GDPR preparation: Top tips from businesses and what you need to do now

With the implementation of the General Data Protection Regulation (GDPR) only a few weeks away, businesses such as yours are waking up to the fact that they need to make changes to their processes.

As a business owner, it’s likely that your firm will store a lot of personal data, be it from your customers or employees, so you will need to put a GDPR preparation plan in place and change the way you process and store it.

As businesses prepare for the GDPR, we asked a selection of our Sage Business Experts – business owners, accountants and entrepreneurs – to reveal what steps they are taking to get their firms ready for the new legislation.

Meet the experts

Antonia Chitty is an author and entrepreneur, Alison Parsons is an accountant at accountancy firm Albert Goodman, Keith Tully is a partner at Real Business Rescue, Steve Johnson is the owner of Graphite Web Solutions, and Nicky Larkin is the managing director and founder of Goringe Accountants.

Here’s what they had to say and here’s their advice that will help you in your bid to be GDPR compliant.

On the topic of GDPR preparation, what steps is your business taking to get ready for it?

Antonia Chitty: “We have been looking at how we hold data, the contracts we have with suppliers who might handle data, and the privacy policy on the websites we run.”

Alison Parsons: “Internally, we have been working on this for some time, with dedicated staff taking charge of the process. With a lot of clients in our client base, we had to start early, especially where client response is required, for example on marketing preferences.

“Externally, we have been posting on social media and forwarding on relevant sensible advice from other LinkedIn contributors. We have also joined with other local professional firms to host free events for local businesses.”

Keith Tully: “We have created a steering group/committee that includes senior management, legal, various team leaders and appointed an information security officer to take the business through the GDPR process. The group/committee will be responsible for identifying the risks within the various parts of the practice that include IT, HR, marketing and, of course, the client side.

“The outcome of the findings will determine what actions are taken, be they through the implementation of new IT software, policy creation or education. GDPR also runs very closely alongside cyber security, which is a very big topic, so we are looking at both of these together.”

Steve Johnson: “As a web agency, Graphite Web Solutions was already aware of data protection requirements and has been preparing for the new rules since late 2017. The steps we have taken are:

• Preparing those on our mailing lists for GDPR using our weekly hints and tips email marketing from January 2018.

• Reviewed existing customer information we hold and existing documentation for control of that information and updated the process to meet the new requirements.

• Advised those on our mailing lists that we will be removing them from our list and will be asking them to review and accept our data protection policy if they wish to be added to our new GDPR ready mailing list – this will be completed by the end of April.

• Prepared information for all our paying clients to email them individually to advise them on the info we will hold and retain for six years for accounting purposes.

• Developing a support package for our website clients to help them with their compliance should they need our support.

• Liaising with Adobe Business Catalyst who own the content management software we use, including the email marketing, as they will be ensuring they are GDPR compliant.

“Finally, we are keeping up to date by watching GDPR webinars and attending events to ensure we are covering everything.”

Nicky Larkin: “We have had GDPR on our compliance roadmap for quite a few months. We looked at some of the basic requirements and saw that to make sure we were properly compliant, we wouldn’t have the bandwidth to do it, so we assigned a project manager within our team to own it.

“We also decided to appoint external consultants Libreea to assist us with it. We started off with a scoping exercise with Libreea to see what the current state of play was and to see where we already had things in place and where we had some gaps, so we could roadmap ourselves to make sure we’re compliant in time.

“And on that roadmap, we’re putting in place a project plan to make sure everything gets completed by the deadline.”

What challenges is your business facing with GDPR and how are you solving them?

Antonia Chitty: “I think the key challenge has been taking on board the information: there are almost too many articles out there trying to hold the key to what each business does and it’s easy to get overwhelmed. In fact, it was less complex than it at first appeared.”

Alison Parsons: “Careful planning ahead is a great help but we also needed to ensure that all our own staff understood the key principles, so they could raise awareness with their clients and the wider business community in good time.

“We are still finding some businesses don’t appreciate that the changes don’t just apply to larger businesses – everyone needs to take a look at the basic guidance from the ICO and assess what actions they need to take as soon as possible. They have some really simple free guides to get your business on the right track.”

Keith Tully: “GDPR along with cyber security will no doubt throw many businesses into a panic, especially if nothing has been done at this stage being so close to 25 May. I suppose the obvious answer would be the audit of data that is held by each business.

“Of course, this would be relative to that particular business depending on the size and structure but then there is the added issue of possible extra financial outlay for resources, which will be a big factor for many but our main concern will be the cultural changes that need to be made to current working practices.

“There needs to be a clear understanding across the business of what GDPR is and the changes that it will bring. We will be rolling out workshops and other training materials that will help people understand GDPR, the adjustments that will be made and how each person can help the business to ensure we are compliant. In short, education.”

Steve Johnson: “The main challenge internally is the review of our existing process to ensure it is up to date. While introducing GDPR may reduce the number of businesses we market to, it is actually a good thing as we don’t want to pester businesses with marketing that don’t want to receive it – much better to be marketing to a smaller list who may be interested than a large list who are not interested.

Nicky Larkin: “Externally, the main challenge is helping our clients understand what they need to do to be GDPR ready. By explaining to them what info we hold about them, and how we will control it, will help them understand the new rules more. This is key as we help our clients with their marketing and hence are taking responsibility to ensure they are GDPR compliant.

“The challenge is ensuring we cover all of the numerous industries in which our clients operate as well as their customer base and how they interact. As we know our clients well, we can help ensure they are compliant.”

“There’s a number of challenges with GDPR. The first is because it’s a new requirement, we need to make sure that we know exactly what is required and we’re working with people who deal with and understand what is required from the new legislation.

“The second challenge is we’ve got lots of other compliance requirements that we’ve always had as an accountancy practice, so all projects are competing for time. That means need to make sure we have adequate time to make sure we can implement the GDPR properly.

“Thirdly is the challenge of finding the right resource and dealing with the cost – whether it’s done internally or externally, it’s still an investment to do this.”

What one piece of advice would you give to businesses that are struggling with their GDPR preparations?

Antonia Chitty: “Go to the ICO and read their checklist, then work through it.”

Alison Parsons: “Don’t wait! If you haven’t started preparing, check the ICO’s 12-step guide, detailing the rights that every individual will have under the new regulations. The new rules will come into force this May and while fines may not necessarily always be imposed, the potential reputational damage to your business from being found in breach of the regulations may prove a much bigger incentive for compliance in the long term.”

Keith Tully: “Don’t panic. There is a wealth of information to help you and your business prepare, much of which is completely free. Each business is different and there isn’t a one-size-fits-all solution, so a good start would be to research what you need to do now.

“The ICO website is a great place to start; it has in-depth information and numerous tools to help you on your way. Also speak to your legal representation – they will be able to help you with policies and ensure you are compliant from a legal standing. The main thing is to act now and demonstrate that you are actively doing something.”

Steve Johnson: “Don’t panic but also don’t ignore it. There is plenty of information out there on the internet – probably too much so. The ICO website has a great checklist for data controllers that should help businesses step through the questions you need to consider. Note, you don’t need to have a data controller post, just someone who is responsible for the personal data your company holds.”

Nicky Larkin: “To my clients, there are two things that I’ve been recommending. Firstly, check to see if they are part of a professional body or a sector body. For example, the National Hairdressers’ Federation has got a really good GDPR roadmap for hairdressers. Check with them to see if they’ve got some good shortcuts for your particular sector.

“And the second: if you realise GDPR is going to be a big requirement for your business – and obviously it’s tight now because of the deadline – use an external consultant. Somebody who knows what they’re doing so you do become compliant in the time.

“Use it as an investment, then use it as an extra thing when you’re selling, trying in some way to get money back from it, showing that you are professional and compliant. And being compliant means you are able to sleep at night.”

What GDPR preparation plans have you got in place for your business and how are things coming along? Let us know in the comments below.