I’ve been monitoring the GDPR situation closely and I’ve got some updates for you, based on my most recent research.
As always, this is based on what seem to me to be the most reliable sources of information available. I am not a GDPR expert, just a very interested business owner who wants to ensure compliance for herself and her clients.
The most useful source of information I have found recently is the set of self-assessment checklists which the Information Commissioner's Office (ICO) has put up on its website. They are very clear and relatively concise considering the complexity of the subject matter. I think they've done a great job of making it as clear as it can be, and I've used these myself to ensure I am fully compliant before 25th May 2018.
There are two checklists, one for Data Controllers, the other for Data Processors. We are all familiar with these terms from the Data Protection Act 1998.
I’ve checked the two lists against each other. If you are a Data Controller, as most small business owners will be, then completion of all the requirements of the Data Controller checklist will ensure that you will also be able to complete the Data Processor assessment in full without carrying out further work. Great if you are like me and fall into both categories.
You can click for further information on every step of the process to identify the tasks you need to complete for your business to ensure compliance.
These checklists are quite long but you do need to ensure you meet all the criteria. I’ve gone through the checklists and it seems that there are some key documents that you are going to need to have in place for your business in order to ensure compliance.
What you will Need
Privacy Notices – for your website and for your other records
Data Protection Policy
Information Security Policy
Information Asset Register / Information Audit Document
Records showing how consent was gained and how you will review it (if you are relying on consent as your lawful basis for processing)
If you have a Business Risk Management Plan then this should be updated to show the Information Security risks under GDPR if it does not already adequately cover these.
For some businesses, you will also need to create Data Protection Impact Assessments. These are required where processing is likely to result in a high risk to individuals, for example large-scale processing of sensitive data or systematic monitoring.
For businesses handling children’s data, the rules are much more stringent. You will need to meet additional requirements, which are documented in the checklists, in order to ensure compliance.
It looks as though everyone will need to register with the ICO if you have not done so already and the fee structure for doing so will alter from the date the GDPR comes into force. Currently, I pay £35, as do most smaller businesses. From May 2018 it appears that there will be a three-tier system, based on the quantity of data processed and headcount within the business. Tier 1 for the smallest businesses processing up to 10,000 data items will be up to £55. For the largest organisations, the fee could be up to £1000.
It seems that if your ICO registration is due before 25 May 2018, you will pay the original fee for 2018/19 before moving to the new fee structure on renewal in 2019. For those of us whose registration date is after 25th May, the new fees will apply. It’s still not a huge cost for most small businesses when you think that it goes to fund data protection for everyone.
If you would like to get a bit more detail about how the legislation might affect specific areas of your business or sector, the Data Protection Network website at https://www.dpnetwork.org.uk has some very helpful information. This site looks at the practical implementation in more detail and discusses areas where clarification is still needed on parts of the regulations.
As with any new legislation, there will be a period during which the legislation is examined and decisions are being taken about how the legislation will apply and work in practice. However, this site and the ICO site are both great resources to keep an eye on to ensure you remain up to date with the latest information.
The DP Network site is run by Rosemary Smith, whose Data Protection credentials are second to none. Rosemary has actually been interviewed twice on the Next 100 Days Podcast with respect to the GDPR legislation. For those readers who like to consume their content on the move, you may find the podcasts useful. Rosemary appears in episode 89, where she provides an update on the comments she made the previous year in episode 29. The podcast is available from The Next 100 Days.org.
There are also a number of videos available on YouTube which address the specific concerns of various sectors and might prove useful for you as well. I have recorded some very general ones myself, and these are available on the YouTube channel here.
There is also a blog post here, which discusses Email Marketing, Subject Access Requests and accountability principles.
Finally, there are a number of workshops being run up and down the country. If you prefer to get your information in an environment where you can discuss the implications for your particular business with a real live expert, then you should be able to find these via Eventbrite, LinkedIn or your sector’s governing body website.