Checklist for SMEs for GDPR compliance
•
7 likes•6,835 views
If you are in the UK and need to check that you will comply with the General Data Protection Regulations when they come into force in May 2018, this checklist might help. Developed for use in my own business it is shared without liability. Please use it wisely to start the process of complying. For more information on making your processes and your legal documents simple, especially if you are in the UK construction industry, go to http://500words.co.uk/
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Checklist for SMEs for GDPR compliance
Similar to Checklist for SMEs for GDPR compliance (20)
More from Sarah Fox
More from Sarah Fox (20)
Recently uploaded
Recently uploaded (20)
Checklist for SMEs for GDPR compliance
- 1. GDPR AUDIT CHECKLIST FOR SMALLER BUSINESSES © 500 Words Ltd, 2018. You may share only provided you keep this notice. You have no licence to adapt. Please tell us if it needs changes. Page 1 Topic Action Y/N/DK Evidence/action GDPR Requirements 1. Awareness Is everyone aware of GDPR? Read ICO 12 Steps Train staff on GDPR Have you identified possible compliance issues? You should ensure suppliers are GDPR- compliant by asking them to confirm their security measures. Check contracts include requirements in Article 28(3). Do you have records of the audit? Have you completed due diligence on your supply chain? 2. Information audit What personal data do you hold? GPR requires you to maintain records of your processing activities. GDPR requires you to show how you comply (accountability). Article 9 defines sensitive data. Is it any of it sensitive data? Where did it come from? Where is it stored (device & location)? Is it encrypted? Who do you share it with? 3. Communicating privacy info What does your privacy notice say? GDPR requires you to explain your lawful basis (see 6) for processing data, your data retention periods and the individual’s rights (in plain language). See ICO Privacy Notice Guide Do you need to update your privacy notice for GDPR? Is your privacy policy on your website? Do you need to update your T&C for the new data regulations? 4. Individuals’ rights Do your data policy cover all rights individuals have? GDPR gives these rights to individuals: the right to be informed the right of access the right to rectification the right to erasure the right to restrict processing the right to data portability the right to object the right not to be subject to automated decision -making including profiling Does your data policy need updating? Do you delete personal data? Do you provide data electronically or in a commonly used format? 5. Access requests Do your procedures allow you to (1) handle requests for information in the new timescales and (2) provide the correct information? GDPR gives a month to comply (was 40 days). Mostly compliance is without charge.
- 2. GDPR AUDIT CHECKLIST FOR SMALLER BUSINESSES © 500 Words Ltd, 2018. You may share only provided you keep this notice. You have no licence to adapt. Please tell us if it needs changes. Page 2 Topic Action Y/N/DK Evidence/action GDPR Requirements 6. Lawful basis What is the lawful basis for your processing of data? Lawful bases for necessary processing are: Clear consent Contract Legal obligation eg as employer Vital interests (protect life) Public task Legitimate interests See ICO Guide on lawful processing Do you have fair processing notices? Where is that stated? Have you updated your privacy notice to explain it? 7. Consent Have you reviewed how you seek, record and manage consent? Consent must be freely given, specific, informed and unambiguous. It cannot be inferred from silence, inactivity or pre-ticked boxes. Do not rely on implied consent. Separate consent requests from other T&C. Simplify unsubscribing. See ICO Consent Guidance If someone joins your email list do they know the content you will send? Can you prove their consent? Do your existing consents meet the GDPR standards? Free choice + positive opt-in Can they unsubscribe easily? 8. Children Does your data verify the ages of individuals? GDPR requires specific protection for children’s (below 16YO) personal data and requires parental consent if a child. Your privacy notice should be understandable to children. Do you need a procedure to get parental consent? 9. Data breaches Do you have procedures to (1) detect, (2) report and (3) investigate a data breach? GDPR requires you to notify breaches to ICO if it is likely to result in a risk to rights and freedoms of individuals within 72 hours. 10. Privacy Impact Assessment Has everyone read the ICO Code of Practice on Privacy Impact Assessments? GDPR requires privacy by design. You may need a Data Privacy Impact Assessments. See ICO PIA Guidance Do you know how & when you will implement any DPIA? 11. Data Protection Officers Do you need a DPO to check compliance? GDPR requires a DPO if you are a public authority, carry out large regular monitoring or large scale processing of specific personal data. Who is our DPO (or equivalent)? 12. International If you work across EU member states, who is your lead data protection supervisory authority? Lead authority is where your main establishment is.