Still struggling with GDPR? Here are some tips for SMEs

29 Oct 2018

Privacy and data protection expert Barry Cook shares some useful advice for those still stumped by GDPR.

We have now crossed the 150-day mark of the European Union’s (EU) General Data Protection Regulation (GDPR) coming into force, and it seems anxieties are still prevalent across many of our industries, with recent business surveys revealing that up to 80pc of companies have not yet adhered to the GDPR baselines.

For businesses that operate within the EU or European Economic Area (EEA), or that employ or serve its citizens, the GDPR is a game-changer. It is legislation that has revised the regulatory benchmark upwards from the preceding Data Protection Directive, and that now binds enterprises, large and small, to a single rulebook.

Extent of GDPR is not yet understood

But it is clear that the extent of the GDPR, and how exactly it will affect business culture, costs and operations, is yet to be understood – particularly among start-ups and SMEs.

In short, businesses of all sizes are required to take steps, and recognise their obligations, in respect of the new legislation.

Despite claims to the contrary, this process doesn’t have to be costly – it simply requires an appraisal of your procedures and, where necessary, bringing them into line with the new baselines.

At VFS Global, we handle and process millions of visa applications and citizen service applications per year. So, achieving compliance ahead of the introduction of the GDPR was challenging – but we got there, and so can you.

Based off our experience, I have identified a number of areas below that businesses, large and small, should consider on their path to compliance.

Identifying the information you hold on data subjects

This is the primary and most important area of the GDPR, and affects all businesses. So, even if you’re just starting out, you should be aware that you’re now obligated to map out your interactions with clients and customers, and to identify their data trails in your systems. This data will often pass through numerous processes, so you need to be thorough in mapping your workflows.

By doing so, you’ll not only demonstrate your organisation’s compliance with the minimum baseline for this area, but also make sourcing the data in the event of a subject request a much simpler task.

It’s also important to include unstructured web data – such as social media posts, profile images of customers, IP addresses of their devices, their geographic locations etc – in your mapping, as this falls within the reach of the legislation.

This guide from the UK ICO should be useful in providing a structured approach towards identifying where data may be found in your systems.

Determining lawful basis for processing

One major impact for businesses in the European sphere is that the GDPR compels them to demonstrate a ‘lawful basis’ for processing a set of personal data. The most commonly aired basis is that of consent. However, consent can be withdrawn or not given. Therefore, careful consideration should be given to your business model when deciding on the lawful basis that you will use.

An easy way of determining consent is to apply a ‘need-want-drop’ filter across your activity.

If you ‘need’ the data for a business activity and can’t run the activity without it, then avoid consent and look to another lawful basis such as ‘performance of contract’. If you ‘want’ the data, perhaps for marketing, then consent is a suitable lawful basis. If, however, you have or want the personal data but you cannot identify a lawful basis for processing it, then you must ‘drop’ this data.

Adapting your business culture to achieve compliance

Organisational cultures will need to change as a result of the GDPR if enterprises are to avoid reputational damage and the financial costs associated with non-compliance. This should be a priority for all businesses, large and small, and will require developing a culture of transparency, both externally towards the client with respect to how their data is processed, and internally with staff, so that incidents with personal data are escalated and addressed as quickly as possible.

In short, you will need to produce clear, documented records about how you store, secure and process data through your systems, as well as the steps you have taken to improve data sourcing and handling. There are a number of useful guides, including this one by the ICO, which examine data storage and training opportunities for staff.

The right of ‘erasure’ for data subjects

The most commonly known aspect of the new GDPR is the liberty it provides to individuals and their rights with regard to personal data. One of these is the right of erasure – otherwise known as the right to be ‘forgotten’. And, since this needs to happen within a short timeframe, on receipt of a request, it is imperative that you know where data is stored in your processes, and that you have procedures in place to source and delete it, quickly and effectively.

A lot of business software does not support the selective deletion of data, so, as you prepare yourself for GDPR compliance, this is an opportune time to have a discussion with your IT staff and see if and how the right of erasure can be implemented in your organisation.

It may be that you’ll need to invest in this area and purchase products, or take steps internally, to develop automated workflows for triggering and confirming the erasure of data from multiple internal and external systems.

Illustrating how you store, safeguard and process employee data

The GDPR requires that consent is ‘freely’ given by data subjects. In short, this means where there is perceived to be an imbalance of power between the consenting party and the organisation, that consent will be deemed invalid – and, given the nature of employee-employer relationships, this would prove unworkable in some cases.

One such instance would be in the processing of employee financials, for payroll etc. Here, it is wholly reasonable for an employer to hold and process the data – and, accordingly, they should not have to establish ‘consent’ for each transaction. The same goes for processes that relate to the payment of statutory sick pay.

So, there are grey areas, and it is thought that most businesses will be able to demonstrate compliance, across these two instances, by citing ‘performance of contract’.

However, there are other areas that are better defined, and that will require your consideration. One is how you store and transport the personal information you hold on your existing and former employees, especially if you are using a third party for activities such as payroll.

Files containing the most sensitive data should be encrypted, as a rule, and it is important that all staff are informed of your procedures, your data retention periods and your purposes for holding their data.

You can read ICO-based information on the employee-employer element to the GDPR here.

By Barry Cook

Barry Cook, privacy and group data protection officer at VFS Global, is a renowned international cybersecurity and data protection expert with experience in sectors such as banking, pharma and aviation.