GDPR: practical compliance tips for SMEs

By Colette Reid

The General Data Protection Regulation (GDPR) comes into effect on May 25. It applies to every organisation, SMEs included, that processes personal data about individuals in the EU, whatever the organisation's size. Compliance is mandatory, and the penalties for failing to comply can be severe: fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.

As a creative agency which specialises in digital marketing and holds a large amount of personal data within our business, we have taken steps to prepare for the new legislation. For those SMEs which have not yet gone through this process, we are pleased to share what we learned to help get their business compliant before the May 25 deadline.

The starting point is to brief your team on GDPR and what it means for both your business and your clients. It is worth bringing in your company lawyer or an external expert to cover the more technical details of the legislation and the implementation timeline.

You must then identify every business process in which personal data is held on clients, suppliers and staff. Key people within your company, based on their remit, should then be assigned responsibility for each area needing attention: HR, for example, would typically own staff data, while a sales director might own client data.

The next steps are to identify a key contact at each supplier that processes personal data on your behalf, request their privacy policies and security certifications together with a full description of the data they hold for you, keep an overview record of what each supplier holds and the deadlines agreed, and hold regular update meetings on progress. Where a supplier processes personal data on your behalf, GDPR also requires a written contract setting out what they may do with it, so check that your supplier agreements contain these terms.

Bear in mind that the principles behind GDPR are lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality, and that you must be able to demonstrate that you follow them. You must therefore analyse all your data records to ensure that they comply. After you complete this mapping exercise, identify the data you no longer need to retain and delete it from your systems, remembering that copies in backups, archives and spreadsheet exports count too. Put processes in place to reassess the data you do retain on an ongoing basis, so that only records you still have a reason to hold are kept on file.

Communication with your customer base is also essential. Before writing to anyone, though, decide on which lawful basis you hold each category of personal data. Consent is only one of the six bases GDPR allows; for existing clients, performance of a contract or legitimate interests is often the appropriate basis, and in that case you do not need to ask for consent again. Where you do rely on consent, for example for marketing emails, it must be freely given, specific, informed and unambiguous, so pre-ticked boxes or silence do not count. You could then prepare a generic client letter with a brief outline of what you are doing to become fully compliant, explaining the basis on which you hold their data and allowing them to check and correct any existing records. For data you hold only on the basis of consent, request written consent to keep it on file, with a caveat that if no consent is received by a specified date the data will be deleted from your systems.

When completing these tasks, update the underlying processes as well: review consent forms, HR, client and supplier contracts, and every other point at which you collect data, so that each record carries the information you need to manage it (the purpose and lawful basis for holding it, and a retention period or deletion trigger) and is removed from your systems when it is no longer relevant to your business.

Once the above steps are complete, consider applying for Cyber Essentials certification. Note that Cyber Essentials is a UK scheme covering basic technical security controls; it does not certify GDPR compliance and should not be presented as doing so. It is still worth having, because GDPR requires you to apply appropriate technical and organisational measures to protect personal data, and an independent assessment of your baseline controls is good evidence that you have done so.

There’s not long to go, but by putting a concentrated focus on GDPR and following the above steps you can achieve compliance. As we have demonstrated within our small but thriving creative business, being a GDPR-compliant SME need not be as onerous as some might fear, but you will need to get things moving quickly.

Colette Reid is Group Services Manager at creative consultants LEWIS