GDPR Compliance checklist for the SME
Use this GDPR Compliance checklist to confirm you have all bases covered. You will find more details on each of the GDPR compliance checks by following the links within.
Table of contents
- 1. Assign a Privacy Coordinator
- 4. If you set cookies, use a cookie popup
- 5. Direct Marketing must mention the source and provide an opt-out
- 6. Maintain a GDPR Register
- 8. Are you using special category data?
- 9. Review security practices
- 10. Operationalise GDPR Rights
- 11. Privacy awareness training for all staff handling personal data
- 12. Breach reporting
- 13. International considerations
- GDPR compliance summary
1. Assign a Privacy Coordinator
The first item on our GDPR compliance checklist is to put someone on point for GDPR compliance.
For smaller firms, we highly recommend having a colleague, or a specialised external firm, on point to organise the firm’s GDPR compliance, without calling that person a DPO (to avoid the stringent requirements that come with the title). Small and medium-sized firms often appoint a GDPR coordinator, and the regulator encourages firms to do so. It brings focus to the effort and gives the outside world a single point of contact to turn to in case of questions or challenges.
Only organisations that carry out large-scale processing of personal data are required to appoint a formal Data Privacy Officer (DPO). GDPR puts explicit requirements on the DPO function in order to safeguard its independence.
Read more about this in our dedicated article.
One of the core requirements of GDPR is the obligation to inform data subjects about the firm’s use of their data and the associated privacy position and arrangements. Only when those interacting with your firm are duly informed can they make an informed decision as to whether they are willing to do business with your firm. Just copying and pasting a privacy statement from the internet is likely to cause more harm than good. GDPR requires your communications to be specific to the way the firm operates. Boilerplate or catch-all statements, and vague or overly complex legal jargon, are explicitly non-compliant under the GDPR regulation.
- Clear statement of responsibilities: who is the data controller, who is the data processor and who is your key contact for GDPR.
- List the processes that touch personal data e.g. client intake, invoicing, staff remuneration, newsletter etc.
- For each of the processes, make sure you capture its business purpose, its GDPR legal basis and the data items used. Also, outline how long you will retain the data.
- List the processes that share personal data, and whom you share data with e.g. data you share with your accountant, IT support partner etc. or through the use of cloud platforms e.g. Facebook, Mailchimp, Stripe etc.
- If your firm uses social media, make sure to warn users that social media platforms process their personal data, and mention that your firm and the platform are likely to be considered joint data controllers.
- List the GDPR data rights your users have and how they can exercise those.
- State how users can contact you and, if needed, raise a complaint with the relevant authority. Do note that the regulator recommends you establish a dedicated communication channel for all privacy-related matters. So avoid reusing an existing personal or general mailbox and set up a dedicated privacy mailbox instead.
4. If you set cookies, use a cookie popup
This fourth item is what a lot of people associate GDPR with: the dreaded cookie popups!
Cookies typically save information that can be attributed to you as an individual; in other words, they process your personal data. GDPR demands that all firms provide transparency on why and how personal data is being used, and as a result, before a firm can save a cookie it needs to ask for your permission. These popups might feel annoying, but they give every one of us the opportunity to control what we allow and what we do not. We might, for example, not want to be tracked across the internet.
As a website owner, you should reflect on whether you could do without cookies. Do not just have cookies because your website came with them, or because most other websites seem to use them to track visitors. Our own website, GDPRWise.eu, does not set any cookies. Privacy is a serious matter (and a human right, mind you). So make a well-informed and conscious decision about it. Our knowledge base can help here.
5. Direct Marketing must mention the source and provide an opt-out
This fifth item on our GDPR compliance checklist seems pretty straightforward, but it does require discipline to get right.
The first requirement here is to reveal the source of the personal information to the recipient. Either the personal data of the recipient was obtained directly from the recipient, or indirectly from another source. Core to the GDPR regulation is your duty to inform and to provide transparency around the processing of personal data, so the source of any personal data needs to be captured. This requires you to have the right processes and discipline in place to record, at all times, the origin of personal information.
At the same time, direct marketing emails must offer recipients a way to opt out of any such future communications, in order to comply with GDPR. This is typically achieved by adding an opt-out link or button at the bottom of the email, so the recipient can unsubscribe from your mailing list. Most marketing platforms (e.g. Mailchimp) offer opt-out functionality by default, so it should be very easy for you to comply with this requirement. The hardest part is to ensure that those individuals no longer receive that type of communication going forward. This, too, requires the right processes and discipline. Do note that users who have unsubscribed and subsequently still receive similar marketing communications may very well lodge a complaint with the regulator. The regulator has already issued fines for failure to meet this GDPR requirement!
Direct marketing has been a source of annoyance for many consumers, and most national regulators have made great efforts to better inform and educate their audiences by publishing guidelines. So do check your national data privacy authority’s website for guidelines. As an example, the Belgian authority has published such a guideline.
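The two disciplines described above (knowing the source of every recipient's data, and never mailing someone who has opted out) are easy to state but easy to get wrong at send time. The following Python script is an added example, not GDPRWise's code or any marketing platform's API: it assumes a constructed contact export with a free-text `source` field and a constructed unsubscribe log, and runs both checks before a campaign is sent.

```python
"""Pre-send checks for a direct-marketing campaign.

Added example (not GDPRWise code). Assumptions: contacts come from a CRM export
with a recorded 'source' per person, and the mailing platform exports opted-out
addresses as one address per line. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Contact:
    email: str
    source: Optional[str]  # where the data came from; None means unknown


# Constructed sample CRM export. One contact has no recorded source.
CONTACTS = [
    Contact("anna@example.com", "newsletter sign-up form, 2021-01-12"),
    Contact("Ben@Example.com", "trade-fair business card, 2020-11-03"),
    Contact("carla@example.com", None),
    Contact("dave@example.com", "purchased list from ACME Data Ltd (fictional)"),
]

# Constructed unsubscribe log as a mailing platform might export it.
# Note the mixed case and stray whitespace: real exports are rarely tidy.
UNSUBSCRIBE_LOG = """\
ben@example.com
  Dave@example.com
"""


def normalise(email: str) -> str:
    """Compare addresses case-insensitively and ignore surrounding whitespace."""
    return email.strip().lower()


def load_suppression_list(log_text: str) -> Set[str]:
    """Build the set of opted-out addresses from the exported log."""
    return {normalise(line) for line in log_text.splitlines() if line.strip()}


def build_send_list(
    contacts: List[Contact], suppression: Set[str]
) -> Tuple[List[Contact], List[Tuple[str, str]]]:
    """Split contacts into those safe to mail and those rejected with a reason.

    A contact is rejected if they have opted out, or if the origin of their
    data is unknown (the email could not truthfully state its source).
    """
    to_send, rejected = [], []
    for c in contacts:
        if normalise(c.email) in suppression:
            rejected.append((c.email, "opted out"))
        elif not c.source:
            rejected.append((c.email, "no recorded source"))
        else:
            to_send.append(c)
    return to_send, rejected


def render_footer(contact: Contact, unsubscribe_url: str) -> str:
    """Footer stating the data source and offering the opt-out link."""
    return (
        f"You are receiving this email because we obtained your details from: "
        f"{contact.source}. To stop receiving marketing from us, unsubscribe "
        f"here: {unsubscribe_url}"
    )


if __name__ == "__main__":
    send, rejected = build_send_list(CONTACTS, load_suppression_list(UNSUBSCRIBE_LOG))
    for email, reason in rejected:
        print(f"SKIP {email}: {reason}")
    for c in send:
        # The unsubscribe URL is a placeholder; a real one carries a per-recipient token.
        print(f"SEND {c.email}\n  {render_footer(c, 'https://example.com/unsubscribe?token=PLACEHOLDER')}")
```

The point of keeping the rejected list, rather than silently dropping addresses, is that it gives you an audit trail: a contact with no recorded source is a data-hygiene problem to fix in the CRM, not something to paper over at send time.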
6. Maintain a GDPR Register
This sixth item on our GDPR compliance checklist is one the regulator will ask for if they come knocking on your door.
GDPR requires all firms to maintain a ‘record of processing activities’, often referred to as the GDPR Register. Your GDPR Register must list all processing your firm undertakes on any personal data. The personal data could be that of your customers, staff, suppliers, partners etc. Everything should be included in the Register. You should maintain separate registers for the activities where you are the Data Controller and those where you are a Data Processor.
Do check your national data privacy authority’s website for guidelines on the format of the register and the information to be included.
Alternatively, you can join GDPRWise, where you can generate your GDPR Register in a single click once you have validated the filled-in dossier we have created for you, based on your industry sector and country of registration.
This seventh item is often overlooked. However, GDPR-related challenges often arise from broken-off staff relationships, so this should be firmly on your radar to get right.
8. Are you using special category data?
The eighth item on our GDPR compliance checklist makes it very clear that not all data elements are equal under GDPR.
Some data is particularly sensitive, and as a result, requires additional safeguards to ensure its protection.
This Special Category Data covers items that:
- disclose racial or ethnic origin
- reveal political opinions
- expose religious or philosophical beliefs
- show trade union membership
- are genetic data
- are biometric data
- relate to an individual’s health
- concern an individual’s sexual orientation or activity
Because these data elements are particularly sensitive, a company must have a legitimate and lawful reason for collecting, storing, transmitting, or processing this data.
Companies are prohibited from collecting, or processing, this data unless:
- Explicit consent has been obtained from the data subject; or,
- Processing is necessary, in order to carry out obligations and exercise specific rights of the data controller, for reasons related to employment, social security, and social protection; or,
- Processing is necessary to protect the vital interests of data subjects, where individuals are physically or legally incapable of giving consent; or,
- Processing is necessary for the establishment, exercise or defence of legal claims, or for reasons of substantial public interest, including public interest in the area of public health; or,
- For purposes of preventive or occupational medicine; or,
- Processing is necessary for archiving purposes in the public interest, scientific, historical research, or statistical purposes; or,
- Processing relates to personal data which are manifestly made public by the data subject; or,
- Processing is carried out, with appropriate safeguards, in the course of the legitimate activities of a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members of the body, or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects.
Personal data relating to criminal offences and convictions are not included, but separate processing safeguards apply. GDPR Article 10 gives more information on this.
9. Review security practices
Item number nine on our GDPR compliance checklist is a real headache for most large firms given their footprint, but for small and medium-sized firms it should be very doable.
There is no privacy without appropriate security measures. For example, we are sure you will agree that you cannot guarantee the privacy of your customers’ personal data if that data is stored in an online file that is accessible without a username and password. In other words, privacy and security go hand in hand.
It is important to note that security is not one thing, but a collection of approaches, practices and measures that are only as strong as their weakest link. We have created a knowledge base item, Data Security – what to consider, for your benefit. The associated knowledge base items also include practical tips, such as a list of questions you can put to your IT support partner.
Once you are up to speed with the basics of data security, you and your IT support partner are advised to leverage your GDPR register and work through the list of systems in use.
As a minimum, review the following aspects:
- Is the physical security appropriate?
Is the system in a physical location that is appropriately safe and secure? For world-renowned cloud systems (e.g. Microsoft.com, Shopify.com) the answer is mostly yes, as evidenced by the security certifications they have obtained and published. For any systems your firm hosts itself, you want to make sure you have measures in place to ensure that only appropriate people can access the premises, office, shop, server room, filing cabinet etc. For the paper documents most firms inevitably still hold, we have created a dedicated knowledge base item, Data Security for paper documents.
- Is the system & software security appropriate?
Do check out our dedicated knowledge base item, Security for systems and software – principles, to explore this topic further. There are a number of aspects you should review and measures you can apply. Some examples: do all systems have the latest security patches applied? Do all systems enforce appropriate access control? Where possible, is two-factor authentication enabled? Does the system enforce strong passwords? Can you remove or hide data items you do not use, in line with the GDPR data minimisation principle?
- Is data security appropriate?
For the SME, there are two core aspects to check here: backups and data encryption. Confirm that systems are backed up and that those backups are kept in a safe place. At the same time, test from time to time that a restore can be executed successfully. On the encryption side, confirm that all personal data is encrypted, both at rest and in transit. Also, check out our dedicated knowledge base item, Data Security – what to consider, for more information.
- Are all measures regularly reviewed?
Ultimately, your security defences need regular review and updates. This holds true not only for your equipment and infrastructure, but also for the humans operating and using them. We want to emphasise the importance of not overlooking the human factor, as it has been proven over and over again to be the weakest link in security and privacy defences. Therefore, ensure that the right security and privacy habits are taught and applied in the day-to-day running of your business. There are lots of online learning platforms that offer Security Awareness Training and Data Privacy Training at very affordable prices. Ensure that all new joiners, and all staff, go through those training courses at least once a year. This is essential to running a secure and privacy-compliant operation. It is recommended that you implement a code of conduct that covers security and privacy, as well as other ethical business practices.
10. Operationalise GDPR Rights
This tenth check on our GDPR compliance checklist should be pretty straightforward to implement.
The GDPR regulation stipulates that data subjects have rights they can exercise with respect to the processing of their personal data. The most well-known are probably the right of access and the right to be forgotten. Perhaps surprisingly, there are in fact 9 such rights, and they are outlined in our article GDPR Data Subject Rights.
11. Privacy awareness training for all staff handling personal data
In the data and technology space, the human factor is often overlooked. Make no mistake about it: this eleventh check in our GDPR compliance checklist is as important as any other item, if not more so.
Over and over, humans have proven to be the weakest link in security and privacy defences. You can implement the best security measures throughout; however, if a colleague clicks on a link in a malicious (phishing) email and unknowingly lands on a fake website where his or her corporate login and password are stolen, your security defences are at risk. Similarly, it is by human error that someone puts all your customers in CC rather than BCC, or sends a medical file to the wrong patient.
One needs to ensure that the right security and privacy habits are taught and applied in the day-to-day running of your business. It is recommended that you implement a code of conduct that covers security and privacy, as well as other ethical business practices. There are unsafe practices in most firms that can easily be addressed through awareness training. We have created a dedicated knowledge base item on the topic, Data Security – the human factor.
12. Breach reporting
The regulator feels very strongly about this twelfth item on our GDPR compliance checklist. It has resulted in quite a number of fines, where firms were found to be in breach of compliance.
First of all, note that a breach is not limited to a hacker breaching your network. A breach of security can be the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is stored, transmitted or otherwise processed. So a colleague sending a financial report to the wrong client is also a breach, as is losing a USB stick containing personal data, or accidentally deleting personal data.
All breaches need to be logged internally in a data breach log maintained by your company. Some breaches need to be reported to the regulator and potentially even to the individuals affected by the breach. Please refer to our knowledge base item dedicated to the data breach topic.
13. International considerations
This thirteenth item on our GDPR compliance checklist is relevant to two types of firms: those based outside the EU but serving the EU market, and those with activities in more than one EU member state. Those with touch points to Brexit might want to pay attention as well.
Article 27 of the GDPR Regulation requires any firm based outside the EU but serving the EU market to have an EU-based representative. In other words, those firms need an EU-based Data Rep. The most cost-effective way for SME firms is likely to procure a Data Rep service from one of the commercial offerings on the market, or to approach an EU-based law firm to fulfil this role.
For firms with data processing activities in more than one EU member state, the GDPR Regulation states that one national authority will take the lead in any GDPR matters. Which one is determined according to where your firm has its main administration, or where decisions about data processing are made.
At the time of writing, Brexit is only one month in, and the withdrawal agreement stipulates a maximum 6-month grace period during which nothing changes. If and when there is an update, this check will be updated.
GDPR Compliance summary
GDPR compliance might sound scary, but trust us, it is not that hard. It does require some dedication to the topic. After all, privacy is a human right, and you, as much as anyone else, want organisations to treat your personal data with the care it deserves.
The information provided here is not legal advice and cannot replace legal counsel for your specific needs. Some information outlined might not apply to you, or apply very differently. Please consult your legal counsel to ensure you meet your legal obligations.