Is Your Business GDPR Ready? Last-Minute Checklist

On 25th May 2018, the EU General Data Protection Regulation (GDPR) came into effect. The EU’s attempt to unify the European approach to data regulation has been covered extensively over the months leading up to the big event and no doubt it will be a topic of intense conversation for many months more.

However, despite the intense media coverage and numerous conversations, some businesses are still not prepared or compliant with the new regulations.

Whether they believe the regulations will not affect them or it being down to simple misinformation, it is vital that every business – no matter how small – becomes compliant now in the early stages of GDPR.

Heavy fines and tough action will not be exacted in the learning stages of the regulation. So, it is far better to ready your business now in the more lenient stages than take the risk of being non-compliant in the long term. There are a number of steps that you can take in order to ensure that your business is GDPR ready:

Does it Apply to You?

This is the big question for many small business owners. Do these regulations still apply to your business if you’re a much smaller fish in the pond? Well, the answer to that is a definitive yes. Any business that deals with the processing or storage of data pertaining to EU individuals must be GDPR ready and follow best practice.

So-called ‘controllers’ and ‘processors’ of data need to define and showcase their role in the handling of data. As such, controllers state why and how all personal data is processed, while the actual processors handle the data. The controller is typically any organisation – from big business to non-profit – while the processor would be an IT firm in most likelihood. A controller is ultimately responsible for their data, meaning they need to be sure that the processor is abiding by data protection laws and ensure they are keeping detailed records of their processing activities. The new GDPR regulations mean that a processor is far more liable than they were under the previous Data Protection Act.

Therefore, if your business either controls or processes EU user data then GDPR regulations absolutely apply to you and your business.

Lawful Processing

To be GDPR ready your business needs to be able to prove that it is lawfully processing all data it holds. Lawful processing has a number of meanings; it includes that the user has consented to you holding their data; you are being compliant with any legal or contractual obligation you may have; that processing the data is in public interest; or the controller has a legitimate interest to process the data (i.e. to prevent fraud and not just to sell something to the user). One of these must apply to justify processing the data.

All of this must then be completely transparent to the data subject and all data must be deleted once it is no longer required.

Gaining Consent

Typically, your business will need the user to ‘opt-in’ to you holding their data. This is an active affirmation by the subject of your data, instead of passive acceptance or forced acceptance that has been the norm under current models. Once you have this consent, as a controller you must keep a dedicated record of how and when you gained it.

You must also be aware that at any given time a data subject can withdraw their consent and you must remove them from your database. This is known as the ‘right to be forgotten’ under GDPR legislation. If a subject exacts this right, then a data controller is responsible for deleting their data and informing other parties to do the same if they had shared it.

Last-Minute Checklist

Still not sure if your company is GDPR ready? This checklist is the information you need to showcase to prove you are compliant:

• What data do you have? Why?
• How have you collected this data?
• Where is it stored? How?
• How is the data used?
• Do you share this data with third parties? Why? What data?
• Who is responsible for the data and the processing thereof?
• Is there a data retention and deletion plan in place?
• Do you have the appropriate technology to process and store data?

In light of these changes, it is important to note that GDPR isn’t out to get businesses. It has simply been put in place to protect the individual more and force more transparency when it comes to user data. So long as you and your business comply with these regulations, you should not have difficulties when it comes to facing the new data protection laws.

If you need more information, the Information Commissioner’s Office has a number of resources available to help your data self-assessment prior to becoming GDPR ready.