As GDPR approaches on May 25th 2018, many small business owners appear to be burying their heads in the sand. Recent research by the FSB shows that 33% of small businesses are yet to begin preparations for GDPR, 35% are in the very early stages and just 8% have completed preparations. Gartner even goes so far as to predict that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.
It is too early to say which of those businesses can guarantee ongoing compliance once the deadline has passed. Some think the new regulation will not apply to them; others think they can wait until May to take action. Oddly enough, some even think that GDPR will not happen, or that the ICO will not follow through with its fines; they are wrong. GDPR applies to any organisation that processes the personal data of individuals in the EU, whether or not that organisation is itself based in the EU.
Companies must be able to demonstrate where their personal data came from, how they process it, and their legal basis for doing so. They must also meet strict requirements for reporting data breaches (notifiable breaches must be reported to the supervisory authority within 72 hours of becoming aware of them) and develop processes for honouring the right to erasure, better known as the right to be forgotten. None of this can be done reliably without first knowing what personal data you hold and where it lives, which is exactly what most companies cannot answer while they still manage data storage and flow in an unstructured way, relying on legacy infrastructure and static file servers that, unlike the Oxygen Digital Workplace, lack any kind of search or data indexing functionality.
Without exception, organisations must take steps towards compliance, or risk heavy fines. From May 25 2018 the GDPR's own penalty regime, enforced in the UK by the ICO, takes effect: companies that fail to comply could face fines of up to €20M or 4% of annual global turnover, whichever is higher.
While the threat of fines is real, logic suggests that the ICO will exercise some leniency in the beginning. Large, high-profile companies are obvious targets and may be used to set an example. But don't be surprised if the ICO also singles out some smaller businesses that have taken a devil-may-care approach to GDPR.
What is certain is that it's time to act, and not solely to avoid fines: GDPR is much needed and positive. Yes, it creates additional work for the companies required to comply, but as individuals we should all welcome GDPR modernising the way our data is collected, held and processed in the digital world. Ultimately, information security is key, and GDPR is one step towards bringing certain companies into line and away from their dubious practices.
However, GDPR doesn’t need to be complicated, especially for small businesses. By now, we’ve all seen the ICO’s 12-step guide for compliance and that’s a great place to start.
Users of Microsoft Office 365 can use Microsoft's free Compliance Manager tool to track their GDPR compliance; the ISAAC team can explain its features and benefits and help implement it. Or you can go a step further with Oxygen Compliance Guardian, an automated tool that connects to your (multiple) data sources and applies pre-set rules so that, once you have achieved compliance, you stay compliant: it raises automated breach notifications and can delete, redact or anonymise data as those rules require. One caveat worth keeping in mind when relying on such rules: only data that is truly anonymised, so that an individual can no longer be identified, falls outside GDPR; data that has merely been pseudonymised (for example, with names replaced by reference codes held elsewhere) is still personal data and still has to be protected.
ISAAC creates Digital Workplaces that manage everything from processes to people. The Oxygen application suite for Office 365 and SharePoint Online is an intuitive, secure and scalable way to modernise how you manage information, from where it is stored to how it is organised. Our approach is simple: human-centric applications, customised to suit your business, workflows and processes. Oxygen is today's Digital Workplace, built into the Microsoft Office 365 cloud, providing a cost-effective, scalable and secure environment in which to manage, share and collaborate.