How should you manage GDPR on an ongoing basis?

GDPR is data protection’s biggest shake-up in 20 years. While putting control of their personal data back in consumers’ hands, the EU’s General Data Protection Regulation also gives regulators the power to levy hefty fines for serious leaks or misuse.

If you were compliant on day one, 25 May 2018, when GDPR became enforceable, congratulations, but don't sit back and breathe easy. Compliance is an ongoing process for even the smallest SME. Indeed, many SMEs are still in the process of becoming compliant. A study by the Data & Marketing Association found that in spring 2020 just 10% of UK SMBs were fully compliant, 25% were only in the early stages, and the remaining 65% were somewhere between halfway and three-quarters of the way there.

The rules may be less onerous if you have fewer than 250 employees (the duty to keep formal records of processing is relaxed for smaller organisations), but you're still obliged to handle data in a transparent manner, and to notify the ICO within 72 hours of becoming aware of a breach that is likely to pose a risk to individuals' rights and freedoms.

What does GDPR concern?

If the records you hold identify individuals, they're personal data, and subject to GDPR. Customer orders, personnel files and IP addresses gathered by your website all fall within its realm. Because such records accumulate over time, you'll need to regularly reassess your position to make sure you stay compliant.

Three years on from the regulation going live, you should now have published your privacy policy, removed any pre-checked marketing opt-ins from your web forms and ensured that anyone appearing on a third-party list you've purchased genuinely wants to hear from you.

There's no way around the first two requirements, but GDPR does offer legitimate interest as a lawful basis for processing, provided your interest isn't overridden by the interests or rights of the individual. This should cover processing that is part of an ongoing business relationship, such as updating personnel records or notifying customers of product recalls. Depending on the provenance of your lists, it may also justify sending new contacts relevant information, though bear in mind that unsolicited marketing by email or SMS is governed separately by PECR in the UK, which generally requires consent, so a lawful basis under GDPR alone does not make a purchased email list usable.

What it wouldn’t excuse is a data breach.

Responsible parties

To avoid buck passing on this account and help businesses understand where their responsibilities lie, GDPR defines two roles: data controllers, who determine what needs to be collected and how it's used, and data processors, who carry out the controllers' instructions. Supplementary to these, it also identifies data subjects, the individuals whose personal data is being gathered and stored.

If you're using a third-party newsletter distributor, hosted Exchange server, or cloud-based accounting system, you're one of the many SMEs that contract out part, or all, of their data processing role. This is perfectly acceptable if you're using an established service like Mailchimp or Office 365, since such providers publish data processing agreements setting out their obligations as a processor, including where data is stored and what they do with it. You still have to have that agreement in place, and to check that the locations and sub-processors it names are acceptable to you, because the responsibility for choosing a suitable processor remains yours as the controller.

But what if you also use an external bookkeeper or recruitment agency? As the data controller, it's your responsibility to make sure they were compliant when appointed, that a written contract covering their processing is in place (GDPR requires one), and that they stay compliant for as long as you carry on using them.

Don’t panic

Any SME that's a worthy custodian of its customers' data will now be aware of and compliant with GDPR, having done the work required, but it doesn't stop there. Staying within the bounds of GDPR is an ongoing process, requiring regular audits, comprehensive documentation of your data-handling practices, the maintenance of a privacy policy and designating a contact who can action subject access and erasure requests within the one-month deadline. The ICO offers a free advisory check-up service to assist with these things.

Still on a practical level, encrypting the personal data you hold is one of the security measures GDPR explicitly names as appropriate, and it has a direct bearing on breach handling: if a lost or stolen device is encrypted and the key is not on it, the data is unintelligible to whoever finds it, and you will generally not have to tell the affected individuals about the loss. Dell Endpoint Security Suite Enterprise offers policy-based protection for different types of data, allowing you to tailor your organisation's implementation to exactly meet its requirements. For smaller organisations, Dell Encryption Personal offers the same level of protection, but re-engineered for individual deployment. Safeguarding both the system drive and external media, it gives businesses reassurance that, wherever their employees are working, their customers' data is protected if a device goes missing. Note that disk encryption protects data at rest only; it does nothing against an attacker who gains access to a logged-in machine or a compromised account, so it complements, rather than replaces, access controls and patching.

Looking for servers, storage and network solutions that will help you stay GDPR compliant? Dell Technologies Advisors can help.