The law states that every organisation, from a small one-person operation to a large multinational, is responsible for having procedures in place for informing data subjects and protecting their data (information), so that there is a written record outlining those procedures as well as a checking system to ensure the processes are followed. The question every business needs to ask is: can the data subject be identified from the information (data) held by you, the business, whether you run a one-person operation or are in charge of a large multinational?
What must you do?
As stated above, you are required by law to demonstrate that you have followed the twelve steps outlined by the Data Commission and to show, both in writing and in action, that you are compliant with GDPR.
Whatever information (data) you hold, it is your duty to be able to describe it in writing, following the principles outlined by GDPR, and to follow in practice what you have put in writing. The information could be about clients, staff or suppliers, and if they can be identified from it you have a duty to protect the data.
The ideal first step is to attend a GDPR training course so as to ensure you are taking the correct steps.
Sanctions if you do not comply with GDPR
If you do not comply, you are liable for a fine of 4% of your annual turnover or as high as €20m.
This information session (GDPR course) is suitable for staff members or business owners, charities, sports organisations, or any organisation handling information relating to employees, suppliers, clients, volunteers or board members (called processing data), as it is the obligation of all organisations, small and large, to ensure that everyone involved in handling people's (data subjects') information is aware of their responsibilities regarding the processing and storing of that information.