Actually, GDPR is not as big a deal as you might think. Don’t make the mistake of focusing all your attention on this particular piece of European legislation – you might needlessly neglect the parts of your business that really do need your input.
So what do I need to do?
You can avoid getting bogged down by GDPR by realising that it only requires three simple steps:
- Recognise the personal data collected, used and managed by your business,
- Organise appropriate storage for that personal data,
- Ensure the data remain protected.
It’s just common sense
Recently I have worked with many small businesses on their GDPR compliance. Most of them discovered that they already had a procedure in place that they could re-use and adjust for GDPR, even though it was neither official nor in writing, and its original objective was simply to protect their business.
If you think about the process you have for deterring ex-employees from stealing the client database on their way out of the building, or your company’s method of stopping fraudsters by requesting several levels of identification before access is granted to your server, you’re in the right ballpark. Those are processes you can use.
Expanding your scope
To comply with GDPR, the objectives of most businesses simply need to expand slightly, to include the protection of stakeholders as individuals.
First of all, your employees should be reminded of their obligation of confidentiality and loyalty. If you do not have a confidentiality provision in their contract, you need to add this element – particularly if you do business with self-employed people.
Then you can adjust your internal procedures. For instance, you could put in place access segregation so that your employees can only see the information they need for their own projects.
Once the safeguards are in place so that most of your stakeholders follow the procedure, put regular controls in place to check that everyone actually follows it.
Hiring ethical executives
Recognise, too, that there are very few safeguards that can be put in place to segregate the data accessed by top executives. Executives need access to all company information in order to understand the constraints within which their organisation operates and to make the appropriate decisions.
Top executives will always have to show the way – organisations rely heavily on their ethics. Particular attention should therefore be paid to extensive due diligence at the recruitment stage to ensure that your future executives’ ethics are in line with those of your organisation.
And that’s probably all you need to do to be compliant. Put your procedure in place, make sure it is in writing and that everyone is trained in it, then conduct random checks to verify it is being followed.
Is it rocket science? No – but it takes time. If you’re feeling pushed and need someone to do the job for you, just get in touch.