With the General Data Protection Regulation (GDPR) now only a matter of months away, how should you be preparing your SME for the new rules? EU certified GDPR practitioner and IT specialist Andrew Stellakis cuts through the white noise to deliver some guidance for small businesses.
It may be creeping ever closer, but awareness of what GDPR entails or how to achieve compliance worryingly doesn’t seem to be improving. A recent study revealed that less than 10% of SME owners fully understand the GDPR or have taken appropriate steps to prepare their business – and time is fast running out.
Understanding the basics
So, what exactly is the GDPR? Quite simply, it’s a new set of rules that will dictate how you can and can’t process personal data. Coming into force on 25 May 2018, it will replace existing legislation and govern how individuals’ data can be obtained, used and held by an organisation.
This means that within your business, you’ll have to be stricter on gaining consent for the information you store and be fully aware of the rights of individuals to have their data updated, transferred or erased from your systems entirely. This can cover anything from customer email addresses to CVs from job applicants, depending on your services.
Breaking it down
To make the legislation even more manageable, it can be broken down into six key data processing principles. These rule that data must be:
- Processed lawfully, fairly and transparently
- Collected for a specific purpose
- Limited to only relevant processing
- Accurate and kept up to date
- Retained for no longer than necessary
- Protected with adequate security measures
Sounds pretty easy, doesn’t it? But instead of facing the changes, many businesses are still burying their heads in the sand and failing to prepare.
Taking the first step is often the hardest part, so it’s important to know where to begin. Following these crucial stages will help get your SME off to a flying start:
- Carry out an audit – Compare your current processes to the GDPR framework and assign a Data Protection Officer (if needed) to oversee your transition.
- Start a data register – Acting as an official audit trail, this will evidence your progress if you suffer an early breach and need to prove your compliance attempts to the Information Commissioner’s Office (ICO).
- Classify your data – Locate any Personally Identifiable Information (PII) that could be used to identify someone (directly or indirectly) and record where it’s stored, who has access to it and how it’s being processed. Once classified, you can deduce which data requires the most protection.
- Assess and prioritise – Privacy is the main priority under the GDPR, so ensure you’re only processing personal data as necessary. Running a Data Protection Impact Assessment (DPIA) on all existing procedures will help make sure you have the measures in place to erase data on demand or fulfil a Data Subject Access Request (DSAR).
- Remedy and repeat – Compliance isn’t a one-off tick box but an ongoing process, so take the required steps to resolve any issues that are flagged up and continue to monitor your procedures regularly.
Q2Q offers a comprehensive range of GDPR provisions tailored to your SME, including workshops, assessments, compliance project management and a virtual Data Protection Officer service.