The GDPR Parallels :
If we are honest, and that’s the best way to be, the GDPR has been a long time coming. The current data protection legislation was well overdue for modernisation. Most companies are already dealing with processes similar to the GDPR, but many may not have drawn those parallels. Once those parallels are recognised and acknowledged, bringing it into a business can be smoother than initially thought.
Every year as a nation we always seem to be surprised that things happen – like Christmas, or School Holidays, or Birthdays. Despite having plenty of advance notice they still creep up on us. Every time we also seem to have to reinvent the wheel – ‘this year I’ll do all my shopping online’, or ‘I’ll send a card from MoonPig as opposed to picking one up from the supermarket’. Yet deep down inside we all know what works best for us, what time and again has fitted in well to our time-starved lives to help us get through these challenges of life.
I can’t tell you what yours are, but you know them. You know which shop sells the gifts you love to give, you know the best time and best location to take your family on holiday – and more importantly, when you need to book it by. You do, you know all of this. So why do we get so stressed? Perhaps we are looking for continued improvements, shortcuts or a better deal. Perhaps we think that since the last time we did something there had been a major shift in society where a new process has been invented that is revolutionising domestic life – but somehow we just didn’t get the memo about it. We don’t need to get stressed, we have done this before.
So where am I going with this? GDPR – those four letters that are inducing panic across businesses at the moment has been approaching for a while, just like my Mothers birthday, but there is no need to go into total meltdown, despite there being only just 2 weeks to go. Better to perhaps realise that many of the processes and procedures that you need for the GDPR compliance have been in place within your business for years, you just haven’t noticed.
It’s all about process..
A business runs on process, even if the marketing material and website sing about innovation, paradigm-shifting products, or service of such elegance that you would be a fool not to be using it. Behind all of these words is process. How do we get raw materials in, make something with it and then ship out a product – process. How do we email all our customers and tell them about a special offer just for them – process. How do we ensure that health and safety is being adhered to within our business – process
The GDPR can relatively easily be distilled down to process. What data do you have, where do you keep it, what are you using it for, how long do you keep it, who has access to it and how do you secure it. That’s process. Now depending on how efficient your IT has been to date your process may be a little, dare I say, idiosyncratic, but it is process none the less.
Even at this late stage in the GDPR game, and for SMEs many are feeling the pressure and starting to sweat, I would wholeheartedly suggest that you sit down with a few of your key people and list out the six elements to the process I illustrated earlier, then discuss it.
When this is usually undertaken there is a gentle realisation that the detail needed to understand these processes is already in existence and thus doesn’t need to be created from scratch. Your team will be able to tell you what data you have – financial data, customer data, supplier data, HR data, communications data (emails and IM) and probably a few more.
But remember that all your data is not just IT related. The GDPR states that any data that can identify an individual person has to be protected. Does the signing in book on reception hold such data? Yes, a name, an email address and a phone number and maybe even a car registration number can be used in conjunction to identify someone. What about those paper records that are stored and will ‘one day’ be sorted out. Yes, they do and now is the time to sort it. Once you start looking for data you will realise that it comes in many, many forms.
Grab a pen, a piece of paper and a cup of coffee ..
List these out and quite quickly within an SME you’ll be able to determine where it is stored – on site, in a co-location facility, up in the cloud, in folders, in archive boxes, in filing cabinets and many more such places.
Who has access to your data? Well within an SME the list of employees is never too long and most are still known personally to the individuals who are working on their GDPR compliance. So matching names to data is almost as easy as creating a little mind map or a little spider diagram. In a couple of cases, people doing this process have almost enjoyed it – who knew that the GDPR could be fun!
Data also changes, hourly, daily, it is not a static medium. It comes into your business, is received by someone, saved, forwarded, changed and actioned. It moves through your business and out again. This pathway, this data journey is worth considering as at any point in its journey and could be compromised. A simple example here is how often people may be tempted to take work home and do this by emailing work documents to their private email address. That is technically a data breach and can no longer be allowed. But these little workarounds and how data moves need to be understood and managed as part of this process.
How is it secured? That usually scares people, but fear not, because once you know where your data is stored you can find out, either by asking IT, or if it’s stored by a third party – in everything from DropBox to Google Drive, those third party companies have to state their security credentials which you can take and build into your GDPR plan. The same goes for your paper records. Are they locked away, who has the key? Can photocopies be made easily by anyone, or do you need a governance process to maintain security of this information?
Now I’m not stating that in amongst this process you won’t discover a few issues, problems and causes for concern, but once you know them you can do something about them in plenty of time. All of this work can be done in-house, relatively swiftly and relatively painlessly. Just don’t leave it any later then absolutely necessary.
Saying that I need to go. It’s my anniversary today and I have a few things to do.