Post GDPR – what SMEs should be doing one year on from GDPR

It’s almost a year since the EU General Data Protection Regulation (GDPR) came into force. Described as the most important change in data privacy regulation in 20 years, its aim was to update laws that protect the personal information of individuals, and organisations that don’t comply could face heavy fines.

As a small business, you may think that GDPR only applies to big businesses. However, all businesses, including SMEs, have a duty to protect their own data and the data of other people.

Now in a post-GDPR era, we’ve put together a handy checklist for SMEs to make sure you are doing everything you should to become and remain compliant.

Documented data map

You should have a documented data map that:

1. Details what personally identifiable data you hold. This is any information that could identify a person, such as their name, social security number, mother’s maiden name, date and place of birth. It also includes information that is linkable to the person, such as financial, educational, employment or medical records.
2. Explains where that data has come from.
3. States where you store the data.
4. Lists who you share the data with.
5. Says how long you keep the data.
6. Justifies the lawful basis for collecting/holding the data.

Documented procedure for data breaches

This should explain how you will:

1. Detect a breach.
2. Report it to the Information Commissioner’s Office (ICO).
3. Investigate it – include who in your organisation is responsible for leading the investigation, how they will do it and expected timescales.
4. Log it – explain how you will document the breach and results of the subsequent investigation. Include any lessons learned and improvements that could be made to your processes as a result.

Documented procedure for Subject Access Requests (SAR)

People have a right to access their personal data, and this is often referred to as ‘subject access’. Requests can be made in writing or verbally, and organisations have one month to respond.

You should:

1. Be able to recognise a subject access request and understand when the right to access the data applies.
2. Have a policy for recording requests.
3. Understand when a request can be refused and the information that you need to provide to individuals when you do so. The ICO has further information on when a request can be refused: https://ico.org.uk/for-organisations/guide-to-freedom-of-information/refusing-a-request/
4. Understand the type of supplementary information which should be given in response to a request.
5. Have a process in place which ensures you respond to requests without undue delay and within one month.
6. Be aware that there are circumstances in which the time limit to respond can be extended. The ICO has further information on when the time limit to respond can be extended: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
7. Understand that you should use clear and plain language if disclosing information to a child.
8. Understand what must be considered if the request includes information about others.

Documented procedure for staff joining/leaving your organisation

You should have a written process in place that identifies how you will:

1. Ensure data that is no longer needed is destroyed.
2. Secure systems so that staff who have left the company can no longer access them.

Review documentation

It isn’t enough to put your documentation in place once and never revisit it. Post-GDPR, you should regularly review your processes to ensure they remain functional and accurate.

You should also have, or be working towards, an accreditation that encapsulates these processes and best fits the needs and size of your SME. Examples include Cyber Essentials, Cyber Essentials Plus or ISO 27001.