How as a Small Business We Became GDPR Compliant
By Tim Hughes | @Timothy_Hughes
There are a lot of articles on GDPR which you can find on Google. But not all of them agree. In fact, the confusion is tangible. Many people think they can sit out GDPR or it does not apply.
Bad move. As a lawyer friend of mine once said, “ignorance isn’t a defence in a court of law”. So here is how my business became GDPR compliant and what I, as CEO, have discovered on that journey.
For those of you who don’t know what GDPR is, it’s European legislation that covers data privacy. Having seen the number of data breaches recently it seems timely that we start being more responsible about data.
I, as a customer, want others to treat my data with respect. So as a business, it’s only fair we treat other people’s with the respect it deserves.
My GDPR journey
To explain, I’m the CEO of a small company, four people full time, with a total of 12 including Associates.
I went into the December board meeting expecting this to have been covered. In fact, I went into that meeting expecting to be able to put out a statement saying we were compliant.
It was agreed that we would take “baby steps”. After all, we all have day jobs.
The first thing we did was nominate a data officer. I’m a great believer in ownership and accountability. This person has delegated authority from me to implement what we need to be GDPR compliant. Either do the work or allocate the tasks. Either way, they are accountable to the board.
This role is required under GDPR regulations as an escalation point, by the way, so it seemed a good place to start.
The first thing this person did was actually take a step back and start at the bottom rung. Like most businesses, we handle personal information. After a few hours on the ICO (Information Commissioner’s Office) website they had a much better understanding of the obligations to be met under the Data Protection Act, and they registered the business.
They then conducted an audit: each system used by our business, who was the administrator, and who had access. They then moved on to ‘swap access’, moving anyone who had access through a personal email address onto an official email address.
This is a really good exercise in case people leave and we need to shut access or if we are acquired in the future.
Next we needed to understand whether anybody held personal data or customer data, such as passwords, and where it was held (it can now only be held on our shared drive). We have restricted who has access to different parts of the shared drive.
Working through the challenge of BYOD
We have also created a deck that we rolled out at an all hands call so people understood their responsibility. It’s critical in a world of BYOD (Bring Your Own Device) that people understand what is work and what is personal.
It is also critical for us that people understand their responsibility for all types of data and that they know who to ask if they have any questions about use of personal information.
It sounds draconian, but we took a register of all those that attended. Anybody who didn’t cannot work with the data – or will have to be trained.
All customer personal data not relating to a current program or contract has been deleted.
Contact me if you would like a copy of the deck: firstname.lastname@example.org
I’m pleased to say that from our January board meeting we are GDPR compliant!
Digital Leadership Associates: We are Global Social Media Management Consultancy. We do three things: Social Media Strategy, Social Selling and Social Media Management. Drop us an email or call one of our founders on 00 44 7823 534 557 and let’s talk about how we can make an impact on your organisation.