I am a small business owner and my company uses, stores and processes personal data of individuals. I understand GDPR is applicable to my business, but what next?
How do I demonstrate my GDPR compliance?
SME Owner
In the following sections we run through the steps required to start your GDPR compliance journey:
Identification and Recording of the Types of Personal Data
You can protect personal data only if you know what you are protecting, where it is located and what you need it for.
It is fine to keep a spreadsheet that records:
- the type of personal data, the justification for using it (the "processing purpose" in GDPR parlance), and the duration for which you will use the data.
Note that you do not have to record each individual piece of information; you are only required to record the type of information.
For a detailed understanding of processing purposes you may want to read the post on Lawful Basis of Processing.
Letting people know about personal data
GDPR makes it mandatory for companies to publish a Privacy Notice containing the following information:
- The name of the person who owns data protection within your company
- The types of personal data you are going to process
- The duration for which you are going to process the data
- Who you are going to share the data with
- The purpose of processing
- How the data was collected, e.g. from a direct interview or an online form
- How people can view and correct their data
- How people can complain to the local Data Protection Authority
- Whether you use automated decision-making or profiling, and whether you publish this on leaflets
Keep Personal Data Only for as Long as You Need It
The company should define and implement a policy that covers the following:
- The length of time for which to retain the personal data collected, taking into account the type of data and the purpose for which it is held.
- Once this duration has been established, dispose of data that has been stored for longer than this period, and ensure that data is not kept beyond the specified time frame.
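As an added example (not part of the original post), the record of processing types and the retention rule above expressed as a small Python check: a register giving a retention period per data type and purpose, and a routine that reports which stored items have outlived it and which have no register entry at all. All data types, purposes, periods, identifiers and dates are constructed placeholders.

```python
from datetime import date, timedelta

# Register of processing, as the spreadsheet described above would hold it:
# (data type, processing purpose) -> retention period in days.
# Constructed values for illustration only, not taken from any regulation.
RETENTION_REGISTER = {
    ("customer contact details", "order fulfilment"): 365 * 2,
    ("job applications", "recruitment"): 180,
    ("cctv footage", "premises security"): 30,
}

# Constructed sample of what is actually stored: what it is, why, and when collected.
STORED_ITEMS = [
    {"id": "cust-1001", "type": "customer contact details",
     "purpose": "order fulfilment", "collected": date(2021, 3, 1)},
    {"id": "app-42", "type": "job applications",
     "purpose": "recruitment", "collected": date(2023, 11, 15)},
    {"id": "cam-7", "type": "cctv footage",
     "purpose": "premises security", "collected": date(2024, 1, 2)},
    {"id": "mkt-3", "type": "email address",
     "purpose": "marketing", "collected": date(2024, 1, 2)},
]

# Date of the review run; fixed here so the result is reproducible.
REVIEW_DATE = date(2024, 3, 1)


def review_retention(items, register, today):
    """Sort stored items into keep / dispose / unregistered.

    An item whose (type, purpose) pair is missing from the register has no
    documented purpose or retention period; it is reported separately so the
    register can be corrected before a retention decision is made.
    """
    keep, dispose, unregistered = [], [], []
    for item in items:
        key = (item["type"], item["purpose"])
        if key not in register:
            unregistered.append(item["id"])
            continue
        expires = item["collected"] + timedelta(days=register[key])
        (dispose if today >= expires else keep).append(item["id"])
    return {"keep": keep, "dispose": dispose, "unregistered": unregistered}


if __name__ == "__main__":
    for bucket, ids in review_retention(STORED_ITEMS, RETENTION_REGISTER, REVIEW_DATE).items():
        print(f"{bucket}: {ids}")
```

The "dispose" list is the input to the disposal step, and the "unregistered" list is a gap in the record of processing that should be closed first.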
Personal Data Security
You should have:
- A data protection policy that incorporates the procedures on data security
- Implementation records for the data security measures
Some of the key points that should be considered are as follows:
- Password security
- Restricted access to server rooms
- Data encryption
- Data backup
- Logging off computers when not in use
- Providing information on a need-to-know basis
- Identification and Management of Data Breaches
Individual Rights
As a business owner responsible for data protection, you must ensure:
- That employees are adequately trained on all data protection procedures and tools
- That sufficient tools are provided to data subjects (customers, employees, etc.) so that they can access their personal data
- That you provide the requested information to the individual within one month of the request
The policy document, training records, and tool records can be presented as evidence of compliance activities.