With less than 3 months until the new EU data protection law, the General Data Protection Regulation (GDPR), becomes enforceable across European Union countries, I have noticed that most of the available material focuses on the race to compliance and what organisations need to do. Good as these have been, as a consultant (www.the-administrator.org) I know from my conversations with SME organisations, especially the not-for-profits, that many are concerned about the whole GDPR business, particularly about meeting the compliance deadline or at least working towards it. One can argue that they should have been getting ready during the nearly two years of grace, but if you understand this sector (not-for-profit) in particular, you will realise that such organisations are mostly administered and managed on a shoestring budget with volunteer personnel.
The main concern they have is primarily what is required to be compliant: data discovery, mapping, sorting, categorising, deleting, storing, and all the new Data Subject rights, etc. Again, while one can argue that this should have been part of their operational ethos all along, the fact is that many organisations out there cannot boast of a “clean house” as far as their data is concerned, especially when measured against the GDPR regulations and expectations – and I am talking of big and large organisations too. It is no surprise that the number of GDPR-related job vacancies is very high, because many organisations are in the same boat as these small and medium-sized companies, especially the charities and other not-for-profits.
However, what has compounded this concern for the SMEs is twofold. First, there are no quick-fix solutions out there to get them ready for the deadline. Most of the tools on the market which are being touted are not primarily tailored to GDPR compliance. Most of them are primarily based around:
- Data security
- Malware threat resistance
- Server activities monitoring
- Monitoring of interactions of other software on the servers and their impacts on the core business
- Cyber security
- Risk Management & Reporting
While all of these are part of what GDPR compliance requires, they are not entirely devoted to, or aimed at, speeding up the process of compliance, especially for SMEs.
The second, and maybe equal, problem facing the SMEs is the financial implication of these tools. They are mostly capital intensive – cloud-based servers, for example – and such investment cannot be justified by the smaller companies without a potentially bigger financial burden for them. For instance, a church with an average membership of 300 and an annual gross income of £75,000 will never be able to afford Cisco, IBM or any other major provider of the hardware and software needed for a GDPR compliance operation. Even where such cost is amortised, the financial burden will still outweigh the potential benefits to these organisations.
So, the questions are:
- Is there anything out in the market that can aid these SMEs in managing the GDPR compliance process?
- Is there software that can be deployed to assist with:
  - Data identification, gathering and sorting?
  - Data mapping or data flow?
- Is there software that will provide templates for:
  - Gap analysis questionnaires
  - Different policies that are easily editable to suit different organisations
  - Vendor or 3rd-party risk-assessment questionnaires, etc.
- Is there a simple stand-alone database software that can be easily and quickly deployed to handle all the data for onward in-house management?
- Cost – is there anything available that provides all these benefits at a reasonable cost to the SMEs?
I realise the ICO’s website has a wealth of information and ideas on what to do and how to do it, but ultimately these SMEs are still left grappling with a manual rather than automated system, which may not put them in a compliant state come May 25th 2018. While it will get them on the way, the danger is that most organisations will abandon the process once the date has come and gone, which is not what is required or expected of them, especially when they can only rely on volunteers to come in and perform these tasks for them. In summary, how can a manual process that can take between 3 – 6 months be speeded up via automation and completed in a fraction of this time?
Just my thought!