
How to prepare for GDPR

  • Blog
  • 12 October 2017

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It is a data protection regulation that your business needs to be thoroughly prepared for, and your data handling procedures may need to change. There are some things you can do now to make sure your business is fully prepared.

We’ve put this guide together to highlight some of the things you can do in preparation.


What to prepare for the start of GDPR

The GDPR brings with it eight key rights for individuals, and your procedures and policies may need to be updated in order to guarantee that you can follow through on each of them.

The eight rights for individuals you need to keep in mind at all times are:

  1. The right of access – Individuals can request a copy of their personal data free of charge (in most cases) and ask how you make use of it.
  2. The right to be forgotten – Individuals can ask you to delete or remove their personal data where there is no good reason for its continued processing.
  3. The right to data portability – Individuals can obtain their personal data in a commonly used, machine-readable format and move it between service providers easily and safely, without obstacles to its reuse.
  4. The right to be informed – Individuals must be told how you intend to use their personal data at the time it is gathered. Where you rely on consent as your lawful basis for processing, that consent must be freely given; it cannot be assumed or taken for granted. There are particular rules around what information you must supply and at what stage you must supply it to your customers.
  5. The right to rectification – Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the data in question to third parties, you must inform them of the rectification. You should also ensure that your customers are aware of the third parties to whom you have disclosed the data, where appropriate.
  6. The right to restrict processing – In some cases individuals can require you to keep storing their personal data but to stop processing it in any other way, for example while the accuracy of the data is being disputed.
  7. The right to object – Individuals have the right to object to your processing of their data on "grounds relating to his or her particular situation". An objection to direct marketing must always be honoured.
  8. Rights related to automated decision making and profiling – The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken about them without human intervention. You should identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.

Fines under the existing Data Protection Act have an upper limit of £500,000. Fines under the GDPR, however, can be up to €20 million or 4% of annual worldwide turnover, whichever is higher.

Review and amend what’s already in place

As a result of the new rights of individuals, you may have to alter your current data handling procedures.

For example, a good starting point is to look at exactly what personal data you currently hold, where it came from, who you share it with and what you use it for. Are you collecting more information than is strictly necessary for your purposes? The GDPR's data minimisation principle means you should only collect and keep what you will actually use, and for no longer than you need it.

Think about any documents you have for customers to sign when taking on your services. Are they worded clearly enough? You may need to rewrite some documents to ensure that your customers know how (and why) you are processing their data, and to comply with the requirements set out in the GDPR. The information you supply about the processing of personal data must be free of charge, concise, transparent, clear and in plain language.

Additionally, new processes might need to be created from scratch for certain requests, such as transferring and deleting personal data, as well as for verifying the identity of the individual making a request before you follow through with it.

Consider appointing a data protection officer (DPO)

For most small businesses it won't be a legal requirement to appoint a data protection officer (DPO). However, it may be beneficial to your business to allocate someone on your team who is responsible for your data protection obligations.

The DPO's tasks should include advising the organisation on data protection law, monitoring compliance, conducting internal audits and being the point of contact for reporting and communicating data breaches.

How FSB can help your business with GDPR

The GDPR changes how data protection and data handling operate for businesses. It could affect your business in many different ways, from taking on new responsibilities to the additional time and cost of changing processes in your company. So it's wise to use a third-party expert to help do the work for you.

FSB members are supported with advice and guidance to develop simple step-by-step plans to prepare their business for, and maintain, GDPR compliance.

FSB Business Essentials members have access to:

  • Phone advice line to ask questions about compliance
  • Online fact sheets and checklists that cover all areas of GDPR for small businesses
  • Instructional videos, such as an overview of GDPR
  • Third-party insurance

If you’re interested in learning more about how we can help your business with GDPR compliance, please visit our FSB Legal Hub and FSB Cyber Protection web pages. The services are included as standard with our Business Essentials package. Please take a look at our product comparison page to find out about the benefits of this package and our others.