Comms Business Magazine talks Andrew Stellakis, Managing Director of Lancaster based IT services company Q2Q about the opportunity that the GDPR affords businesses, the overlooked potential for compliance breaches and his Top Five GDPR tips.
Most SMEs are worried or indifferent about impending GDPR according to recent research commissioned by North West IT specialist and reseller Q2Q IT.
Comms Business Magazine (CBM): Why should businesses be embracing GDPR as an opportunity to make their data processes safer?
Andrew Stellakis (AS): Think about the way in which data is used, especially in marketing. Getting messages to customers and prospects involves volume and a lot of effort goes in to a scatter gun method such as email messaging. You are sending the same message to the same people which means you have a lot of data on people that you only HOPE to deal with one day but are unlikely to do so.
A benefit of the GDPR is cull that data base to just all the ‘opt ins’. You then have an asset which is a value to you. It means you can talk to these opt in users in a more structured way as this sub set of people are interested in ‘subject x’ That means you can confidently talk to them about subject x. You can have an honest reflection on the data base is and what its real value is to you. Before you know it you’ll get a real tight sub set of people you can talk to. Ongoing effort reduces volumes and the overall cost reduces making that effort far more rewarding.
We have carried out a lot of audits for companies where we encounter push backs from marketing staff that don’t always get this. They panic at the thought of the size of their database shrinking - typically by a third. However, when you look at the existing processes their marketing is a scatter gun and GDPR makes that a legal problem for the company.
CBM: DO you have examples of potential GDPR-breaching practices that companies might have overlooked?
(AS) The audits we undertake for clients are very enlightening. It’s not all about the marketing as often their GDPR exposure will come from their own staff. For example, keeping time and attendance records, details on staff medical checks for hearing and sight etc. Organisations must consider how they look after that data, how long should they retain staff records for as it is potentially high risk data.
Sensitive company data includes trade union membership - and non-membership and all data in that category must be processed in a manner to maintain security which in turn means keeping operating systems and firewalls up to date.
The top mistake we encounter is transferring sensitive data in an insecure way. For example, outsourcing the payroll. Here we see names, addresses, National Insurance contributions, and tax details all being sent outside the company via a standard email on a Excel spreadsheet – a violation of principle six of the GDPR. If you got email virus or sent it to the wrong person all that sensitive personal data is out in the wild and represent a big data exposure. Excel is the most common way of storing data – exported from £million ERP solutions so users must be aware of the dangers and not just sitting behind all the passwords you had to have in place to access that data.
Don’t forget, if you are unable to secure your data, and hold it for six years nor recover it – then that’s another breach.
CBM: So, what are your top tips for ongoing GDPR compliance?
- Make sure you are top of your operating systems and software updates.
- Antivirus – always run it and keep it up to date – this is not rocket science
- Be mindful of data stored on Excel – encrypt the spreadsheet before sharing it around the business.
- Operate on a lowest privilege first basis. Be especially careful of staff that move departments; say from account to sales. The more access some has the greater the risk.
- Understand where all the personal data in a business resides and then secure it.