• Home
• Information Security - inc GDPR
• IT Review/Health Check
• CMaaS - Computer Management as a Service
• About Us
• External Products
• Contact Us
• Privacy Notice (pdf)

GDPR for SME

This is the summary page from the paper GDPR-TL-perspective which contains all the appendix to which this summary refers. To receive the paper in full or to purchase the associated GDPR toolkit please contact me by sending an email request.

GDPR What you need to do

Starting from before you get the data, you need to decide just what you need and why. This means that you must write a Privacy Statement (see Appendix 2.1) to present to the data subjects so that when you request the data they can give informed clear consent (see Appendix 2.2), which you will then record for future reference. This needs to state how you will use it, and for no other uses. [R32, 39, 40, 42/Article 4.11, 5.1a, 6, 13.1-4]

Having got some data, you need to have a policy and supporting processes to ensure that the data is current, either by the way it is updated or as part of the retention constraints. [R59, 63 /A4.11, 5.1a, 6, 13.1-4] This requires having a Process description of how subjects request changes, including deletion (see Appendix 2.3).

Indeed, there are a whole swathe of details you need to hold about the data, in what we might call an Information Asset Register, which could simply be a spreadsheet! (See Appendix 2.7).

And all that is before you even use the data! When you do so, you need a description of the process you will run (see Appendix 2.4), and to maintain a log of the usage. [R82] However, this is not limited to what you do first hand as whilst you remain responsible for the data, you can use foreign services so long as they are either subject to rules in the listed permitted countries or other suitable conditions. [R22/A45 (see links in notes to A45)]

However, recognition is given both to the correlation between organisational size and capacity for administration [R13/A30 say that the degree of record keeping is less for smaller organisations] and importance for that administration in relation to the sensitivity of the data you handle [R84/A37.1].

The final area to be addressed, and a significant motivator to many for going through all this in the first place, is what to do when it goes wrong. This could be as simple as sending an email with confidential details to the wrong address, accidentally deleting/ disk crash losing important data, or the more publicised events such as being subject to ransomware or a hacker stealing a copy of the data you hold, or for what ever reason, initiated by a data subject lodging a complaint [R141/A77, 79, 82.1, 83.5]. Mitigation is expected both as pre-emptive measures and reactively as an Incident Response Plan (see Appendix 2.5). Within that, there needs to be the instructions on how to notify the authorities and individuals affected (see Appendix 2.6). [R85, 86]

That is the lot. Know what you have got, why you have it, what you do with it, and where you have it, then you can take reasonable care of it, and know when you have finished with it so you can get rid of it. Record that lot and you will be in a far more defensible position when challenged or something goes wrong.