GDPR (General Data Protection Regulation) can seem like a daunting law for many small businesses to consider. This short guide breaks it down into a checklist to make it easier to digest. It is essential for any business to consider, because failing to follow GDPR means that the government can issue hefty fines.

This guide is going to follow a checklist of points to be considered one by one:

  • What is GDPR?
  • What are the ‘data protection principles’?
  • What is personal data?
  • What is a breach?
  • What is ‘privacy by design’ and ‘consent’?

What is GDPR?

The General Data Protection Regulation (GDPR) is a law brought in by the European Union (EU) in 2018. It affects any business that collects data on any citizens within the EU. After the UK left the EU, the regulation was brought into UK law as the UK GDPR. Despite the change, the fundamentals remain the same. This article follows the UK GDPR; if you target people in the EU outside of the UK, you may want to look at the EU GDPR.

The UK GDPR may affect you differently if you are a ‘controller’ or ‘processor’.

Controller

Controllers are those who make decisions about the purposes and means of processing personal data (this can be a person, agency, authority or body). They have overall control over the personal data and are responsible for ensuring that the UK GDPR is followed at all times. The controller is able to gather the information and pass it on to processors to use.

For example:

  • those who keep an employee payroll
  • those who hold their customers’ email addresses
  • payment providers like PayPal

Processor

Processors are those who act on behalf of a controller, following its instructions to process the data (this can be a person, agency, authority or body). They still have a responsibility to follow the UK GDPR, but they carry out activities with personal information at the request of the controller. They may have capabilities for using that data which the controller lacks, and that is why they are used.

For example:

  • marketing agencies working for clients
  • market research companies working for clients

Data protection entities

When it comes to the UK GDPR, there are two entities that you need to be aware of as a business owner in the UK:

  • UK Government — the government is responsible for laying out all of the rules and regulations of business practice. It passes laws that may affect many industries, so it is worth keeping up to date with any changes.
  • Information Commissioner’s Office — the independent authority on information rights, which ensures that data protection laws are always followed. It reports to the UK government and is funded as part of the Department for Digital, Culture, Media and Sport.

What are the ‘data protection principles’?

When using personal data, you must follow the ‘data protection principles’ set out by the government.

  • Fair, lawful and transparent — the reason for collecting personal data must be fair, how you gather that data must be legal, and you must be honest about how you plan to use that data.
  • Specified purpose — the purpose for collecting data must be precise, and you must document that purpose for the individuals concerned.
  • Adequate, relevant and necessary — the data you collect must fulfil your purpose sufficiently, it must be appropriate, and you must not hold more information than the purpose needs.
  • Not kept longer than needed — data must be deleted once the purpose has been fulfilled and it is no longer required.
  • Ensured security — you must put security measures in place to protect the data from being breached or stolen.

What is personal data?

Personal data is any information that can identify someone, either directly or indirectly.

Some examples according to the ICO (Information Commissioner’s Office) are:

  • Names
  • Identity number
  • Location
  • Physical factors
  • Physiological factors
  • Genetic factors
  • Mental factors
  • Economic factors
  • Cultural factors
  • Social identity

What is a breach?

According to the ICO, a security breach involving personal information can have many consequences, including:

  • An unauthorised third party gaining access
  • Sending personal data to the wrong party
  • Loss or destruction of personal data
  • Alteration to personal data

Breaches can be accidental or deliberate and can affect the confidentiality, availability or integrity of the data. When a data breach occurs, the action you need to take depends on the level of risk to the rights or freedoms of the individuals concerned.

If the breach poses a risk to individual rights or freedoms, you must notify the affected people immediately. If the breach is unlikely to put individual rights or freedoms at risk, then they do not need to be informed, though you must be able to demonstrate and document that this is the case. To seek advice on the risk, you should notify the ICO.

What is ‘privacy by design’ and ‘consent’?

According to the UK GDPR, it is a legal requirement to put in place measures that implement ‘data protection by design and by default’. This means that you should design your processing and business practices with data protection and privacy in mind from the outset. Everything, whether technical or organisational, should be built around the principles.

To comply with the UK GDPR, you should seek consent from individuals before you collect any personal information, which means that individuals must have a genuine choice over whether or not to hand over their personal information. For example, this can mean that an employee signs permission for their details to be used in the payroll system. Or it could mean that before collecting individuals’ email addresses, you expressly ask whether each person agrees to this.

Following the principles and understanding the practice of the UK GDPR should allow you to have a compliant business that avoids fines.