
GDPR – Is there still a mountain to climb for many small businesses?

Mar 24, 2019

The signs are not great

But here are some tips and insights for small business owners from Marcia French

With Brexit sucking all the oxygen out of the room as far as the country is concerned in the last year, it is understandable that data protection has taken a back seat after its great fanfare in May 2018. However, the threats to information security haven’t gone away. So, what’s been happening out in the real world of small business? Are they getting their act together now or is it still confounding them in the same way that Brexit is doing for our MPs?

 

1. Lack of publicity about GDPR

I have to say that I think the publicity about GDPR was a slow-burner. I don’t recall a big national advertising campaign similar to what HMRC do, reminding the self-employed to submit their annual tax returns. Once word started getting round and the May 2018 deadline got closer, companies up and down the land suddenly woke up to the seriousness of it and sprang into gear by bombarding us with all those consent emails we grew to hate.

This late push suggested to me that many businesses were probably forced to rush through their preparations not only because they had left it so late, but they had to demonstrate they were at least doing something to comply with one of GDPR’s core principles regarding fair and lawful processing. It was a relatively quick, but important win. However, if we were to scratch deeper under the surface to see what firms have done in the ten months since, I suspect that for many the momentum may have been lost. So why might that be the case and what can SMEs do to get back on track?

50% of respondents still confused about privacy regulations

 

2. Access to sources of information

Thanks to the internet, the resources out there to help navigate the GDPR jungle are vast. Just Google “GDPR” and you’ll get dozens of links, many of them for private businesses offering you anything from GDPR management systems to consultancy services. But which resource do you go to? Which source should you trust? Should you just outsource this project to someone else? How much can you afford? How much do you already know?

In late 2018, a survey by AON plc revealed that 50% of their respondents were still confused about data protection and privacy regulations. If this research were representative of SMEs throughout the UK, this would apply to 2.8m organisations [1]. A worrying figure when you consider that SMEs (firms with fewer than 250 employees) account for 99% of UK businesses.

In my opinion, the Information Commissioner’s Office website (https://ico.org.uk) should be the de facto resource for anything to do with data protection and data privacy. As the UK’s supervisory authority, they ensure data protection compliance within the UK, give advice and guidance to individuals and businesses alike, and have the power to impose those headline-grabbing fines we often hear about in the media. They publish lots of free resources such as downloadable templates, interactive checklists and online videos, and you can even sign up for their monthly e-newsletter and get all the latest news delivered straight to your inbox.

However, it is this breadth of information which can make it a bit of an uphill struggle for the novice. You may get overwhelmed simply because there is so much information available, but don’t let that deter you. Fortunately, the information is structured logically and takes you through step by step. Other useful sources of information include the Federation of Small Businesses (https://www.fsb.org.uk/) and the Confederation of British Industry (http://www.cbi.org.uk/). If you operate in a particular sector or industry, I would suggest you try its professional body or trade association to check what advice they give for businesses in your sector. On this basis, a lack of information about what GDPR means should not be a valid excuse for inaction.

GDPR is challenging to implement because it is complex

 

3. Difficulty applying the rules

Having grasped the basics, I think the greater challenges often lie in applying that knowledge in a practical way. What changes do you now need to make to your business processes and systems? Let’s be frank, data protection can be a dry subject for a lot of people. You can sometimes see people’s eyes glaze over at the mere mention of data privacy. Don’t forget, there’s more to data privacy than just GDPR: there’s the updated Data Protection Act 2018, PECR (Privacy and Electronic Communications Regulations 2003) as well as the Freedom of Information Act 2000. All in all, that’s a lot to get your head around.

But back to applying the rules in real life. It is challenging because it is complex. It takes focus, it takes time and it takes resources. To do it properly you need to analyse the data flows across your whole business. If you are lucky enough to have staff in-house who have the experience and skills necessary to do this kind of analysis work, then half your battle is won, but make no mistake, for most people it will not be easy. Implementing the necessary changes and gaining acceptance within the organisation is the final piece of the puzzle. Management-level buy-in is critical to success. If the managing director does not take it seriously and openly flouts the rules, or is openly cynical about the benefits of the safeguards being introduced, the likelihood of this project succeeding is low. Are you the lone voice in the wilderness banging the drum to improve data security, or are you the cynical manager who thinks it is all too onerous and that cyber criminals are only interested in the information assets of the big boys?

When developing your policies and processes, test how effective they are by working through possible scenarios to see how your people and processes would actually deal with them. For example, would you know what to do if you received a subject access request (SAR) from the aunt of a client of yours who says she gives her permission for her data to be shared with her nephew? You’ve contracted a design agency based in Singapore to re-design your company logo. You have to email them copies of your existing image files so that they can work on the new version. Does the design agency have to comply with the requirements of GDPR?

 

4. It’s all about the tech now isn’t it?

Another challenge is that data security and IT are now inextricably linked. Like it or not, technology has permeated practically every area of our working and personal lives. After all, GDPR is the EU’s effort to bring data privacy legislation right up to date to accommodate technological advances like the internet, mobile communications, social media etc.

Data controllers have an explicit obligation to keep people’s personal data secure. For some, this may mean focusing on physical safeguards and controls such as lockable cupboards, door access control systems and so on, but for most modern businesses, their critical business data is held in electronic form on a server somewhere, be it onsite or in the ubiquitous “cloud”.

Don’t assume that all your threats are external

I cannot talk about data protection without mentioning encryption. Encryption helps to ensure that individuals cannot read or change data they do not have permission to access. Don’t forget – keeping data secure under GDPR means preventing unwanted deletion or amendment as well. Don’t fall into the trap of assuming that your threats are mostly external; look internally as well. Your own staff could be malicious actors. Have you suspended the login account or changed the password for that member of staff who left 3 months ago yet?
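The leaver question above is one of the easiest things to check on a schedule rather than from memory. The following script is an added example and is not code from the original post or from any product it mentions; it works over a constructed user-directory export (usernames, last-login dates and an HR leaver flag are all invented for the example) and flags accounts that should be suspended: anyone HR has recorded as a leaver, and anyone who has not logged in for 90 days.

```python
from datetime import date, timedelta

# Constructed sample of a user-directory export (not from the original post).
# Each record: username, date of last successful login (None = never), and
# whether HR has recorded the person as having left the business.
ACCOUNTS = [
    {"user": "a.smith", "last_login": date(2019, 3, 20), "leaver": False},
    {"user": "b.jones", "last_login": date(2018, 12, 10), "leaver": True},  # left, still enabled
    {"user": "c.patel", "last_login": date(2018, 11, 1), "leaver": False},  # dormant
    {"user": "d.lee", "last_login": None, "leaver": False},                 # never used
]


def accounts_to_suspend(accounts, today, dormant_days=90):
    """Return (username, reason) pairs for accounts that should be suspended.

    Two rules: any account belonging to a recorded leaver is flagged as 'leaver';
    any other account with no login within `dormant_days` (including accounts
    that never logged in) is flagged as 'dormant'. Output is sorted by username
    so the report is stable from one run to the next.
    """
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        if acct["leaver"]:
            findings.append((acct["user"], "leaver"))
        elif acct["last_login"] is None or acct["last_login"] < cutoff:
            findings.append((acct["user"], "dormant"))
    return sorted(findings)


def sample_audit():
    """Run the check over the constructed data as of 24 March 2019."""
    return accounts_to_suspend(ACCOUNTS, date(2019, 3, 24))


if __name__ == "__main__":
    for user, reason in sample_audit():
        print(f"{user}: {reason}")
```

In a real environment the `ACCOUNTS` list would come from the directory or identity provider the business actually uses (an exported CSV is enough for a small firm), and the HR leaver flag from the joiners-and-leavers process; the point is that the two lists are compared regularly rather than only when someone happens to remember.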

Many data breaches are due to human error, and human error when using email is one of the biggest risks. How many times have we heard of an incident where someone has mistakenly sent a confidential email attachment to the wrong recipient or used the CC field instead of the BCC field? It is so easily done. What can a business do to reduce the risks around email? Products such as Egress Switch, Tessian and Microsoft Azure, to name but a few, all offer varying levels of email security and encryption, but none of these services are free and no system is 100% effective at protecting you. Therefore, you have to weigh up the cost against the risks. If you are not comfortable in the IT arena yourself, consider getting assistance from IT specialists or a managed IT service provider. They will often have a breadth of expertise across a wide range of areas, which means they are likely to have customers who have broadly the same challenges as you.
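To make the email risks above concrete, here is an added example (not code from the original post, and not how Egress, Tessian or Microsoft implement their products) of the kind of pre-send check such tools perform. It assumes a business mail domain of `example.co.uk` (an invented name) and inspects a message's visible recipients for three of the mistakes the paragraph describes: a large number of outside addresses in To/CC where BCC was meant, an attachment addressed to more than one outside organisation, and a recipient domain that is a one- or two-keystroke lookalike of our own. The sample messages are constructed for the example.

```python
import re

# Assumed name of the business's own mail domain (invented for this example).
INTERNAL_DOMAIN = "example.co.uk"


def _domain(addr):
    """Lower-cased domain part of 'Name <user@host>' or plain 'user@host'."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot typo lookalikes of our own domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_outbound(message, internal_domain=INTERNAL_DOMAIN, bulk_threshold=5):
    """Return a list of warning tags for a message dict with keys
    'to', 'cc' (lists of addresses) and 'attachments' (list of filenames)."""
    warnings = []
    visible = message.get("to", []) + message.get("cc", [])
    external = [a for a in visible if _domain(a) != internal_domain]
    ext_domains = sorted({_domain(a) for a in external})
    # Rule 1: many outside recipients can all see each other's addresses,
    # which is the classic "CC instead of BCC" disclosure.
    if len(external) >= bulk_threshold:
        warnings.append("bulk")
    # Rule 2: an attachment going to more than one outside organisation at once.
    if message.get("attachments") and len(ext_domains) > 1:
        warnings.append("attachment-multi-org")
    # Rule 3: a domain within two edits of our own is very likely a typo.
    for d in ext_domains:
        if 0 < _edit_distance(d, internal_domain) <= 2:
            warnings.append("lookalike:" + d)
    return warnings


# Constructed sample messages (all addresses invented).
SAMPLE_MESSAGES = {
    "newsletter": {
        "to": ["news@example.co.uk"],
        "cc": ["p1@gmail.com", "p2@outlook.com", "p3@yahoo.co.uk",
               "p4@hotmail.co.uk", "p5@btinternet.com", "p6@icloud.com"],
        "attachments": [],
    },
    "contract": {
        "to": ["jane@client-a.com"],
        "cc": ["bob@client-b.com"],
        "attachments": ["contract.pdf"],
    },
    "internal": {"to": ["colleague@example.co.uk"], "cc": [], "attachments": ["notes.docx"]},
    "typo": {"to": ["finance@exmaple.co.uk"], "cc": [], "attachments": ["invoice.pdf"]},
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(f"{name}: {check_outbound(msg) or 'ok'}")
```

A check like this is only a prompt; it cannot know that `jane@client-a.com` was meant to be `jane@client-c.com`, which is why the paragraph is right that no system is 100% effective and why the warning should make the sender pause rather than silently block the message.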

 

[1] Based on BEIS, Business Population Estimates there were 5.7m SMEs in the UK in 2018