GDPR Checklist for SMEs

Approaching a GDPR compliance project is a daunting thought – it involves the entire business and beyond, especially when you consider data transfers to your supply chain and wider business partners.

Thanks to our experience of providing guidance to over 150 organisations, we can provide you with a simple step-by-step checklist of how to devise a comprehensive GDPR project.

There are just 8 simple steps to follow!

Step 1:

Assign internal responsibility – having just one person in charge of the project means your compliance effort will progress with measured effect.

This individual should have an eye for detail and a good knowledge of the whole business operation, and be senior enough to have the confidence to request budget for the task – it will be required.

Step 2:

Assign budget. At this stage, it will be a guess as to how much is required. Consider a spending limit per quarter and aim to complete a project per quarter over a 12-month period. Bear in mind that you will need to consider external help and may need to make changes to your IT operating systems and provide staff training.

Step 3:

Find help. Unless you have a good knowledge of data protection principles and how to conduct an (honest!) internal data flow audit, you are recommended to seek professional help at this stage.

Not only will our specialist data privacy auditors know exactly what they are looking for, they will know what questions to ask in order to find it – and fast!

While it might take you a whole week to complete an audit of your own business, we can audit a business with up to 5 departments in just one day – and the audit report will be detailed enough that you know EXACTLY what your priorities are.

A typical audit on a small business can be conducted by our team for as little as £1,900.

It’s worth mentioning we also include data protection training for all staff at the start of the day… an added bonus, and essential to your data protection programme.

Step 4:

Delivery of our audit report. All clients receive a summary of our discussions with each department. These are coded by RAG status – Red, Amber, Green.

Red = a potentially serious breach of the GDPR. This is critical and needs to be addressed immediately. Failure to do so would put you into the Top Tier fine bracket - €20 million, or 4% of annual global turnover.

Amber = a potential breach scenario – needs to be addressed but can be scheduled into your future remediation project. Ignoring it, however, would qualify for the Lower Tier fine bracket - €10 million, or 4% of annual global turnover.

Green = based on the information we have, this activity satisfies the demands of the GDPR.

We also deliver an Executive Report, which is aimed at key stakeholders of the business. In this, we summarise our thoughts on the maturity of the business from a data protection viewpoint and confirm the main challenges faced by the business in your quest for GDPR compliance.

The report will summarise the main remediation tasks you need to address in the first phase of remediation.

This report can usually be delivered to the business inside one working week of being on site – probably quicker and in much greater detail than most businesses can audit themselves!

Step 5:

Plan your remediation activity. This should be based on the key aspects in the audit report. It is recommended that the business remains in control of this process.

Our privacy specialists can provide whatever guidance is required at each stage; however, by doing most of the work yourselves, you become less reliant upon external consultants and more self-sufficient. We are always available for support, however!

Step 6:

Review the structure of the business – if your processing activities mean you are in scope for an internal DPO (Data Protection Officer), then this role must be assigned to someone. Due to the skillsets required, most SMEs won’t have the resources or budget for a DPO, as experience of European data protection is required – it can’t just be handed to the office manager. See our DPO Services section for guidance on this.

Step 7:

The business will need to change to meet its obligations. Areas such as staff training, data subject requests, supplier due diligence and contract reviews will need focus – these are all areas that could expose you and cause you to fail in your obligations as a data controller.

Step 8:

The GDPR journey is likely to change at times with new legislation being announced, updated, or challenged in the Courts, so you will need to constantly review your efforts and ensure you are on the correct path.

A good way to do this is to establish a data governance team that is led by the person overseeing the project. That way, it becomes a company-wide effort, embracing a privacy culture – rather than just one person flying the flag on their own. Again, our specialists can provide regular updates and interpret what changes in the legislation mean to the business.

It may even help to make a list of all the processing activities the company has stopped in recognition of your obligations as data controllers – to demonstrate the changes that have been made.

How Much Will This Journey Cost?

This depends on the size of your business, the complexity of your processing activities and your preparations to date.

Without knowing specific detail on your business, it’s impossible to know, but our fees for an initial GDPR gap analysis / audit are as little as £1,900 – that will at least start you on the right track.

Andy Chesterman