GDPR advice for small businesses

GDPR for small businesses – simple steps you can take to protect personal data

It’s almost 12 months since the General Data Protection Regulation (GDPR) came into force, replacing existing data protection rules with something far stricter and more comprehensive.

While GDPR arrived amidst a fanfare of media coverage and online chatter, the noise was quick to die down and for many small businesses, it seems to have taken a bit of a backseat. Indeed, a recent survey has revealed that only 35% of SMBs have a basic data protection policy.

But the true impact of GDPR is now starting to be seen, with companies being hit with fines for non-compliance. Financial penalties totalling more than €56m have been issued for GDPR breaches since last May and there have been more than 200,000 cases reported.

While a majority of the fines dished out to date have hit the pockets of larger organisations (Google alone being ordered to hand over $50M!), momentum is building and this should act as a wake-up call for any small and medium-sized businesses who haven’t yet managed to get their heads around GDPR compliance.

So, what should you do?

Here, we’re going to take a closer look at the practical steps small businesses can take to ensure their data management systems are up to scratch.

The good news is that being GDPR compliant doesn’t mean you have to shell out thousands on new IT software and fancy kit. There are many quick and easy steps you can implement right away to bolster your data security and processes, along with upgrades to consider that could bring greater long-term benefits for your business while helping you comply.

The key to getting it right is understanding what data you currently hold and how you are managing it… but first, here’s a quick recap.


Quickfire guide to GDPR

What is it?

In a nutshell, GDPR offers greater rights and protections for EU citizens with regards to their personal data and how it is handled and stored. It’s there to make sure companies take their data handling responsibilities seriously, an issue that continues to dominate the news headlines thanks to the likes of Facebook and other high profile cases.

What does it mean for businesses?

If you’re a business trading in the EU and you hold personal data (which all businesses are likely to do) then you need to ensure you’re up to speed on the rules and have the right systems and processes in place. Far from being simply a tick box exercise, complying with GDPR requires planning and in some cases, a complete change in procedures. It’s not something that can be achieved overnight, so the sooner you get stuck in the better.

Who does it apply to?

GDPR compliance is compulsory for all businesses operating in the EU, even if a company isn’t physically based here. It applies in all contexts and across all sectors, whether you’re a huge multinational, SME or one-man-band.

What are the consequences for non-compliance?

As we’ve touched on, the penalties for getting it wrong – or for not taking action – can be steep. Firms can be fined 20 million euros, or four per cent of an organisation’s global turnover, whichever is higher. And while it may seem unlikely that a small company would be investigated, anyone can report your business to the UK regulator if they’re not happy with how you looked after their data. Even competitors.

What is classed as personal data?

GDPR centres on ‘personal data’, which it classes as anything that can be used to identify someone. Here are some common examples you might find within a small business:

• Customer names, addresses and email addresses
• Supplier names, addresses and email addresses
• Employee names, contact details and photos
• Job applicant CVs and application forms
• Names and email addresses of those signing up to receive a newsletter or other marketing communications

How you got the data in the first place, why you have it, what consent the individual has provided for how you might use their data, and even how long you keep the data for are all issues that now need to be considered. But it’s not just sales and marketing teams who are under scrutiny. Personal data is used and accessed by all sorts of people within a business, so you need to look at the complete picture.

We’ve just provided a snapshot of the regulations here. For more detailed information, make sure you grab a copy of our comprehensive free guide: What is GDPR?


How can you safeguard your data?

The GDPR compliance process should start with a detailed audit of your current systems. Once you understand the current picture – including what personal data you hold, why, who has access to it and how it is currently being stored – it’s time to review your processes and policies (if you have them!).

If you don’t have a data protection policy or IT policy in place yet, then it’s the perfect time to introduce them. Even if you’re a small business, these are important – not only for GDPR but also to protect your business.

It’s about securing your data, but also having an ongoing process for keeping that data secure and making sure your processes are up to date.

At Dragon IS, we work with small to medium sized businesses to help them understand the implications of GDPR and also what their options are when it comes to IT security. What teams often don’t realise is that there are some easy steps you can take to bolster your data security, without breaking the bank.

Here are some examples:

• Make sure your network is protected from attack by using a robust firewall that can be monitored.
• Use relevant anti-malware software to prevent malware attacks.
• Reduce the use of removable media and make sure you scan removable media like USB drives before using them. If you back up and store data on USB drives, then protect those drives with encryption.
• If data is used, accessed or stored on company laptops, make sure you secure your laptops using drive encryption and endpoint protection.
• Manage user access to sensitive data and make sure you know who has access to privileged data within your organisation.
• Use platforms such as WhatsApp, which have end-to-end encryption.
• If you are working remotely, ensure that you use a VPN or an SSL-encrypted means of accessing sensitive information.


Free GDPR consultation

At Dragon IS, we know that understanding and complying with GDPR may seem like an impossible challenge, especially when you’re a small business with limited time, money and resources available. We can help.

We can support you to create a GDPR framework that ensures both the data you hold and your wider business operations are protected and as efficient as they can be, and that they can grow with you.

If you want help cutting through the jargon and to feel confident that you have everything covered, then why not have an informal chat with our team? As a first step, we are offering a free GDPR consultation.

To claim your free GDPR consultation, please call 0330 363 0055 or email