GDPR was data protection’s biggest shake-up in 20 years. While putting control of their personal data back in consumers’ hands, the EU’s General Data Protection Regulation also gave regulators the power to levy hefty fines for serious leaks or misuse.

If you were compliant on day one, congratulations – but don’t sit back and breathe easy. Compliance is an ongoing process for even the smallest SME. The rules may be less onerous if you have fewer than 250 employees but you’re still obliged to handle data in a transparent manner, and notify the ICO if you suffer a breach that could pose a threat to a citizen’s rights and freedoms.


What does GDPR concern?

If the records you hold identify individuals, they’re personal – and subject to GDPR. Customer orders, personnel files, and IP addresses gathered by your website all fall within its realm and, as such records accumulate over time, you’ll need to regularly reassess your position to make sure you stay legal.

Almost six months on from implementation, you should already have published your privacy policy, removed any pre-checked marketing opt-ins from your web forms and, for the most part, made sure that subjects appearing on any third-party lists you’ve bought really are happy to hear from you.

There’s no way around the first two requirements, but GDPR does permit the defence of legitimate interest. This allows you to process data as part of an ongoing business transaction, so should cover updating personnel records or notifying customers of product recalls. Depending on the provenance of your lists, it may also justify sending new contacts relevant information.

What it wouldn’t excuse is a data breach.

Responsible parties

To avoid buck passing on this account, and help businesses understand where their responsibilities lie, GDPR defines two new entities: data controllers, who determine what needs to be collected and how it’s used, and data processors, who carry out the controllers’ wishes. Supplementary to these, it also identifies data subjects, which are the EU citizens whose credentials are being gathered and stored.

If you’re using a third-party newsletter distributor, hosted Exchange server, or cloud-based accounting system, you’re one of the many SMEs that contract out part – or all – of their data processing role. This is perfectly acceptable if you’re using a reputable service like Mailchimp or Office 365, as you can be sure that the “processor” is complying with their obligations to track where the data is coming from and record how it’s being used.

But what if you also use an external bookkeeper or recruitment agency? As the data controller, it’s your responsibility to make sure they were legal when appointed – and that they stay that way for as long as you carry on using them.

Don’t panic

Any SME that’s a worthy custodian of its customers’ data will already have done much of the work required – but it doesn’t stop there. Staying within the bounds of GDPR is an ongoing process, requiring regular audits, comprehensive documentation of your data-handling practices, the maintenance of a privacy policy, and designating a contact who can action any removal requests.

On a more practical level, encrypting third-party personal data is a must. Dell Endpoint Security Suite Enterprise offers policy-based protection for different types of data, allowing you to tailor your organisation’s implementation to exactly meet its requirements. For smaller organisations, Dell Encryption Personal offers the same level of protection, but re-engineered for individual deployment. Safeguarding both the system drive and external media, it gives businesses peace of mind that, wherever their employees are working, their customers’ data is safe.

Explore Dell’s dedicated Data Security hub to learn how you can best protect your data, prevent threats and manage endpoints throughout your organisation – and stay on the road to GDPR compliance.