The GDPR is almost here, and many businesses aren't ready for it. Here’s an essential checklist to help your small business prepare for GDPR.

GDPR: It's the most important change to data protection standards in 20 years, the deadline is just three months away, and a quarter of London's firms still aren’t prepared.

The GDPR will apply to many businesses from all locations, in and outside of the EU. The first fines are even expected to hit businesses outside of the EU. It’s all about setting global standards for data protection.

But to those not quite ‘aware or there’ with GDPR, we say: don’t panic.

The GDPR isn't an impending apocalypse. You just need show you’re committed to the ongoing project.  Whatever stage you’re at, here’s an essential checklist to get your small business over the line and ready for GDPR.

Goals and planning

To plan for successful, long-term GDPR compliance before time runs out, here’s what to focus on:

• Assemble: team, timescales and budgets. By 25^th May 2018, you need to show you have made progress. Collaborate with your IT partner and ensure you have the resources and budget to move the project forward.
• Align GDPR with business goals. GDPR empowers your cusomters to take control of their personal data. But it also drives better marketing, accountability, collaboration, trust and security for your businesses’ sake. Maximise compliance and align goals with competitive digital strategy. 
• Communicate to build internal awareness and buy-in. Remember, GDPR is really all about people and building culture. GDPR will empower employees with their data too, so it shouldn’t be too hard to get them to see the impact and benefits of the project.

Roles and responsibilities

Under the GDPR, ‘data subjects’ are the stakeholders you have data on. Be aware of new roles and responsibilities that come with 'data protection by design and default':

• Data Controller. The business or person responsible for processing data.
• Data Proccessor. The business or person processing data on behalf of a data controller.
• Data Protection Officer. An expert in data privacy, as defined in Article 37 of the GDPR. The requirement for a DPO often doesn’t apply to SMBs, but you should check out our blog post to see if you need one.

Data management

Next, think about auditing data and evaluating processes to prepare for GDPR, and ensure your data maintains integrity:

• Data you have on people. You need to make sure you only process data on a lawful, fair, necessary, accurate basis.
• Data storage. IT systems should enable a single source of truth for business data, visual data maps and easy, automated classifying.
• Identity and access. Control access on need-to-know basis, with multi-level permissions, and revoke access when it’s no longer needed i.e. when an employee leaves.
• Access and deletion requests. Data subjects can request access, or deletion of every ounce of their data in a one-month timeframe free of charge. IT needs to enable this, so data can be captured securely and comprehensively.

Privacy and consent

Unlike the Data Protection Act, the GDPR has some rather stringet requirements when it comes to how you gather consent for data collection, and how you ensure customers that their data is safe, secure and private. Focus on:

• Data usage and handling policy. This needs to be clear, honest, accessible and unambiguous.
• Consent policy. Under the GDPR you must seek, obtain and record consent and a positive opt-in from all data subjects.
• Data privacy impact assessment. This is a privacy risk-assessment for business to use around technology and data processing. The ICO have put out some guidance.

Pro tip: if you're not sure that your policy is up to scratch, send it to us and we'll review it for free. 

Proactive IT security

Aside from a risk-assessment to minimise issues, you also need proactive security to fully protect data. Check you have:

• Stringent security. Get an IT security policy, and make sure everyone follows it. Think about mobile and email security too.
• Certificates and documents. Get government-backed certificates like Cyber Essentials . This can only benefit compliance and will establish trust with your customers. 
• Data breach detection and prevention. If there is a data breach, you have to report it within 72 hours of identifying it. So get an IT partner to monitor for, and detect, data breaches and intrusions. 
• Training. At the end of the day, this is the key thing that’s going to help you build a culture of compliance.

Getting off the ground with GDPR: assess your readiness

This checklist will ensure you’re on the right path to GDPR compliance. But if you need more help, give us a call or self-assess your GDPR readiness with our interactive quiz. Click below to get started!