Get Cyber Savvy: GDPR and IT Security basics for SMEs
An overview of GDPR, IT security and tips on staying ‘hackless’ for small businesses.
As a small business owner, anything computer-related often can feel like a necessary evil — when they work, times are good, when something goes wrong, IT hardware and software can feel like a business-halting frustration. So here are some thoughts on how to sensibly plan ahead and deal with problems.
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the EU and EEA. It also covers personal data moving outside this area and supersedes the major data protection laws that came before it. It applies to enterprises of any size and aims to give individuals control over their personal data (no more selling of lists and bombardment of direct mail, thank you!). For SMEs this means having a plan in place to tackle the processing, storage, collection, protection and removal of personal data. Personally, I am eternally grateful that the Mailchimps and Hubspots of this world help to satisfy these demands, although they do not remove the responsibilities in law. To put the regulation in context for SMEs, here are five easy steps to help.
Step 1. Audit what data you have, where it is kept, decide whether you hold it as a data controller or processor, and decide whether you have a justifiable and legitimate reason for holding it.
Step 2. Analyse any areas of weakness and non-compliance in your data protection regime and plan out how you can address those areas of risk.
Step 3. Cleanse the data you have but don’t need. You may need to consider how statutory bodies require you to hold certain data (tax information, product certifications, HR files etc.), but cleanse anything you don’t need to keep.
Step 4. Protect the data you are keeping. The regulation requires ‘any entity which processes personal data to have in place robust and adequate security systems for protecting personal data, which are proportionate to the cost of such security and the nature of the data being processed.’ Do this and be able to demonstrate what you did.
Step 5. Continuous compliance. Embed the principles of GDPR in your business so that, if an investigation ever takes place, you can demonstrate how GDPR applies in your normal way of operating.
Finally, a note on Brexit — come December 2020, there will be a change, and the Information Commissioner’s Office will be responsible for keeping us up to date and in compliance from that point, so keep an eye out for updates.
IT security (for me, the protection of your business data across hardware and software, and the storage of and access to that data) means three things.
- Finding appropriate tools for your business. Look around and ask around. What do people running businesses like yours use, and are those tools cost effective and right for you? I use tools such as Mailchimp, Hubspot, OneDrive and Dropbox and they all have robust security which meets my needs. If I was running a listed company, I’d almost certainly want more.
- Back up your data. At some point, something will happen — you will be the victim of fraud, you will have your data compromised or similar — and the best thing to do is to ensure that you have up-to-date, recoverable backups of your data.
- Stay safe online. Be aware of the scams doing the rounds and remember that scams are becoming more convincing every day! Keep software and virus/malware checkers bang up to date with the latest versions. Change passwords regularly and make them hard to guess. Use multi-factor authentication whenever you can.
The changing regulatory environment around data protection, together with the changing software and hardware landscape, makes the challenge of running an SME while staying compliant very real. I hope the tips in this article have provided some helpful ways to approach data protection, for your sake and for your customers’. Stay safe!