GDPR for Small Businesses

I’ve been writing so many press articles, guides and blog posts on the General Data Protection Regulation (GDPR) – on behalf of clients, that is – that I should be somewhat of an expert on it by now.

Unfortunately, that isn't true, but in interviewing the people who really do know their stuff, I'm certainly much the wiser and am taking steps to ensure that Nellie PR will be GDPR compliant by the 25 May 2018 deadline. How about you?

Anyway, to help myself keep on top of all this GDPR stuff, I've pulled together a checklist to go through and action. This includes an ever-expanding reading list, such as The Information Commissioner's Office (ICO) newly updated guide to GDPR for small businesses. The ICO is also providing more small-business-focused advice, including a newly updated 12-step guide to preparing for GDPR, and has launched a helpline for small businesses that you can reach on 0303 123 1113. I've also bookmarked IT security, and will give this outsourcing guide a read too.

I'm also writing this, a living and GDPR-breathing post about the steps we're taking to understand and plan the changes we have to make, using The ICO's newly updated Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. This post will be updated on an ongoing basis and shared with our clients, suppliers and key contacts so they know what we're up to and how we look after, care for and respect data.

GDPR: 12 steps we are taking now

1. Awareness

According to the ICO you should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

What has Nellie PR done?

As a small business, it has been relatively easy for us to get up to speed with GDPR. We're aware and have updated our staff handbook to include a section on GDPR. All our staff and suppliers, such as the freelancers we use, have been briefed on GDPR and pointed in the direction of The ICO website to find out more. I've documented the steps we've taken to gain awareness and understand its impact. We've also started a couple of Pinterest boards, on GDPR for small businesses and GDPR for PR and comms, to collate some of the most useful information we see.

2. Information you hold

According to the ICO, you should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

What has Nellie PR done?

In order to meet the requirements here, I'm currently conducting an information audit confirming what data we hold and where it comes from. In documenting everything, we're also asking all our relevant suppliers and technology providers to do the same and to inform us. Luckily, the tech giants such as Mailchimp, Dropbox, Google etc. have started to provide GDPR guidance.

I'm also using GDPR as an opportunity to spring clean the data we hold and get rid of data we no longer need. This is something I've been wanting to do for years, so GDPR is the great kick up the backside I've been needing.

3. Communicating privacy information

According to the ICO, you should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

What has Nellie PR done?

We're currently updating our privacy policy and taking guidance from the PRCA and CIPR (our two main professional bodies) as to the specific requirements of GDPR in relation to what we do. The ICO has also posted guidance on privacy notices, transparency and control, and we're checking out good examples of privacy notices, including The ICO's very own privacy notice, because if they can't get this right – what hope is there for the rest of us? As well as reviewing our privacy policy, I'm also updating our cookie and email policies and ensuring that our email signature contains a link to our privacy policy.

4. Individuals’ rights

According to the ICO, you should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

What has Nellie PR done?

We’ve checked our existing procedures and understand how we would delete personal data and provide data electronically.  

5. Subject access requests

According to the ICO, you should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

What has Nellie PR done?

We're adding a section to our privacy notice covering this. As a small firm, we're confident we can respond to requests within a month.

6. Lawful basis for processing data

According to the ICO, you should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

What has Nellie PR done?

As we’re updating our privacy notice, we’ll include a section within it to explain our lawful basis for processing data.

7. Consent

According to the ICO, you should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.

What has Nellie PR done?

We're reading the consent guidance as recommended by the ICO and checking out the ICO's guide to direct marketing. As we do direct marketing, including email marketing, we've been checking what we do against the direct marketing checklist and already do the following (although number 4 needs further thought, and I need to re-look at the opt-in confirmation we store via Mailchimp):

  1. We use opt-in boxes  
  2. We specify methods of communication (eg by email, text, phone, recorded call, post)  
  3. We ask for consent to pass details to third parties for marketing and name, or clearly describe those third parties  
  4. We record when and how we got consent, and exactly what it covers.

As we only send marketing to people who opt in to receive it, it looks like we adhere to best practice here, but we need to check best practice around sending this initial request. We currently use a double opt-in, but according to the ICO this isn't mandatory. We've also got a lot of questions regarding consent when it comes to emailing journalists, for example. I'm seeking guidance on this, as this activity isn't for marketing purposes. I may also look to send a reminder to our newsletter marketing list about our obligations under GDPR and a reminder that they can opt out at any time. An opt-out is always included in our email newsletters.

8. Children

According to the ICO, you should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.

What has Nellie PR done?

We already have procedures in place to obtain parental permission, as appropriate, for the use of children's personal data such as name and school. We always get permission if we are working with schools, for example, on PR campaigns, and schools also have strict processes in place to obtain parental permission via their own media and social media policies.

9. Data breaches

According to the ICO, you should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

What has Nellie PR done?

Again, we’ll cover this off in the staff handbook.

10. Data Protection by Design and Data Protection Impact Assessments

According to the ICO, you should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

What has Nellie PR done?

We're reading the ICO's code of practice on Privacy Impact Assessments and have yet to take a look at the Article 29 Working Party guidance.

11. Data Protection Officers

According to the ICO, you should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

What has Nellie PR done?

As a small business, we do not formally have to designate a DPO. As owner and founder of Nellie PR, I've taken on responsibility for compliance myself.

12. International

According to the ICO, if your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

What has Nellie PR done?

This doesn’t apply to us as we don’t operate in more than one EU member state, but we will document and confirm this in our privacy notice.

For more information and links to GDPR resources:

One of the biggest criticisms levelled at The ICO is that much of the information about GDPR has been focused on bigger businesses. In response, they have recently updated their guide to GDPR, are providing more small-business-focused advice, including a newly updated 12-step guide to preparing for GDPR, and have also launched a helpline for small businesses that you can reach on 0303 123 1113.