For many small businesses, especially sole traders and Limited Liability Partnerships, it may only be necessary to produce and publish a clearly defined Data Protection Policy in order to be compliant.
However, merely declaring a policy will be deemed insufficient in the event of an investigation (which is only likely to follow a data breach or compromise) unless there is hard evidence that adequate precautions were taken to implement it, including protecting all data that falls within the scope of GDPR, namely data that identifies a person either directly (full name, address or photograph) or indirectly (for example an IP address combined with a Facebook handle and/or a characterisation of an individual).
Many businesses may perform their own internal audit of the data they hold on their clients (potential and actual) and do not need to employ a third party to conduct it. However, data protection is a specialist topic and it may be prudent to engage such an expert, especially if the volume and type of data held warrant it.
Note that any personal details held by a trading business are subject to the GDPR. This includes data held in hardcopy or electronically, whether on any electronic device (PCs, laptops, tablets, smartphones, etc.), on a central server or on a 'cloud' server.
Data held in hardcopy does fall within the terms of GDPR, but in many cases compliance may be achieved by defining, implementing and publishing a simple Data Protection Policy that covers the handling of hardcopy, so long as it is adhered to. However, where maintaining secure control of hardcopy is deemed difficult or unworkable, it may prove necessary to convert documents to electronic format, either by scanning them or by entering them into a database or similar system (which is then subject to the Data Protection Policy), and then to physically destroy the original hardcopy.
The following steps are the suggested minimum actions for a business owner who wishes to undertake their own GDPR audit:
1. Perform an audit of what personal data is held, and where, across all business systems.
2. Determine exactly what information is vital to the business and devise a plan to minimise the amount of information stored about each client, particularly any data that may be regarded as sensitive. For example, virtually no business needs to hold its clients' date of birth (only HMRC, doctors and banks need this data; the likes of Vodafone and Airbnb DO NOT). There may be a good reason why a business needs to know someone's age, such as age-restricted or age-related products, but the actual date of birth is not needed. An employer will need the date of birth when registering an employee, but a recruitment agency need only ask for a declared age (and even then, doing so could be construed as going against the age-discrimination act), not the date of birth. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, etc.
3. Eradicate (erase, delete or destroy) all extraneous data.
4. Collate and store the data that is vital to the business in a single database (with back-ups, obviously). Make sure it is held securely and that access is limited to those who actually need it. Access may also be restricted according to departmental criteria (e.g. the marketing department does not need access to the same data as, say, the customer support or warranty claim departments).
A single database will ensure that:
a) any security audit or Subject Access Request [where someone is entitled to request what information a business holds about them] is easier to undertake;
b) any additions or deletions are easier to manage, without the need to search through many different systems;
c) the data is more accurate, relevant and useful to the business;
d) it is easier to implement a Data Protection Policy and to prove compliance with GDPR.
NOTE: Bear in mind that the customer base is usually a valuable asset of most businesses, not only for generating repeat business but also if the business is to be sold at some point; consequently, some basic customer data should be retained.
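Step 4 and points a) to d) above describe a single customer store with access scoped per department. The following is an added illustration of that design, not code from the original article: a constructed customer table holding only the fields the business needs (an "over 18" flag rather than a date of birth, per step 2), one read-only view per department so that marketing never sees warranty notes, and a Subject Access Request and erasure routine that both operate on the one table. The customer records, department names and column choices are invented for the example; in a production system the per-department scoping would be enforced with database roles and GRANTs rather than a Python dictionary.

```python
import sqlite3

# Constructed sample data for the example: the single customer table holds
# only what the business needs. No date of birth is stored; an over-18 flag
# is kept instead, because that is the fact the business actually relies on.
CUSTOMERS = [
    # id, full_name, email, marketing_opt_in, over_18, warranty_notes
    (1, "Alice Example", "alice@example.invalid", 1, 1, "Kettle returned 2023-05"),
    (2, "Bob Example", "bob@example.invalid", 0, 1, ""),
]

# Hypothetical department scopes: each department gets a view exposing only
# the columns (and rows) it needs, which is the "restricted according to
# departmental criteria" idea from step 4 applied at column level.
DEPARTMENT_VIEWS = {
    "marketing": "SELECT id, full_name, email FROM customers WHERE marketing_opt_in = 1",
    "support": "SELECT id, full_name, email, warranty_notes FROM customers",
}


def build_db():
    """Create the single in-memory customer database plus one view per department."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE customers (
               id INTEGER PRIMARY KEY,
               full_name TEXT NOT NULL,
               email TEXT NOT NULL UNIQUE,
               marketing_opt_in INTEGER NOT NULL,
               over_18 INTEGER NOT NULL,
               warranty_notes TEXT
           )"""
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)", CUSTOMERS)
    for dept, select_sql in DEPARTMENT_VIEWS.items():
        conn.execute(f"CREATE VIEW {dept}_view AS {select_sql}")
    conn.commit()
    return conn


def _view_name(department):
    # Only department names defined above are allowed to reach the SQL text,
    # so a caller cannot widen their access by supplying an arbitrary name.
    if department not in DEPARTMENT_VIEWS:
        raise PermissionError(f"no data access defined for department {department!r}")
    return f"{department}_view"


def department_columns(conn, department):
    """Column names a department can see through its view."""
    cur = conn.execute(f"SELECT * FROM {_view_name(department)} LIMIT 0")
    return [d[0] for d in cur.description]


def department_rows(conn, department):
    """Rows a department can see; marketing only sees opted-in customers."""
    return conn.execute(f"SELECT * FROM {_view_name(department)}").fetchall()


def subject_access_request(conn, email):
    """Everything held about one data subject, read from the single table (point a)."""
    cur = conn.execute("SELECT * FROM customers WHERE email = ?", (email,))
    row = cur.fetchone()
    if row is None:
        return None
    return dict(zip([d[0] for d in cur.description], row))


def erase_subject(conn, email):
    """Erasure: one DELETE removes the subject from every departmental view (point b)."""
    cur = conn.execute("DELETE FROM customers WHERE email = ?", (email,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("marketing sees:", department_columns(db, "marketing"))
    print("support sees:", department_columns(db, "support"))
    print("SAR for Alice:", subject_access_request(db, "alice@example.invalid"))
    print("erased rows:", erase_subject(db, "alice@example.invalid"))
    print("support rows after erasure:", department_rows(db, "support"))
```

The point of routing every department through its own view is that the audit questions in a) and b) have a single answer: what marketing can see is the definition of `marketing_view`, and deleting a subject once is enough, because there is no second copy in a spreadsheet or a separate CRM to chase.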
5. Once this housekeeping has been performed and all data groomed and protected, the next step is to define a Data Protection Policy that is simple for all staff to understand, implement and adhere to. Every member of staff must be instructed in, and become fully conversant with, operating the systems in accordance with the policy. Experience shows that the system must not be overly cumbersome or time-consuming to use, because staff will otherwise find ways to subvert it and the business will no longer be compliant.
Note also that systems, even with top-level security, have a weak spot: the members of staff who operate them. Whether accidentally or maliciously, data and/or security breaches will occur because of human error. The Data Protection Policy must include an action plan for dealing with such events, which may include notifying the Information Commissioner (whose job is to determine the severity of any breach and to offer advice on containing the problem; they may also issue a fine if the breach is determined to be due to wilful negligence). Employment contracts should also be updated to include any disciplinary, suspension or dismissal processes that would apply should an employee be found to be at fault.
6. Publish the Data Protection Policy on the business's website so that customers and suppliers may be confident that the business is compliant.
The above is just a brief action plan; there are many other aspects of GDPR that will apply to different businesses. If in doubt, professional advice should be sought.
You can stay informed by referring regularly to the Information Commissioner's Office website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/