What can you do for your business right away?

1 Start with ICO 12 steps (UK-based), DCPI 12 steps (Ireland-based), CNIL 6 steps (France-based) or the relevant Supervisory Authority of your country to figure out; what data you’re holding, why you’re holding it; if data is secure, relevant, necessary and limited.

2. Run a mini-audit on what systems you are using to store data, where you are storing that data (e.g. Dropbox files are stored in the US) and how you are sharing it. An audit workbook is available with my comprehensive GDPR Smart Guide.

3. Ask yourself the following questions about your business:

  • Do you keep records?
  • Do you have a privacy policy?
  • Does your personnel have clear privacy instructions?
  • Do you have clear agreements between controllers and processors?
  • Do you need to carry out a DPIA?
  • Do you need to appoint a DPO or a representative?
  • How will you demonstrate compliance?

(If you don’t understand the terminology above, please refer back to the earlier blog posts in this series.)

4. Encrypt your phone, PC, laptop and backup storage devices.

5. Make sure your data is secure before you think about sharing it.

6. Use a VPN if you work away from your secure network.

7. Learn the difference between Data Controller and Data Processor. Decide on who is what within your business AND outside of your business (VA, Consultants, Trainers, Associates, etc.)

8. Know where your data is being stored.

9. Create a data policy for your clients, making them aware of the what, where, how, when and who of their data.

10. Review your client contracts and revise so they are compliant.

11. Request clients’ understanding and acknowledgement if not already doing this via signature.

12. Document how you collect, store, maintain, secure and use your client and customer data.

13. Ensure this is included in your Privacy Policy.

14. Ensure your Terms and Conditions are complete and easy to understand.

15. Check that you can ensure the following at the request of a data subject:

  • Right of access (you can show what data is being controlled)
  • Right to rectification (you can update their personal data)
  • Right to object (you apply certain controls over their personal data)
  • Right of portability (you can move/export their data)
  • Right to prevent processing for direct marketing
  • Right to be forgotten (you can delete their personal data).

16. Be open, honest and clear about:

  • Why you need personal information
  • What you intend to do with it
  • Who you may share it with
  • How the individual can obtain a copy.

What you DON’T need to do for your business

  • Buy a course or certification of compliance
  • Buy a “badge” for your website that promises compliance
  • Assume your Accountant, VA, Manager or anyone else involved directly or indirectly in your business will manage GDPR and compliance on your behalf
  • Assume that just because you are not based in the EEA that GDPR does not affect you and your business
  • Interpret the Regulation to suit your own business needs
  • Ignore the GDPR and hope it will go away
  • Not take any measures to secure personal data that you store, control, process or share.

If you can manage all the points above and document your protocols and policies via the GDPR Smart Guide and downloadable audit workbook and checklists, you’ll be well on the way to GDPR compliance.

Ensure you read up on GDPR relating to your country (where your business is located) to get the most up-to-date and accurate information.

Next up is GDPR Part 9 – Data Processing
Previous – GDPR Part 7 – Data Breaches and the Consequences


Please note: The GDPR series of articles on this blog do not promise to be either a full synopsis or full interpretation of the GDPR. Indeed I have simply taken the most important aspects of the GDPR I feel are relevant to the small business owner. Everything you read online about the GDPR will be some kind of an interpretation, synopsis or summary of the GDPR. Unless, of course, you read the full text in itself.

Pin It on Pinterest