GDPR compliance for your small business: where to start?
The GDPR (General Data Protection Regulation), successor to 1998's Data Protection Act, is more than a slightly enhanced reproduction of the Data Protection Act. The GDPR establishes far stricter regulations that could cost small businesses. Our small business GDPR compliance guide with the essentials you need to know.
What are the risks to your business?
If you are not yet aware of the GDPR, it is the EU's long awaited solution to bringing data protection legislation into line with new ways data is used. It almost completely rewrites the Data Protection Act of 1998 to include a more comprehensive set of regulations, as well as fines that could put many small organisations out of business.
As the GDPR's May 25th implementation date has become closer and closer, the ICO (the UK's Information Commissioner's Office which is working along side the European Parliament, Council and European Commission) has released more information as to what the risks to small businesses are. The main risk would be the ICO fines, these can be 4% of a company’s annual turnover, or a 20 million euro fine. Whichever is more!
On top of this, there are also other risks to your business including class action lawsuits, data subject compensation and reputational damage to your business. The only caveat here would be that until we start seeing real world examples and companies being taken to court, the effects GDPR will have on businesses remain subject to interpretation.
Where should you start?
I have some good news and bad news for this section. The good news is that there are plenty of resources online, as well as offline as to how to become compliant. However, the bad news is that there is also some very poor advice being sold by companies looking to sell their own software. I have seen plenty of online advertisements from companies claiming that their software is the one-stop-shop to full GDPR compliance, when the reality is that this isn’t the case.
The other thing to consider when it comes to becoming GDPR compliant is your organisation’s approach to data security. Although much of the GDPR is simply best practise, it is up to you to research more about it to find out the tasks you need to complete to become compliant. This leads me on to my next point…
Before speaking to anyone else about helping you become GDPR compliant, you need to ensure that you look on the ICO website. The ICO are trying extremely hard to help all businesses become GDPR compliant in-time for the May 25th deadline. Because of all of this, their very own GDPR experts are creating some fantastic content to help you learn more about this new regulation. It is also a common way of thinking that the ICO will, should you ever have to be investigated, look more favourably on you if you have been following their guidelines.
The ICO has even produced a 12-step guide to becoming GDPR compliant. I believe this is the best piece of content currently out there, and this should always be your starting point when you are learning about GDPR and what it takes to become compliant. Along with this, there are also some fantastic webinars, seminars and workshops out there that you can attend. But be very careful here! I have attended GDPR events where the presenters are also working with very limited knowledge, so be careful who you trust to guide you through the process.
Conducting a gap analysis
Now that you have read the start of this article, it is essential that you create a baseline of where both you and your organisation are today in terms of GDPR compliance. There are different ways to do this, but I always start by breaking out the organisation into three categories:
- Do my people understand the requirements of GDPR?
- Do I have the processes in place to ensure compliance?
- Is my technology set up to ensure compliance?
I would then break these down into finer detail, identifying the gap between where the business is today and what tasks it needs to complete to avoid those hefty fines associated with non-compliance.
Plan and act
All this information should give you a great starting point into what you need to do to ensure you are compliant by May 25th. Making sure you have a comprehensive list in place of all the tasks you and your organisation need to do to ensure you are compliant. Not only will you find this very useful, but it will also make the long process seem a lot easier as you are checking off tasks!
Document your SME's GDPR compliance progress
As a very last step, do not forget to document actions and progress. As well as being a great way to show the ICO that you have been taking your responsibility seriously, it will also help you appreciate progress and evolve your plan.
Remember, the GDPR is not something you need to do just once, it is an ongoing process. Every small business needs to ensure they are constantly updating their processes to ensure they remain compliant as the GDPR becomes more and more comprehensive.
Emma Holloway is a marketing executive at 5th Utility Ltd. which provides IT support and managed IT services to SMEs across the UK.