There’s been so much noise about the new data protection regulations (the GDPR) coming into force on 25 May. It’s hard to work out what’s relevant, what may urgently and realistically need attention and what is just more ‘noise’, or worse, scare-mongering.
As a small business ourselves, with fairly significant data-handling activities, we asked one of our expert partners, KLDiscovery, THE data experts, what they think about whether small businesses are sufficiently prepared – and if not, what our biggest priorities should be right now...because we’re discovering that a lot of our small business peers are still feeling a bit overwhelmed by it all, just as we were.
James Bowling is one of KLDiscovery’s electronic evidence consultants. We asked him our 3 burning questions and collaborated with him and his colleagues to produce several practical guides about optimising data handling in your business. You can find these guides on Farillio (check out the link at the end of this blog).
Farillio: Do you think small businesses are sufficiently prepared for the GDPR?
James: It is very variable, to be honest.
Compliance with GDPR is a serious issue, but there has also been a lot of scaremongering, which is counterproductive.
For small businesses in particular, GDPR compliance need not involve enormous time and expense. It is fundamentally about getting your data house in order and making a few updates to your procedures – which, aside from legal compliance, is something that has benefits across the business.
These benefits can range from driving efficiency, helping your employees to work well (which, aside from productivity benefits, also boosts morale) and improving business intelligence, to dealing with a range of legal issues, including requests from individuals to see what data you hold on them (Subject Access Requests) and better managing any employee or trading disputes.
Where small businesses are not prepared, it is usually because they don’t know where to start, or because they lack the resources and advice available to larger organisations – which is where Farillio can assist.
Farillio: What’s the biggest priority for small businesses in getting prepared and understanding what's relevant to them?
James: The biggest priority right now and the best starting point is to ensure that you understand and have clearly identified what data you are controlling, what you may be using (called ‘processing’) and where it is.
You might obtain personal data from a number of different sources, like job applications, employees filling out personnel profiles when they onboard, marketing campaigns, people signing up for subscriptions or to buy products and services from you, sales meetings and events, for example.
Some of this data will be straightforward personal data. Some of it might be more sensitive and fall into specific categories identified by the legislation, requiring you to treat it with even more care. Sensitive information includes information like an individual’s race, gender and religion. You’ll need to ensure you’ve comprehensively identified all types.
You definitely need to put in place a proactive system for managing and deleting this data (if you don’t have one already), as well as the ability to display that personal data on an individualised basis, to anyone who requests sight of their own data that you control.
Just doing this will enable you to identify the basis on which you are controlling and processing data.
Then you can make sure that, in relation to each of the activities you’ve identified, you’ve got a lawful reason for doing it – and in many cases, you’ll need to prove you have the express consent to do it from the individuals whose personal data you’re handling.
Once you’ve got a handle on this, you’ll be able to complete or update the relevant documentation that you need to have in place, like privacy notices (for your website, employees and more generally), which declare what data you’re controlling and using to those who have a right to know – most especially those whose personal data you’re handling.
You’ll also need to consider whether you need to update your employment and trading contracts/terms. You might need to change some employment policy documents (or content in your staff handbook, if you have one).
And finally, you should think about how you’re currently marketing to your customers – existing ones and target ones – and whether you have their permission to retain their personal contact details (and any other details about them) in your files and on your systems.
Farillio: What do you think is typically the biggest GDPR-compliance vulnerability for small businesses?
James: Disorganised IT systems (and it isn’t only restricted to small businesses).
Not having well-organised and centrally administered networks makes all other aspects of GDPR compliance much more of a headache – from data security to data deletion, to trying to find relevant information quickly to respond to a Subject Access Request.
To find out how to put James’ advice and observations into action, use Farillio’s pragmatic ‘how-to’ guides and videos.
We’ve unlocked the top 3 of them for free – to make it as easy as possible for you to get a clear and calm handle on what needs to be done. Or to double-check that you’re doing all that you need to, if you’re already feeling on top of these new rules. Head over to gdpr.farill.io for free access.