A small business checklist for GDPR

  • 15 Apr 2018

It’s less than two months until GDPR goes live. Here is a checklist of five essential questions you need to answer before May 25th. 


What is your lawful basis for processing data?

There are six lawful bases for processing data. No one basis is superior to another, but at least one must apply to the data you hold. The six are: consent, contract, legal obligation, vital interests, public task and legitimate interests.



Most are quite self-explanatory but it is imperative that you understand which applies to your organisation and why. 

Do you have/need a Data Protection Officer?

A Data Protection Officer (DPO) is the person in an organisation responsible for monitoring your compliance and advising on your data obligations, and should act as the contact point for data subjects and the supervisory authority.

You need to appoint a DPO if: you are a public authority; your core activities require large-scale, regular and systematic monitoring of individuals; or your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions.

What processes do you have in place to deal with “individual rights” requests? 

These are the rights that we covered in our previous post, such as the right to erasure, the right to be informed, the right to object, etc.
As illustrated in that post, you should have processes in place to ensure that requests are dealt with in a timely and accurate manner, as delays could become a major issue. Your DPO should be instrumental in facilitating requests.



How is the data you hold stored?

This applies to data at rest, data in transit and data in use: in all these states how is the personal data you are responsible for protected? 

This is where encryption is king. Even in the event that you lose data or data is stolen, if it is encrypted you do not need to inform the data subject of the breach. You should still inform your local authority, the ICO for example, but they are unlikely to levy fines against you if you have done everything you can to ensure the data is unusable.   

Do you have a plan in the event of a breach?

Hopefully you’ll never have to use it, but you certainly need to have it. Who is responsible for reporting a breach to your local authority? If you suspect a breach has taken place, who in your organisation needs to be notified?

If you have a well thought out plan and you can answer all of the above questions, you have put yourself and your organisation in great stead for GDPR, which goes live on May 25th.



Request a copy of ESET’s GDPR Whitepaper to learn more: http://landing.eset.co.uk/fsb_blog

Further to this, you can use our GDPR Compliance Checker for more detail about your organisation's level of GDPR compliance.
