With so much publicity on GDPR it can be hard to separate the wood from the trees, and zero in on what is actually relevant.
Planning out a structured response should help the bulk of small firms find life under GDPR not quite as daunting as it may first appear.
As a starting point small firms should consider the following three points.
– What personal data does your firm retain
– Why is the personal data retained
– What does your firm do with the personal data
Ensuring your firm can document answers to the above will go a substantial way towards demonstrating compliance with GDPR.
Reviewing your firms’ position on “Privacy Notices” and “Giving Consent” should be your next port of call. Privacy Notices deal with the lawful basis for processing personal data, the length of time such data will be held, etc. Giving Consent is required to clearly show that consent to use of personal data for specific reasons was freely given, specific, informed, and unambiguous.
Companies (small firms in particular) have finite resources so, plan out what resources your firm can put into GDPR, who will be responsible for overseeing implementation, and timelines for completing the above first steps.
The deadline date for complying with GDPR is May 2018 but, for small firms to best manage resources starting now so that the work programme can be spread over months is practical.