Guidance for SMEs

Although this guidance note was designed to be of particular assistance to Small to Medium Enterprises (SMEs), there are many elements within it which are also applicable to Data Protection Officers (DPOs).

This note contains a list of key General Data Protection Regulation (GDPR) definitions, thus providing clarity on key terms within data protection legislation. It also contains a checklist of key steps to take to ensure GDPR compliance within an organisation. Each step references the relevant GDPR article/recital.

This note also provides guidance on a risk-based approach to GDPR compliance. This involves an organisation assessing the risk of the personal data processing operations it carries out, taking into account the complexity and scale of its data processing, the sensitivity of the data processed and the protection required for that data. In this context, the concepts of Data Protection by Design and Data Protection by Default are also explored, as is the mandatory requirement to conduct a Data Protection Impact Assessment (DPIA) before implementing any new high-risk processing project.

The final section of this note contains an extensive list of GDPR compliance checklist tools. These take the form of detailed questions regarding:

  • Personal data;
  • Data subject rights;
  • Accuracy and retention;
  • Transparency requirements;
  • Other data controller obligations;
  • Data security;
  • Data breaches;
  • International data transfers.

Answering these questions gives organisations a structure for mapping the personal data they currently hold and process, the lawful basis on which each category of data was collected, and the retention period that applies to it. Carrying out this exercise will help identify where immediate remedial action is required in order to be compliant with the GDPR.

For more information on this topic, please see our guidance note on GDPR compliance for SMEs.