GDPR checklist: 8 important things your business needs to know

The General Data Protection Regulation (GDPR) has been the biggest ever shake-up relating to how personal data about individuals can be collected, stored, and used.

This GDPR checklist highlights some key points your business needs to be aware of.

The GDPR goes far beyond previous data protection measures and affects business of all sizes – from sole traders up to the biggest corporations.

Unsurprisingly, businesses still have many questions about GDPR and how it impacts their day-to-day work.

Here are the answers to some frequently asked questions. Got more? Let us know by contacting [email protected]

Here’s what we cover:

1. Does my business have to be “GDPR certified”?

2. Does my business have to undergo GDPR audits or inspections?

3. I run a very small business comprising just myself. Does the GDPR affect me?

4. What are the consequences of breaching the GDPR?

5. How much can the GDPR cost my business?

6. Do I need to appoint a Data Protection Officer (DPO)?

7. My business is not based in the UK or EU. Do I have to comply with the GDPR?

8. My business is not based in the EU. Am I affected?

1. Does my business have to be “GDPR certified”?

No. The wording of the GDPR doesn’t specify or mandate a particular certification system.

It does, however, encourage voluntary certification through industry bodies or organisations compliant with EN-ISO/IEC 17065/2012, and that have been authorised by the relevant supervisory authorities, such as the Information Commissioner’s Office (ICO) in the UK.

While being GDPR-certified is encouraged to provide guarantees relating to technical and organisation security measures, among other things, doing so is of particular importance for third-parties that process data on behalf of others.

2. Does my business have to undergo GDPR audits or inspections?

There’s no requirement within the GDPR for regular governmental audits or inspections but supervisory authorities do have the right to carry out audits as part of their investigatory powers.

But that doesn’t mean self-imposed audits or inspections aren’t worth doing, or even a de facto requirement for GDPR compliance.

For third-parties providing data processing services to others, the situation is a little more complicated.

They’ll have to make all information necessary to show compliance with their GDPR obligations available to the company employing them.

They must also allow for and contribute to audits, including inspections, that the business employing them mandates.

However, it’s not enough to merely comply with the GDPR. Any business must be able to prove it’s doing so. This is known as the “accountability principle”.

3. I run a very small business comprising just myself. Does the GDPR affect me?

Yes. The GDPR affects anybody or anything engaged in an economic activity and processing personal data – and even organisations such as partnerships, charities or clubs/societies.

It doesn’t matter if this entity is legally recognised or not.

4. What are the consequences of breaching the GDPR?

Your business might be fined up to 4% of annual global turnover or €20m, whichever is the greater.

Notably, it’s possible to breach the GDPR outside of having an actual data loss.

5. How much can the GDPR cost my business?

Expenses for an average business can include some if not all of the following:

• An ICO registration fee, payable by organisations that process personal data; this is based on size and turnover, and will also take into account the amount of personal data processed
• Audits of all processes in all departments, ideally by a qualified individual or business
• Modifications such as staff retraining and information technology adaptations
• Potentially appointing and training a Data Protection Officer (DPO; see question 6 below)
• Setting up and maintaining continual documentation processes demonstrating compliance with the GDPR
• Voluntary certification costs, especially if your business processes data on behalf of other companies (see question 1 and question 2 above, remembering that you should only use certification bodies are compliant with EN-ISO/IEC 17065/2012 and that have been authorised by the relevant supervisory authorities, such as the ICO in the UK).

6. Do I need to appoint a Data Protection Officer (DPO)?

Some types of businesses have to do so.

Examples include if your business is a public authority, or your core activities involve the monitoring of individuals on a large scale (including profiling), or you handle data in special categories such as medical data or data relating to criminal convictions and offences.

Your Data Protection Officer could be an existing employee or you might contract somebody from outside your business.

But you’ll need to inform the supervisory authority who they are and they also need to be properly trained.

7. My business is not based in the UK or EU. Do I have to comply with the GDPR?

The GDPR affects any business worldwide that processes the data of individuals in the UK or European Union (EU).

In fact, if you’re offering goods or services to individuals in the UK or EU or monitoring their behaviour, you probably need to employ a representative within the UK or EU to handle GDPR enquiries.

Additionally, you must let the relevant supervisory authority know in writing who this is.

Many third parties already specialise in catering for this representation requirement and can be found online.

At the very least, you might make enquiries to see if this is a requirement for your business.

8. My business is not based in the EU. Am I affected?

The GDPR affects any business worldwide that processes the data of individuals in the EU.

In fact, if you’re offering goods or services to individuals in the EU or monitoring their behaviour, you’ll probably need to employ a representative within the EU to handle GDPR enquiries.

Additionally, you must let the supervisory authority know in writing who this is. Many third-parties already specialise in catering for this representation requirement and can be found online.

At the very least, you might make enquiries to see if this is a requirement for your business.

Prior to enforcement of the GDPR, it’s at present difficult to predict the consequences for businesses outside the EU that contravene the GDPR but they could include being prohibited from transacting business within the EU until compliance is demonstrated, which could take some time.

This could affect not just sales but also suppliers, so could have a devastating effect.

Editor’s note: This article was first published in November 2017 and has been updated for relevance.