With just 5 months to go, time is running out for SMEs to prepare for the GDPR! Towards the end of last year, our MD Andrew shared some crucial advice with BQ Live about how small businesses should be getting their processes up to speed and compliant – if you missed it, you can read the full article here…
The closer we get to the General Data Protection Regulation (GDPR), awareness of what it involves or how to achieve compliance worryingly doesn’t seem to be improving – especially amongst SMEs. A recent study actually revealed that less than one in ten small and medium sized business owners fully understands the GDPR, or has taken the appropriate steps to prepare themselves for it.
So, what does it actually entail?
Quite simply, the GDPR is a new set of laws that comes into force on 25 May 2018 to replace the existing Data Protective Directive. It will provide rules on how individuals’ information can be obtained, used and stored by an organisation. And when it comes to the actual use of data subjects’ information, the new regulations can be broken down into six key data processing principles.
These dictate that data must be:
- Processed lawfully, fairly and transparently
- Collected for a specific purpose
- Limited to only relevant processing
- Accurate and kept up to date
- Retained for no longer than necessary
- Protected with adequate security measures.
Of course, knowing where processes should be is all well and good, but it’s likely that most organisations will have a way to go before getting there. And although there is no one-step solution to achieving GDPR compliance, these five key steps will certainly help:
- Carry out an audit – Current procedures should be compared to the GDPR framework and a Data Protection Officer assigned (if needed) to take responsibility for the transition.
- Start a data register – This will keep track of all personal data that is processed, acting as an official audit trail should an organisation need to evidence compliance attempts to the Information Commissioners Office (ICO), in the event of an early breach.
- Classify data – A record should be kept of where any Personal Identifiable Information (PII) is stored, who can access it and how it’s being processed. This refers to any data that could be used to identify someone either directly or indirectly and includes name, email address and phone number, to mention just a few. This classification should help businesses work out which data requires the highest levels of protection and enable them implement security mechanisms accordingly.
- Assess and prioritise – The first priority of the GDPR is the data subject’s privacy, so processing only a minimal amount of essential data is crucial. Organisations should run a Data Protection Impact Assessment (DPIA) to review all existing procedures and ensure that facilities are in place to fulfil a Data Subject Access Request (DSAR) or erase data on demand.
- Remedy and repeat – Where any gaps or areas of risk are identified, necessary steps must be taken to remedy them. Compliance is a continual effort, so maintaining this careful monitoring going forwards is crucial.
Ultimately, adherence to the GDPR will not only enhance protection from some unsavoury penalties, but also help to streamline processes, make data collection more transparent and invoke greater trust from customers and contacts.
So, it might seem like SMEs have a long way to go to achieve compliance, but it’s certainly a worthwhile journey.