29 November 2018

7 things you need to do to keep your SME GDPR compliant

Reports of data breaches to the ICO have doubled since May; now is the time to get processes in order to avoid facing a fine

The 26th May 2018 marked a date when SMEs across Europe breathed a collective sigh of relief: they had met the GDPR deadline.

However, in the six months since the regulation came into force, SMEs are only starting to realise the level of work needed to ensure ongoing GDPR compliance.

While business as usual must continue, there’s no denying that workloads have increased. With reports of data breaches to the ICO doubling since May, companies that have been lax in their data tracking should get their processes in order now to avoid becoming one of the first organisations to face a fine. So, what steps does an SME need to take to maintain compliance?

1. Data stocktaking

As the GDPR deadline approached, guidance on what data needed to be captured was woolly. As the new year approaches, now is the time for your business to establish where data lives and moves in the organisation, and whether you are clear on what is and isn’t GDPR compliant.

2. Categorise data

The next step – and one which we continually see to be the biggest pain point for SMEs – is marking and categorising data in an inventory. It can be daunting for SMEs to do this, and it’s often something they don’t allocate time to. If you don’t know where to start, consider bringing in outside help to achieve data inventory compliance for you.

3. Check contracts

As part of your supplier contracts, it’s important to review and ensure that there is clarity on how data is shared between the parties. While you won’t need to rewrite a contract (an amendment will do), take the time to check either way and act if needed.

4. Supplier compliance

It’s not enough to know that your organisation is GDPR compliant; you also need to make sure that the suppliers and other companies you work with are too. We have seen organisations lose business as a result of not being compliant. However, it will ultimately come down to whether you want to take the risk of working with a non-compliant business or not.

5. GDPR lead

No matter how big or small your business is, appoint a GDPR lead, formally known as a Data Protection Officer (DPO). This individual should understand GDPR’s ins and outs and ensure that data flow is being tracked correctly. While there is no official certified training currently available for this role, you can speak to organisations like the ICO and business advisory organisations, who can provide guidance on what you need to know and the actions you may need to take in the case of a breach.

6. Consider the cloud

The cloud could become your company’s GDPR best friend. The major benefits of the cloud are the security, flexibility and protection it affords a company and its data. Many major cloud providers are already supporting the regulation and are encouraging businesses to move to the cloud for the security it provides – a significant bonus in ongoing GDPR compliance.

7. Don’t sit idly

Just because the deadline has passed doesn’t mean that SMEs can ignore ongoing compliance. While there haven’t been any fines imposed on a business yet, no one wants to be the first. To avoid being one of those companies, it’s vital that SMEs are proactive in maintaining their GDPR compliance and treat it as part of business-as-usual activities.