

Most of my clients are small organisations. This stands to reason, as larger organisations are more likely to have in-house data protection expertise in one form or another. For small organisations, compliance can look terrifying - especially for those who have never formally done anything on data protection.
It can seem like there is a mountain to climb of paperwork and baffling terminology. Some look to the ICO website for help, see their accountability framework, and need a lie down (or a gin).
But it doesn’t have to be like this.
Scaling compliance to fit the organisation is very doable. Yes, there are some essentials you need, but they don’t have to be complicated and you don’t need to buy expensive software.
The hardest part is getting started. But even that is manageable by taking it one step at a time, and by leaning on your outsourced expertise to help you with the heavy lifting.
I find one of the first steps is always the data inventory (the record of processing activities, in GDPR speak). For me it’s the foundation stone of your compliance efforts and can work hard for you, multi-tasking to identify and cover a range of compliance requirements.
It’s often seen as a time-consuming paperwork burden. And it can be. But it mostly boils down to:
what data have you got?
what are you doing with it?
where does it live?
who else has it?
I have found the best way to manage this process in small organisations is to have a series of conversations with people from the different parts of the organisation. They tell me about what happens in their area, and I piece it all together like a jigsaw. I put it into a spreadsheet, and they check its accuracy. Very manageable and generally only needs an hour from each person.
Another way to scale compliance is to be realistic about what documents, policies and processes you need. Larger organisations and multinationals tend to have a dizzying array of compliance documents, but that often just isn’t necessary in smaller organisations. Policies and processes don’t need to be long and complicated.
Any compliance-related document will only work if people read it, use it and it achieves its intended outcome. Documents such as:
top ten tips for handling personal information;
dos and don’ts to keep information secure; or
checklist for handling requests from individuals;
can provide what your staff need to know on the key topics that matter.
You also don’t need to bring in a raft of new processes - I have found it far more useful to work with organisations to look at what they already do, and the ways they currently work, and slot in compliance-related points along the way.
For example, one small charity client I had needed a way to catch any new or different activities involving personal information, as the starting point for their risk assessment and compliance processes. They could have looked at a form for people to fill in, with an approval process. Or required staff to do a light impact assessment to see if more was needed. But these were never going to work as they would just add a paperwork burden to already-stretched staff. In the end, the most pragmatic and realistic approach was to add a fixed agenda item to the weekly team meeting for people to share news and ideas. It was then very easy to decide who needed to do what to move it forward, including to build in relevant compliance.
Another client was building an online platform, with different products and features. They needed to make sure that whatever they built, they could accommodate different compliance requirements, as well as user requests to make changes or delete their account. I worked with them to produce a development checklist, using the software and processes they already had, so that the compliance requirements were part of the baseline specs the dev team followed.
Ultimately, scaling compliance means making the legal requirements work for the organisation’s size, resources and risk appetite. And it’s not just about helping them set up their governance, but setting it up so they can easily manage it by themselves.
I have worked with a range of small organisations - some were charities, some start-ups, some SMEs. The smallest was a two-person start-up where data protection compliance was one of a long list of things that the two co-founders had to deal with. In all cases scaling compliance to fit them required creativity and innovative thinking. Even after 19 years in this field, there’s always more to learn and improve!
If you are a small organisation struggling to scale compliance, or perhaps struggling to even get started, get in touch, and let’s get you sorted.