such as:
staff not trained about data security;
lack of physical security to protect data;
no access control in place;
portable devices not encrypted;
data not being backed up;
not checking that storage providers are complying with GDPR.
There is a government programme called Cyber Essentials that you can access to gain a certification, or simply for advice on how to protect yourself against online attacks.
Additionally, as a data controller, familiarise yourself and staff with the rights afforded to individuals (data subjects) under GDPR (most are subject to conditions):
right of access to personal data;
right to prevent direct marketing;
right of rectification and erasure of data;
right to object to automated decision making;
right to claim compensation;
right to prevent processing of personal data.
Other things to consider as soon as possible:
Clarify your lawful basis for processing all types of data;
Put a process in place that helps you record and manage consent if you are using that as a lawful basis;
Think about data protection by design and default and how you can build it in to future projects and systems;
Check that you have contracts in place with third parties who process data on your behalf, laying out specifically what they can and cannot do with the data you submit to them.
Do a DPA (a DPA self-assessment toolkit is available through the ICO website*).
*Remember that you can use the ICO (or the appropriate authority in your country) for assistance; it is a free service that offers advice with a view to helping people become compliant. These governing bodies exist to help companies become compliant; they are not in place simply to penalise.