It’s August 2018, three months since the General Data Protection Regulation (GDPR) came into force and your small-sized digital marketing agency has just received its first ‘right to be forgotten’ (RTBF) request.
As a marketing agency, your business model revolves around customer data. At the same time, you outsource your payroll, human resource management and pensions, along with your IT systems. This creates a convoluted data supply chain, which you will have 30 days to sift through to find and delete every record of that individual’s information – unless there is a competing legal requirement to retain it – or risk breaching the regulation and potentially facing a damaging fine.
This is the reality that every business operating with EU citizen data will face in just over a year’s time and will be one of the most challenging elements of GDPR compliance.
The majority of small businesses have no mechanisms to record where data is sent or saved, let alone which data should be kept or deleted. Without the right processes or technology in place, finding just one individual’s information can take the time and resources a small business cannot afford to spare.
The first step is understanding the GDPR’s requirements and how they relate to any existing regulation you already comply with. For example, you may be required to keep financial transaction data for a certain period of time, and you almost certainly hold HR data, including payroll information, which you already keep and protect. Understanding those regulations, the information you currently hold and how it’s protected is a good place to start on the road to GDPR compliance.
An information discovery audit
Once that review is done, you’ll be in a better position to conduct an information discovery audit to understand exactly where the personal data you hold can be found. Most of this information will be about employees, suppliers, or customers and prospects. Much of it will be in obvious places like CRM databases; some will be harder to locate, such as files produced from generated reports, which people keep on their laptops, on file servers, in the cloud or on collaboration platforms. Easy-to-use solutions are available to perform data-at-rest discovery scans that identify files containing GDPR data, whether they sit on laptops, file servers or cloud collaboration sites. All of these are places where an RTBF request might require action.
However, the task becomes more complicated when you take into account the operations your small business has outsourced, such as the bank details sent to a payroll or pensions provider, the contact lists sent to a telesales company, or even the order form you’ve shared with your logistics provider via cloud applications such as Dropbox or WeTransfer. Even when the information leaves your organisation, the data is still your responsibility, so you need to know who you’ve shared it with so that you can pass on a corresponding RTBF request.
Mapping the flow of GDPR data through email and the web, in and out of your business, will give you an understanding of which organisations are holding your critical data. Ultimately, monitoring and scanning for critical GDPR information will highlight what you need to do to be compliant, what you are already doing and where the gaps are. Compliance requires three different areas to be considered: people, processes and technology.
People are an organisation’s biggest strength and biggest weakness. They make mistakes, store information in the wrong place, and use shortcuts that frequently put data outside the control of the IT department. Companies need to understand how their employees share information, and look at education or awareness programmes, or cultural changes, to plug the gaps.
Processes and associated policies are not just about preparing for an RTBF request, but also about defining the action a business will take when it gets one. Other processes will need to be updated or introduced in order to become compliant. Becoming compliant is really about good data governance and reducing risk: limiting who can access and share certain information, preventing information from leaving the network, and putting contracts in place with suppliers that dictate how they may use personal data.
Technology can help GDPR compliance by automating manual data protection processes, enforcing security policies, providing visibility of data flowing in and out of an organisation, and protecting both the people and the business. What’s more, adaptive security systems can be set up to automatically and consistently redact GDPR information from any communication, based on policy, especially when it is leaving the organisation. This helps avoid human error such as an email sent to the wrong person, while also saving a company from redesigning many processes, such as applications that automatically generate customer reports.
How ready are small businesses?
Small businesses are among the sectors most at risk of not being ready for the GDPR. Many aren’t aware of how much it will affect them, adopting an attitude of ‘it doesn’t apply to me’, while others lack the knowledge or resources of their medium to large sized counterparts to implement an effective GDPR strategy.
However, by focusing on the right areas and prioritising the right processes and technology, your business can be fully equipped to comply with the GDPR and to handle that first RTBF request. While it may seem like additional and unnecessary bureaucracy, there are rewards if you get it right. Most importantly, improved trust with existing and prospective customers and clients, as well as with partners – a significant factor in a small business’s ability to grow. We have a year; if you’re not already prepared, today is the day to start the journey towards compliance.
Guy Bunker is senior vice president of products at Clearswift.