There is plenty of commentary on this mandatory measure (the EU General Data Protection Regulation, GDPR), which comes into force on 25 May 2018. Most commentators list the same sort of detail without filtering it much for small businesses, and it can take ages to sort the wheat from the chaff.
This blog is an attempt to help make it easier for small business owners to comply. It highlights some things you may have to do, and some that you may not, with pointers to some areas you should be thinking about anyway. It is not a guide or an exhaustive list.
The regulations are EU wide, and the Irish government has produced A Guide to help SMEs prepare for GDPR, which does exactly that and is quite short. There are more resources at the bottom of this blog.
Whilst wide ranging, the regulations embody good practice rather than producing many new requirements. The maximum penalties are draconian, but an SME is unlikely to face them unless it is reckless in the way it deals with data and with the people whose data it holds.
Keep what you need and no more, remove what you don't need, and safeguard what you keep. If you deal with children or vulnerable adults, or hold data on ethnicity, health or other more sensitive details (the GDPR calls these "special categories"), you need to do more. Otherwise, you should be able to demonstrate compliance relatively easily and cheaply.
But you do need procedures that demonstrate you have taken this seriously: knowing what data you have, where it is and what it is used for, and, importantly, making sure your people know what they can and cannot do with it.
NEED NOT DO
The GDPR does not tie the need for a Data Protection Officer to headcount. A DPO is mandatory only if your core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data (or you are a public authority), which rules most SMEs out. The 250-employee threshold applies to the duty to keep formal written records of processing activities, and even that exemption falls away for non-occasional processing that carries risk or involves special categories. In practice, a typical SME escapes most of the form filling that comes with a larger organisation, but not the basic record of what data it holds and why.
NEED TO DO
Bring Your Own Device (BYOD). Personal phones are often used by team members and can hold customer phone numbers and other details. You can issue separate mobiles, but it is simpler and cheaper to incorporate into contracts of employment a term that requires personal mobiles used for work to be encrypted, protected by a screen lock, backed up and capable of being wiped if lost. A contract term on its own changes nothing on the phone, so check that they actually are.
Sending data. Do not send personal data by email in the clear. Encrypt the file and pass the password by a separate channel (a phone call or text, not the same email), or use a secure document exchange, as we do. Again, ensure your team knows the procedure, and what not to do.
The cloud. Check that data held in the cloud complies with the GDPR, especially if it is held outside the EU or on racks of servers mirrored across countries. Recognised mechanisms exist for transfers abroad (at the time of writing, the EU-US Privacy Shield and the EU's standard contractual clauses), so it may be that you just need an assurance from your cloud providers about where your data sits and which mechanism covers it, preferably written into their terms and contracts rather than given verbally.
Documentation and team training. Fail to document and it will be assumed that you are in breach of the regulations, just as it is for employment law and health & safety issues, for example. That doesn't mean you have to detail everything. Write down the basics and make sure you also document your team training, which can simply be an email to each member telling them what they need to know and do, and where the procedures and further information are held. Perhaps a series of short briefings will do what you need. Make sure that when a team member leaves, you remove their access rights immediately: email, cloud services, shared drives and any company data on a personal phone. It's good practice that protects you, and it means this aspect is GDPR compliant. Make it a procedure. In other words, write down a lot of what you already do.
Cyber insurance. If you don't have it, get it. It is not expensive and it will cover you for what can be a very large cost, which is not the fine but the reinstatement of the data so you can keep trading. It has more benefit than just GDPR compliance: in the computer age, loss of data can mean the end of the business. A simple backup routine won't be enough. You should have a disaster recovery plan, and you should test that you can actually restore from the backups it relies on.
Map data flows, so you catch every place where you hold data. One commonly forgotten place is where you keep CVs from job applicants. A lot of businesses receive them by email and file them in an employment folder, but keep the email as well and never delete it. How long should you keep a CV for an unsuccessful candidate? Common practice is 6 months after the job is filled, so that there can be no comeback from someone who thinks they have been unfairly treated. Set the procedure, apply it to the email copy as well as the filed copy, and follow it.
Hixsons have produced a series of short checklists for our clients on:
Training – draft memo to team
Basic info – why you hold data, what you do with it, where it is etc
Risk management checklist/standing data
Data request procedure
You do have some work to do by 25 May, but it's not as daunting as it could be. Use the procedures to streamline your business: you may be surprised at how much you can declutter and make everything flow more smoothly and more cheaply.
RESOURCES
The GDPR and you (Irish government)
The GDPR and you microsite for organisations (Irish government)
A Guide to help SMEs prepare for GDPR (Irish government)
Preparing for GDPR (Information Commissioner's Office, ICO)
Getting ready for GDPR (ICO, comprehensive)