Addressing SME GDPR Misperceptions
With the biggest upheaval in data protection regulation due to come into force in a matter of weeks, it is a concern that so many organisations – typically smaller companies – are not prepared. From a lack of awareness of the new customer data rights to the business implications of failure to comply and a mistaken belief that GDPR only affects marketing, Mike Cockfield, Managing Director at Khaos Cloud, explains the vulnerabilities that will be exposed in spreadsheet-based data sources.
GDPR does not just affect Marketing
For those organisations that are aware of GDPR, and among small businesses they are in the minority, far too much focus is being placed on the marketing aspects of GDPR. Businesses are worrying about double opt-in requirements and making landing page changes in a bid to safeguard valuable customer and prospect mailing lists. But GDPR has an impact far beyond marketing: customer information is collected at every stage of the process, from sales to delivery and invoicing.
The truth is that GDPR compliance responsibility should actually fall to an individual without any vested interest in the data. While smaller companies are not required to appoint a Data Protection Officer (DPO), it is recommended that an individual outside of sales, marketing or customer service handles compliance.
Companies need to stop labelling GDPR a marketing problem and recognise its operational significance.
There are a number of different aspects of GDPR that will cause huge problems for organisations reliant upon spreadsheets to record customer information. From the right to be informed to the right to access and the right to rectification, how can an organisation confidently respond to new customer rights under GDPR, when data is located across several spreadsheets?
Furthermore, this information needs to be provided electronically and within 28 days – what is the plan for locating and sharing this information and, critically, how confident is the business that every piece of data relating to that customer has been located?
Without systematically organised data, this is going to be tough. Even at the most basic level of compliance, if a customer requests to be deleted from a mailing list, it is not enough just to take the name off the spreadsheet. To meet GDPR requirements, the business must also be able to demonstrate a robust audit trail, and that includes an entry on the system that records why the customer has been deleted, by whom and when. Furthermore, it is essential to ensure that this audit information cannot subsequently be altered.
Customers will also be able to request information about how their information is being used: what automated processes are being run and how are profiling decisions being made? An organisation unable to respond to such requests will be wide open to both customer complaint and regulatory non-compliance. GDPR compliance requires a systematic approach to data management plus clear process documentation.
Financial Data Requirements do not Trump GDPR
It is easy to assume that HMRC’s requirements for the seven-year retention of financial information automatically out-rank any European customer data requirements. But that is simply not true. Yes, financial data needs to be retained even if a customer has enforced the right to be forgotten; but it must be anonymised.
What is the business’s process for anonymising data, from delivery notes to invoices? How will it ensure none of this information is included in business reports, such as sales trends based on postcode analysis? Whilst it is possible to label a spreadsheet column ‘do not process’ and build in relevant macros, this is not a sustainable, long-term model. If the business is being audited as a result of a breach or customer complaint, the regulator will have concerns about such an ad hoc approach.
In contrast, a robust ERP solution should automate the entire process - from anonymising data to ensuring sales reports automatically enforce GDPR processes.
While GDPR builds on existing data protection legislation, the new scale of fines and the level of personal liability raise the stakes. Can any small business afford a fine in the region of 4% of turnover? GDPR affects businesses of any size – without the ability to anonymise data, to prevent data from being processed, and to demonstrate how automated processes are being run, the potential business risks are unthinkable.