GDPR is fast approaching, is your SME ready?

3 Apr 2018

Big businesses the world over have whole fleets of legal advisors and compliance experts to help them navigate the world of data protection in the face of the new General Data Protection Regulation (GDPR).

But what about the rest of us?

Most companies don’t have a huge legal department to advise them on new legislation. They have their solicitors, of course, and probably someone on the team who has made it their business to know about these things, but there’s a lot of work needed to get a business ready for the changes due out next month.

All this work comes on top of the normal day-to-day operations. It’s a dizzying prospect and one that some SMEs have been avoiding for several months.

With the deadline (25th May) fast approaching, however, the time to face the music has come.

But where to begin? It can feel overwhelming, but we’ve got four steps you can take that will help kick you off on your journey towards GDPR compliance.

Step 1: Learn the lingo

The language surrounding GDPR is complicated. I’m not talking about the legalese the document itself uses, I’m just referring to the words they use to describe data and the people who use it!

Here are the key ones:

Data subject: the person the data is about

  • You have an email address for Bob Smith, he’s the data subject.
  • Important to remember that COMPANIES can also be data subjects.

Data processor: the person (or company) that actually handles the data

  • So Mary in marketing who sends the emails via OpenCRM. Both Mary and OpenCRM are the data processors.

Data controller: the person who decides what should happen with the data, the one who makes all the rules

  • Your MD, for example, is probably the person who ultimately decides whether or not Mary should be emailing Bob at all.

Then you’ve got all the rights that the data subjects will get with GDPR…but hold on, we’re not quite there yet.

Step 2: Identify the data you currently have

This is a big one: you can’t protect data you don’t know exists. So an audit, I’m afraid, is in order.

And don’t forget, this includes data about people regardless of whether it’s held on paper, on your computer, in the Cloud, or even chiselled into stone…although I don’t know many businesses that use stone for record keeping.

Getting a feel for how much data you have and what it actually is (emails, names, addresses, bank account numbers, etc.) is a vital part of protecting it.

Step 3: Write down a plan for what you want to do with this data

Do you want to keep it? For how long? When do you think is “long enough” to hold onto a data subject’s information?

You’ll of course need to take into account your other legal obligations (HMRC springs to mind), but having a documented data retention plan is essential.

After all, how else are you going to start implementing it?

Step 4: What will you do if someone makes a request?

There are a number of new rights that data subjects will get under GDPR. Several of them give data subjects the right to make requests of you: specifically, the right to have incorrect data you are holding amended (maybe their name is spelt wrong), the right of access (so they can see what data you do hold), and the right to be forgotten.

You need to make a plan for what you want to do in these cases. Check out the ICO’s guide on preparing for GDPR, they’ll explain each of these and what your responsibilities are with them.

But once you know what you want to do, write it down. Document your policies. This is an important element in making sure that everyone on your team and your suppliers (your data processors) are made aware of them.

And that’s not really the end, but it’s a good start. The important thing is to get started…especially as the deadline is almost here!!