EU certified GDPR practitioner and IT specialist Andrew Stellakis of Q2Q IT.
With just 6 months to go, time is running out for SMEs to prepare for the GDPR. Taking the right steps to get processes in order now is key to achieving compliance, explains EU certified GDPR practitioner and IT specialist Andrew Stellakis.
The closer we get to the General Data Protection Regulation (GDPR), awareness of what it involves and how to achieve compliance doesn’t seem to be improving – especially amongst SMEs.
A recent study actually revealed that less than one in ten small and medium-sized business owners fully understands the GDPR, or has taken the appropriate steps to prepare themselves for it.
So, what does it actually entail?
Quite simply, the GDPR is a new set of laws that come into force on 25 May 2018 to replace the existing Data Protection Directive. It will provide rules on how individuals’ information can be obtained, used, and stored by an organisation.
When it comes to the actual use of data subjects’ information, the new regulations can be broken down into six key data processing principles.
These dictate that data must be:
1. Processed lawfully, fairly and transparently.
2. Collected for a specific purpose.
3. Limited to only relevant processing.
4. Accurate and kept up to date.
5. Retained for no longer than necessary.
6. Protected with adequate security measures.
Of course, knowing where processes should be is all well and good, but it’s likely that most organisations will have a way to go before getting there. And although there is no one-step solution to achieving GDPR compliance, these five key steps will certainly help:
Carry out an audit
Current procedures should be compared to the GDPR framework and a Data Protection Officer assigned (if needed) to take responsibility for the transition.
Start a data register
This will keep track of all personal data that is processed, acting as an official audit trail should an organisation need to evidence its compliance efforts to the Information Commissioner's Office (ICO) in the event of an early breach.
A record should be kept of where any Personally Identifiable Information (PII) is stored, who can access it and how it is being processed. PII refers to any data that could be used to identify someone either directly or indirectly, and includes name, email address and phone number, to mention just a few. This classification should help businesses work out which data requires the highest levels of protection and enable them to implement security mechanisms accordingly.
Assess and prioritise
The first priority of the GDPR is the data subject’s privacy, so processing only a minimal amount of essential data is crucial. Organisations should run a Data Protection Impact Assessment (DPIA) to review all existing procedures and ensure that facilities are in place to fulfil a Data Subject Access Request (DSAR) or erase data on demand.
Remedy and repeat
Where any gaps or areas of risk are identified, necessary steps must be taken to remedy them. Compliance is a continual effort, so maintaining this careful monitoring going forwards is crucial.
Ultimately, adherence to the GDPR will not only enhance protection from some unsavoury penalties, it will also help to streamline processes, make data collection more transparent, and invoke greater trust from customers and contacts.
So, it might seem like SMEs