What do you need to do to become GDPR compliant?

Release date: 2020-01-15
Topic: GDPR

GDPR Compliance Help Checklist - Serity for SMEs


GDPR compliance is very difficult to prove for smaller businesses and SMEs.  Serity guides you through your own audit like a GDPR compliance checklist.  Are you a compliance manager or Data Protection Officer for an SME or small business? 

Do you know what you’re supposed to be doing for your GDPR compliance, practically? How many of the ten points (in no particular order) below do you have covered?  Read on, try the Serity demo, sign up for Serity, and get GDPR compliant today! 

1. The Data Protection Officer and Supporting Structure


Have you appointed a DPO? Do you know if you need to appoint a DPO? Smaller businesses have battled with this question, especially quantifying what ‘large scale processing’ means in their context. Querying the Data Protection Commission has resulted in some rather ambiguous answers leaving it up to the business to ultimately decide whether a DPO should be appointed. If you feel you are not required to appoint a DPO in an official capacity, you should at the very least have appointed somebody in your business to be the GDPR data protection or compliance lead. Further to this, you should have established a GDPR data protection committee (size dependent on your organisational structure) to support the DPO or lead in their role and ensure the GDPR data protection policies in your business are being heard, understood and adhered to.

2. Awareness and Training

Make sure that every person in your business from top to bottom and side to side has at the very least experienced a GDPR data protection awareness training programme. Further to this, any person in your business who is required to abide by policies and procedures should be trained on those specific policies and procedures. And, further to this, you should have at this stage conducted an assessment on your business to determine who needs specialised and specific data protection training relevant to their position in the business. Everybody in the business should know what the procedure is for "subject access requests" (where data subjects exercise their rights) and incident or data breach management.

Interested in GDPR data protection training?  Join us on a practical Serity workshop.  Click for more details.

3. Data Subject Rights

Do you know what GDPR data protection rights a data subject enjoys? Are you equipped to deal with those rights? There is no exemption in this regard for smaller businesses. You will have to deal with data subject rights whether you want to or not. GDPR data subject rights are intricately tied up with your Article 30 records of processing activities (ROPA), the legal basis you process on and the policies and notices you have drawn up and issued. Be aware, especially when identifying the basis for processing, always of the rights your data subjects enjoy and ensure there is a clear and accepted procedure for dealing with these rights within the required time frames. Also, don't forget, you cannot initially levy a fee or charge money to process rights requests.  If in doubt as to whether you can meet your obligations in law, simulate an exercise within your business.

4. Incident Management and Data Breaches

Your GDPR incident and data breach management procedure should be so tight right now that if Harry Houdini were inside the flow, he would not find a way out. Do you know what constitutes a mere incident and a reportable data breach? And by reportable, I mean reportable to the Data Protection Commission and reportable to the data subject? Do you know what measures you can take to protect data should it be involved in an incident or breach? How long would it take you to find out about a data breach in your business? Knowing where all your data is, who manages your data stores and the security measures attached to each data asset will go a long way to helping you here. Again, if in doubt as to whether you can meet your obligations in law and very specifically here that you meet the 72-hour reporting requirement, simulate an exercise within your business.

5. Article 30 Records of Processing

You will most likely be required to keep Article 30 records of processing activities (ROPA) no matter the size of your business. If you engage in processing that is likely to result in a risk to the rights and freedoms of data subjects, processing that is not occasional OR processing that includes special categories of data or personal data relating to criminal convictions and offences you are required to keep these records. Note especially the second point: processing that is not occasional. This means any regular data processing activity occurring in your business.  In practice this would mean HR processing or customer information processing, usually.  There is no official or prescribed format for these records, so you are permitted to keep records in a manner that suits your business.

6. Policies and Notices

Do you have an up-to-date and adequate GDPR data protection policy for your business? Have you aligned your GDPR data protection and privacy notices to your GDPR data protection policy? If your data subjects include children,you must write the notices in such a way that they will understand them. Are you serving your notices correctly to your data subjects and making every effort to sign-post to them at data collection points? If they are long and unwieldy, try layering the notices. Again, there is no set format or template for these documents, however, there are essential elements that must be included, and you should be writing them in clear and plain language.

Feeling overwhelmed?  Serity guides you through your GDPR compliance obligations step-by-step in plain language.  Sign up today.

7. International Transfers of Personal Data

We will assume that you have a fair idea of the data flows within your business as well as the data flows in and out of your business. If any data flows involve the international (out of the EEA) transfers of personal data, are you certain of the mechanism under which you are transferring the data as required by the GDPR? Are you relying on an adequacy decision? Are you relying on one of the other nine measures available? Are you aware of what is considered an exceptional measure?  And, have you documented all the above?

8. Data Processing Agreements

Data flows will reveal to you whether you are the data controller, joint controller, data processor or third party. Every link in this chain should be covered by a written agreement called a data processing agreement that is compliant with current law and that is kept up to date as the relationship and data practices change. Every one of these written data processing agreements should contain appropriate security and other data protection safeguards. Further, these data processing agreements need to clearly outline where responsibilities and liability lie. The Irish Data Protection Commission states that informal and ad-hoc arrangements will not be acceptable, where personal data is involved.

9. GDPR Data Protection and Privacy Programme

All the above contribute to a formal GDPR data protection and privacy programme within the business. The GDPR is here to stay. The GDPR should be discussed at your meetings. GDPR compliance should be considered when entering into new relationships in business. The GDPR must be considered at the beginning of all your projects, sometimes in the form of data protection impact assessments, or DPIAs, and all current projects need to be examined through the lens of the GDPR. The GDPR needs to be infused into business as usual. The GDPR is your new way of life. Make friends with it and be surprised at the positive effects. Deals happen easier when you can prove your compliance, your business has a lovely spring clean, you’ll likely discover a few redundant on-going contracts that can save you money when cancelled and your employees feel confident in their roles.

10. Audit Readiness

Which brings us to the last point, being ready for a GDPR data protection audit. You can call for an independent audit on your business or you can make use of Serity to do the audit yourself. You might be required to undergo an audit prior to a business deal being approved in which case you can use your Serity GDPR compliance report to show your GDPR compliance status. If you are a data processor, more than likely you must agree to regular or periodic audits on your business by data controllers who may wish to satisfy the veracity of your claims.  Again, you can use Serity to show data controllers where your compliance risks lie and how you are dealing with them. You also might face the reality that the Data Protection Commission has chosen your business for an audit. Are you ready for that? The Serity report will help you to show that you are on top of your GDPR data protection compliance programme. 

Serity will help you with your GDPR compliance and particularly your audit readiness.  Experience a demo with our support partner, ProPrivacy, or try it out yourself.  If you need assistance with any of the above, we are here to walk with you down this road as a partner and helping hand.  Get in touch!