Getting Compliant With GDPR - What's The Verdict?

Published on: 21st June 2018

We've seen and spoken to hundreds of businesses over the first few weeks of the new GDPR legislation, and the feedback so far has been extremely interesting.

It's been plain to see that the tremendous marketing and advertising campaigns from the ICO, especially their headline on fines, have caught most people's attention. The tornado of emails whirling around during May, that tried to seek consent from people to be on various mailing lists, also affected just about everybody. The occasional #GDPRfail also attracted notice on the social media channels.  Plus we saw the increasing complaint about GDPR being a four-letter-word in many businesses and households.

As the dust has settled we've seen a variety of responses to the nitty gritty changes that are required by the new law.

At one end we've seen a handful of businesses flatly refuse to engage in any conversations about GDPR; some through simple lack of interest, and others through calculated risk taking. The latter have included a couple who have said a fine couldn't cost more than £x whereas implementing the necessary changes will cost many times that. While we fundamentally disagree with the approach, the economics of change are interesting, and on that basis alone, quite challenging.

At the other end we've seen a handful of businesses, who are already in great shape as far as data protection measures go, use GDPR to put the icing on the cake. They're already registered with the ICO, have DPOs in place, and now have adjusted their existing data protection documents to suit the guidelines in Article 30.

The vast majority are in various places on the journey towards compliance, and their experience is much more varied.

SMEs have a Mixed Experience of GDPR

One of the biggest side-effects of GDPR for most small businesses has been the realisation that not only do they need to check and improve their IT systems, but that they also need to address their staff training and data handling guidelines too. Most small businesses have little time for admin, needing to focus on production and service delivery to stay in business. The amount of additional research, learning and training that has been required to improve their data protection position has been a shock in many cases.

There has been a significant realisation among those that have started to really engage with GDPR, that this is a business-wide issue, and one that relies on staff to implement it. There have been several articles published recently describing the importance (and difficulty) of embedding data protection in staff teams. This is particularly sobering when 58% of reported data breaches are as a result of staff/internal errors / negligence or malice.

Similarly when exploring the security and resilience of IT systems many owners have discovered alarming weaknesses in their businesses. Disaster recovery and single-point-of-failure have been common in the themes discussed in forums and on social media. Many people have reported that they've realised that they had no backups in place, weak (or no) security, no rights management process for issuing login details to staff and visitors, and so on. These specific weaknesses have been uncovered as part of the internal auditing for GDPR.

Working Together to Support Small Businesses

#ukGDPRtogetherThis has been something we've been keen to address, and as a result have set up the #ukGDPRtogether hashtag on Twitter, to draw attention to the fact that all parts of the business community need to work together to address data protection goals. It's not just about software like PYXI for GDPR, it's also about training, HR,  employment contracts, service contracts, IT systems and more.

The current state of affairs is still very confused and confusing. There's still lots of conflicting expert opinion flying around, often masking a sales pitch, and the only guaranteed source of information is; however there is still much detail missing from the GDPR guidance for small businesses in particular. Even with the recent FAQs on their site, there are so many different, unique use-cases and questions that it's going to take a long time before everyone gets a firm fix on where they stand, and what they need to do.

Get Started with an Audit

In our view, the best first step (which echoes the ICO's advice) is to start to audit where you are now. Write it all up, warts and all. What you're doing, who you're doing it with, where things are, and so on. Map it all out and then think about whether the current practices can be improved. Our GDPR Software, PYXI for GDPR uses simple wizards to help get this first step started, and prompts you to look at things that might have escaped your attention. Once you have a clear picture of how things are, it's so much easier to develop an appropriate response to GDPR, and find the right people to help you to get it right.

PYXI GDPR Team: 21st Jun 2018 09:58:00