The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. This policy directive was adopted in May 2016 to make Europe fit for the digital age. How does it affect small businesses?
The GDPR brings a lot of extra work for organizations that are considered to process Personal Data. For small businesses who feel overwhelmed with all the attention and threatening articles, here is a very easy GDPR-compliance checklist you can go through.
How will GDPR affect small businesses?
By: AllBusinessTemplates.com
May 25, 2018
- Understand what is Personal Data
- Check if the people in your database have given consent (from EU)
- Perform a Data Protection Impact Assessment (DPIA)
- Create or update external Privacy Policy and Data Protection Policy
- Prepare for Access Requests
- Create a “Request to Access Personal Data” Button or Page on your Website
- Explain the changes in the law to your Employees
- Check if Your Suppliers are GDPR-ready
- Do I need to appoint a GDPR DPO (Data Protection Officer)?
What is Personal Data?
GDPR is all about personal data, and you should understand what is considered “personal data” under the new regulations and which kinds of it you deal with. Chances are that you do collect personal data: even if you only collect the names and telephone numbers of your customers, you are collecting personal data. Also know how you collect that data, how you use it and how you store it.
“Personal Data” (PD) means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (Definition from the Regulation.)
Check if the people in your database have given consent (from EU)
GDPR states that all personal data collected requires proof of consent. “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Consent is given for a specific purpose: for example, if you have consent from your customers to collect their personal data for business operations purposes, you cannot send them marketing materials on the basis of that same consent.
Perform a Data Protection Impact Assessment
Performing a DPIA under the GDPR helps an organization to identify, assess and mitigate or minimize the privacy risks of its data processing activities.
DPIAs are particularly relevant when a new data processing process, system or technology is being introduced. The DPIA Register is a spreadsheet that keeps track of all the data breaches that have happened and how they were dealt with.
Source: www.allbusinesstemplates.com/template/WZQ23
Create or update external Privacy Policy and Data Protection Policy
Make sure your website is updated, for example with a Privacy Policy and a Data Protection Policy that are in line with the new GDPR directive.
Use the definitions from the GDPR, mention the new changes you will make in relation to it, and send a notification to the people in your database with a request to continue communicating with them.
Source: www.allbusinesstemplates.com/template/ZXRK9/
Prepare for Access Requests
Under the GDPR, all citizens will have the right to insight into and access to their personal data.
They will also be able to rectify inaccurate data, object to their data being processed, or even completely erase any of their personal data you hold. You must be able to process such requests within a prescribed period of time.
Create a “Request to Access Personal Data” Button or Page on your Website
Under GDPR, all EU residents will have an “Access-request” right over the companies and organizations that collect their personal data. Using that right, they will be able to access the personal data that was collected about them.
Having a clear request solution, as well as a privacy and data protection policy page on your website, will make it easier for you to handle those requests.
Explain the changes in the law to your Employees
Make sure your employees are aware of the changes in the law. Send them a brief memo with the topics that are relevant for them to know. Explain the possible responsibilities for employees regarding compliance that came with the introduction of the new GDPR directive.
They should be able to notify the responsible persons in your organization in case of data breaches or other violations.
Check if Your Suppliers are GDPR-ready
Contact your suppliers in time to make sure that they take action to prevent data breaches and other violations.
They need to review their policies and contracts to ensure that you will not face any sanctions caused by third parties or your suppliers.
Do I need to appoint a GDPR DPO (Data Protection Officer)?
When carefully reading the GDPR directive, you can conclude that it is not specified when a DPO should be appointed. A soon-to-be-established Supervisory Authority will provide us with this answer. This will depend on the data intensity of your company.
Article 37 of the GDPR document states that companies and organizations need to appoint a designated Data Protection Officer (DPO) when these conditions are met:
(a) The data processing is carried out by a public authority or body; or
(b) The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”
You might consider appointing a DPO, just to be sure, but there is no need to hire one.
Do you wish to become GDPR compliant? Then you should also check out this free GDPR implementation planning:
Source: www.allbusinesstemplates.com/template/BTFMP/
NOTICE ALLBUSINESSTEMPLATES.COM | The information in this document is designed to provide an outline that you can follow when formulating business or personal plans. Due to the variances of many local, city, county and state laws, we recommend considering professional legal counseling before entering into any contract or agreement. AllBusinessTemplates.com
Check out: www.allbusinesstemplates.com