GDPR is a hot topic these days and rightly so. 25 May 2018 is the day the new EU General Data Protection Regulation starts to apply, and with it come hefty fines for those found to be non-compliant.
We’re pleased to be GDPR compliant ourselves, and as your small business accountants, we encourage you to take your preparations seriously too. With just over two weeks to go, here’s a last-minute checklist to help your small business get to grips with the main points of GDPR compliance.
Your last-minute GDPR checklist
- I’ve conducted an information audit. – You’ll need to do this to identify what personal data your organisation holds and how it is processed.
- I’ve mapped and documented my company’s data flows. – You’ve documented the results of your audit and written down what personal data you hold, where you got it from, who you share it with now and what you plan to do with it in the future. You should also implement an appropriate data protection policy that lets you demonstrate accountability under GDPR.
- I’ve identified my company’s lawful basis for processing data. – There are six: the individual has given clear consent; the processing is necessary for a contract with them; it is necessary to meet a legal obligation; it is necessary to protect someone’s life (vital interests); it is necessary for a task carried out in the public interest; or it is necessary for your legitimate interests (provided these are not overridden by the individual’s rights). Decide which basis applies to each processing activity, and clearly document your justification for relying on it.
- I’ve reviewed how my company is asking for consent. – You’re asking for it in a transparent and prominent manner, separate from other terms and conditions. Consent should not be made a precondition of a service unless the processing is genuinely necessary for that service, and you must keep records of when and how each individual consented. Make clear that consent can be withdrawn at any time, and make withdrawing it as easy as giving it. For online services offered directly to children, the UK sets the age of consent at 13: below that age you need consent from a parent or guardian.
- I’ve provided privacy information on my website and in forms I send out. – The information must be concise, written in clear and plain language, easy to understand and easy to access. If it is aimed at children, you must make sure it is written in a way they can understand.
- I know what to do when someone asks to see/change/delete/restrict access to their personal data. – They can ask for this verbally or in writing, and either way you are obliged to respond free of charge within one month (extendable by up to two further months where a request is complex or you receive several from the same person; you must tell them about any extension within the first month). You may charge a reasonable fee or refuse only where a request is manifestly unfounded or excessive, and you must verify the requester’s identity before releasing anything.
- I know that the data belongs to the people, not to my business. – Under the right to data portability, where you process the data an individual has provided to you by automated means on the basis of consent or a contract, they can ask to receive it in a structured, commonly used, machine-readable format and reuse it for their own purposes, or have it sent to another organisation.
- My business knows how to monitor and regularly review my compliance with data protection policies and data security.
- I’ve trained my staff on data protection.
- I’ve taken appropriate technical and organisational measures to keep data secure. – GDPR lists encryption and pseudonymisation, ensuring the confidentiality, integrity, availability and resilience of your systems, being able to restore access to data after an incident, and regularly testing the effectiveness of these measures. In practice that means things like access controls so only staff who need it can see client data, encrypted laptops and backups, and up-to-date software.
- I’ve nominated a Data Protection Officer (DPO) where required. – Check with the ICO whether you need one (for example, if your core activities involve large-scale monitoring of individuals or large-scale processing of special category data). If you do, appoint one: this can be a member of staff or an external contractor, and even if you are not required to have a DPO you should still make someone responsible for data protection.
- I have data breach procedures in place, including a notification process. – If there’s been a personal data breach that is likely to result in a risk to individuals, you must notify the ICO within 72 hours of becoming aware of it, and where the risk is high you must also tell the affected individuals without undue delay. Keep a record of every breach, including those you decide do not need reporting, along with your reasoning.
Tax Agility, GDPR compliant accountants
Accountants are known to handle highly sensitive company information, and at Tax Agility, we work hard to ensure yours is kept secure. This means that you don’t need to worry about the privacy of your data while we continue to provide top-notch services to small businesses across London. From accounts and bookkeeping to payroll services, tax planning, tax investigations and more, contact us today to find out what London’s Local Accountants Tax Agility can do for your small business in: Putney, Wimbledon, Fulham, Richmond, Hammersmith and throughout London from our Central London office in Cavendish Square.