Your Small Business, Your Responsibility – Your straightforward GDPR Blueprint for a great 2022
If you’re fed up with New Year’s resolutions…
If you are a coach, trainer or consultant, this GDPR Blueprint will help you get your plans in place to create something invaluable for your business that will improve it over the course of 2022.
GDPR and meeting its requirements are never about completing everything all in one go. It’s a journey and, even if you’ve already started, now is an excellent time to look and see where you are. Check what you already have and put a simple plan together to add, remove, change, or improve how you do things.
If this is all new to you, follow the instructions in bold and you will have an outline plan of what to look at and things to do over the course of the next few weeks/months – you can set your own workable timetable.
I’m going to take you through a basic DIY analysis of what you have and need to get organised. I will cover the basics – do be aware that if you don’t have anything in place this covers the essentials and is aimed at owner-run coaching, training and consultancy businesses. It will set you on the right track and you will then be able to take it from here adding and changing it to match your and your business’s particular needs (or you can ask for help!).
Where does your GDPR Blueprint start?
If you don’t already have one, you should set up a simple schedule with your key GDPR-related checks spread out over the year/month/week to make it easy to stop anything from falling off. A simple spreadsheet with months across the top and items for attention down the side will do the trick.
Add task reminders to carry out each check to your preferred calendar. When you’ve completed each check write the date in your spreadsheet.
Add your items to your GDPR Schedule* spreadsheet as you complete each of those in the following article. N.B., I love spreadsheets, but you can easily use your own favourite format e.g., a Word (or similar) document – whatever works for you.
Set up your Planning notes
Set up your planning spreadsheet* like this:
Draw 4 columns and head them up (a standard Action Plan design)
TIP: I would recommend completing this process in the order that makes the most sense to you. For example, if you are working on your marketing now, start with items that relate to that e.g., your email marketing. If you are stuck as to where to start, then follow my lead.
What items are most likely to be visible in your business?
To be practical about where you start looking, there are some items that are on show to the public and these reflect on your brand more directly because of that. These items are your:
- Privacy Notice
- Consent statements
- Cookie consent banner on your website
- Customer complaint handling
- Data Subject Access Requests – where the owner of personal data asks you for the details of their data you process in your business
These are two of the direct channels with your customers and, the sad truth of both types of contact is that you will be dealing with someone with some sort of grievance, point to make or axe to grind in many cases. Getting the handling right is important for your customer/client and you/your business.
Your public-facing documents
This is one of your most important documents. It represents your undertaking to all those people who share their personal data with your business, and it must be accurate!
Read your existing Privacy Notice and remember you need different versions for different uses, e.g., website (only), in-person sessions, etc.
If you don’t have a Privacy Notice, add this to your Planning spreadsheet (and mark it as a top priority!). If you only have one version that doesn’t cover all situations, either write alternative versions or alter your current version by adding additional headings for the various uses.
Ask yourself the following:
- Does it reflect my business accurately, including my current brand identity? If you want that voice to be reflected in the style and wording, including your brand evolution, review/amend it with that in mind. Make notes on anything you will tweak to improve it.
- Are all my Processors/services and software included and accurate? More on that in a moment.
When was the last version of your Privacy Notice written (be sure to date each version)? If you have your Record of Processing Activities and have kept it up to date, it will be a moment’s work to compare the information and check you updated your Privacy Notice, or to update it now and mark your Schedule of reminders to remember to do that in future.
WHAT AND WHERE PERSONAL DATA IS HANDLED IN YOUR BUSINESS: If you haven’t got a Record of Processing Activities* document or haven’t updated it, add that to your Planning spreadsheet in the Item column. This is another priority item, although it will take time to create. TIP: It’s easier to check and update it monthly to keep on top of changes. This is your data map and the document you will refer to in case of possible risks or even data breaches.
SOFTWARE AND SERVICES IN YOUR BUSINESS: Check your accounts records for any new subscriptions or purchase of software and make a note of each one in your Planning document under Items Your action will be to carry out your due diligence on each of those where you haven’t already done so and then, when that’s done you can update that section of your Privacy Notice. Remember to cancel any services or software you no longer use to keep your costs and risk footprint down!
Although you are required to carry out your due diligence BEFORE you sign up for a service or software that will be processing personal data, often this isn’t the reality for many small business owners. This check will at least help you to catch up and avoid missing something that could leave your business exposed. You can make use of your accounting records to help you spot something you’ve missed.
TIP: I keep a simple table with all the services, software and platforms I use in my business recorded with their renewal date (if they have one), location of their servers (due diligence & recorded in your Record of Processing Activities document) plus notes. I add or remove to a separate “archived” section as I change anything. I also keep a note of potential alternatives I may have been impressed with during my research – to save a bit of time if anything changes or isn’t working as I want it to.
When you have all the information on any changes you need to make to your Privacy Notice, then re-write it. Don’t forget to change all versions of your Privacy Notice appropriately and to destroy/delete all defunct versions and copies.
- Do you know where all of your consent statements are located? Again, your Record of Processing Activities is key to knowing this, as you will have recorded them in it. Consent is a lawful basis and as you know, no lawful basis = unlawful processing causing problems for you and your business.
- Check there is no ambiguity or clarity of what people are being asked to consent to and don’t forget “one tick one purpose” – amend any that don’t follow those rules.
- Check the consent statements and identify any that need updating and add those to your Item column in your Planning document. If you find any are missing, add those to your Planning document as well.
Cookie consent controls on your website
- Check that any statements on there are still accurate (and the controls are working!). Get your webmaster to check for you, if you don’t maintain your own website.
- If you don’t have a cookie consent control banner on your website, add that to your Planning document and get one in place asap!
If you need to add, change or remove anything from any of these documents, add that to your Planning schedule.
Website and other online written documents
- Change your Copyright statement if it says the previous year. Make sure you have all the required information about your business on your website and that is up to date.
- Make sure your Legals pages are current – your T&Cs, disclaimers, cookies policy.
- Check your content to make sure it is accurate and reflects your business as it is now or as you want it to be. Archive blog posts that are out of date, off-brand or no longer relevant.
If you need to update or change any of these items, add that to your Item column.
Tip: I would add a 6 monthly check for your website as a failsafe to avoid missing something.
Your complaints procedures
Check your log of complaints – were they all resolved? If a complaint is made to the ICO, you will be asked for this log.
How you handle complaints carries the risk of a situation getting out into the public domain on social media or review sites, which could cause brand damage. At the very least it’ll waste your time and cause you stress.
If you don’t have an up to date or any log or policy/procedure for reliably handling complaints, add that item to your Planning document.
Data Subject Access Requests (DSARs)
If you’ve received a request for personal data held by you then you will find it easier to follow a policy/procedure already decided on, rather than winging it.
If you don’t have a policy/procedure, create one recording all the places personal data is stored (refer to your Record of Planning Activities for the details) and any specifics for your process – add this to your Planning document.
You must have a log for any DSARs that you receive. If you haven’t received any, that’s great, but do create a log and keep it in your GDPR folder if you don’t have one. This will act as your evidence of considering this should anything go wrong.
If you don’t have a policy/procedure or log, add them to your Planning document.
TIP: Schedule a check of the log annually and start a new log for each year/mark the spreadsheet or table so you can see at a glance what’s happened (hopefully, it will be empty!).
If you haven’t been deleting data gradually over the year and prefer to do so as a less frequent task, then you can add this to your GDPR review schedule according to your preference. N.B. Do make sure your Privacy Notice matches your policy/procedure!
Add this task to your Planning document and be sure to follow through. If you haven’t decided on how long you will keep each type of data (it can’t be indefinitely, by the way) you must do that and include it in your Privacy Notice; add that to your Planning document as well.
TIP: You can set up Task reminders for each type of data or for an overall sweep of your records using your chosen calendar App.
Check any databases you keep in your business. It’s most likely to be your email marketing platform that will be most important in keeping your list(s) clean. The statistics for such as hard bounces will help you with this process. Check the data is accurate and confirm the deletion process has happened according to your timescale, this will show on your Schedule of checks. If you use a CRM platform, a similar process will be necessary.
If not, add it to your Planning document.
TIP: Monthly or quarterly would be my recommendation for frequency.
Other Important GDPR checks
- DATA BREACHES – you should have a policy/procedure plus a log set up to record these, including the details of what happened, classification of it and timescales for actions. If you haven’t, add that item to your Planning Document to create both. TIP: As any such breach has the potential to cause damage to your business, make it getting set up and dealing with any such incident a high priority for your business. A monthly check of your Log would be my recommendation.
- POLICY/PROCEDURE DOCUMENTS – Check all policy/procedure documents you do have and amend, as necessary. Remember to mark the date and version number. Add this to your Planning document. TIP: Checking these annually is usually fine but you may feel more comfortable with a higher frequency.
- RECORDS OF DEVICES – Having a record of the devices that you use to process personal data are useful for reference. If you don’t have a record, add that to your Planning document. N.B. If you are considering getting Cyber Essentials certified, you will have to have such a record as you will be including the details of devices in your submission.
TIP: An annual check and update of this record is OK but don’t forget to update as and when you add, remove, destroy, or replace any device. N.B. Don’t forget to record any device destruction with a note to confirm it was done securely as far as any personal data it contained is concerned.
Other general checks
- Are you still using all of your services, platforms and software? Now’s the time to review and cancel any that are not contributing to your business in a meaningful way.
TIP: An annual check is fine.
- If you allowed someone access to any of your systems during the past year, double-check that they no longer have access.
TIP: I would recommend a 6 monthly frequency if this is something that does or may happen in the future.
As with any process, you need to go back and check what is happening after you set it up and, then on a regular basis after it has been running, check to make sure it’s still working as intended. When you’ve worked your way through this GDPR Blueprint, you will have also gained the knowledge to help your business going forward (yay!).
You will see how much needs to be checked and (I hope) are now organising an easy schedule for correcting any omissions or errors and then for the checks to be carried out over the course of the year.
The more important checks or systems need the most frequent checks in general, but this might not be the case where changes are less likely – you decide.
As you will be handling most if not all the admin for your business, most of these scheduled checks will just act as a reminder in case you forgot to do something. They shouldn’t cause you to stress, in fact, they should do exactly the opposite.
*How can you get help if you need it?
I realise that the initial set-up of your own systems can be daunting, and this is why I have updated and modified my Step-by-Step GDPR programme to a 2.0 version specifically aimed at coaches, trainers and consultants. It runs over a period of 6 months to give you time and support to implement what’s needed according to what works best for your business. Templates and essential documents as well as expert implementation support and a channel for asking any questions throughout are included. Your outcome will be a manageable GDPR safety net to protect both you and your business.
The number of places on the programme is restricted to ensure I can give you the right amount of attention to help you set your business up properly.
Afterwards, you can continue as a Step-by-Step Alumni to maintain and carry on getting access to expert guidance to keep your business in the best of shape.
The programme begins in March and if you would like to register your interest and get priority for signing up, click HERE to join the waiting list.
What about if you’re confident about setting things up yourself but would find an impartial professional 2nd opinion helpful?
If you are confident and/or organised, then that puts you firmly in the minority of small UK business owners. If you would find a professional review of what you currently have or are planning, my Instant GDPR service is exactly right. For more details and to book, click HERE.
And don’t forget my free to access Facebook community group and Monthly workshop…
*Please note, I do not offer legal advice.