Many of our customers are similar, fast-scaling SMEs. Many are in the tech sector as well. Reflecting on attaining ‘readiness’, we thought we’d share our thoughts and experience of the good and bad points of recent ISO27001 and GDPR processes we’ve undergone. First, some fun!
You’ve read 5000 thousand GDPR emails. (And received 20,000) So, what did GDPR mean for you?
The GDPR part of the process wasn’t that painful. Well, maybe a little. We approached it with a ‘treat others’ data how we’d like our own to be managed‘ approach. We think that’s the spirit of the regulations anyway.
Our sales and marketing team are happy enough that the mailing lists are lighter and filled with more engaged leads. We shed some unnecessary and, no doubt outdated, contacts.
As an HR software solutions provider, we have to do a lot more than comply with GPDR. We’ve been preparing for an audit on the latest, enhanced IS27001 Information Security standards too. A lot of this standard overlaps with ISO 9001 in terms of physical infrastructure. It’s quite a heavyweight process and requires a lot of time and resources throughout the organisation. ISO 27001 covers GDPR – and beyond – too, so it was quite intensive at times.
One of the most interesting aspects of recent compliance obligations was reviewing our internal systems.
We have an agile approach and found ourselves considering a consolidation of our ‘stack‘ of systems – that allows easy and fast swapping in and out of tools we need – to (pricy) Solutions that encompassed wider functions and ‘silos‘ in the business. Made sense in many ways but these catch-all solutions are often a little half-baked in some respects. We had to be strict with ourselves and not stray too far from our original philosophies and culture embedded in the company.
We had to look deep and address all the supplier credibility and compliance standards required without compromising our levels of productivity and service delivery. We’re in the BizSpark Microsoft Azure program, so their ISO status is clear and complete. Peripheral tools needed some closer examination.
We’ve found that what you need to do is simplify systems rather than consolidate them. By that we mean, be aware of what data you hold and where.
So if you need to fulfil a data request, for example, you can access information rapidly and easily. And can trim it down or delete it diligently if required without worrying about whether you have left an instance of data in one system or the other. It doesn’t necessarily all have to live in ‘one bucket‘ if that compromises your wider purpose.
The influx of new customer enquiries about GDPR was quite considerable. Some prospects we met looked like they’d been chased by zombies they were so bewildered by it all. We noted that the level of public awareness was very low and in some cases panic and misinformation very high. Unnecessarily so.
There were a lot of sharks selling fear and the wrong information out there. Still are.
Like many, we attended numerous courses, seminars and events, engaged consultants etc. And like many, we found that consistency in information was low.
We found it unsettling that many of our customers were diverted from doing what they do best and no doubt saw productivity levels drop. Many had not budgeted – and could not have – for this process.
We don’t like to sell on fear, so we didn’t capitalise on terrorising clients into buying systems they were unsure were fit for purpose or not. Or affordable. Many prospects who approached us in the last few months needed a hug and a cup of tea more than another sales pitch.
Compliance has its place and is completely necessary for many industries, such as our own. But we were staggered at the low level of consistent, clear communication of information – and feel for many small business owners.
GDPR was/is probably the first big compliance obligation to hit every business. But is this level of restriction overly prohibitive? Are these regulations designed to protect the big boys and snuff out the fire of the excellent disruptors we see creating fantastic new products with radical new thinking?
There’s certainly an element of that it appears. Maybe not with GDPR, but certainly with more comprehensive standards such as ISO. Some early-stage companies will struggle with the extra obligations and costs required to compete.
The process itself or the policies you then need to follow are not the time-sucking, expensive part so much. The requirement to use systems that are of a higher standard is though, as these are usually a lot more expensive.
So you need to tweak a few things here and there to comply – but suddenly all your suppliers need to have this higher level cert or that accreditation. Which all adds up for startups and small teams.
If you’re still not ready, the key is to not panic. Step back and be objective:
The world didn’t end at midnight in the year 2000. It won’t end on May 25th 2018 either*. (We hope! If it does, it’ll probably be more Global Defence Posture realignment-related than General Data Protection Regulation causation.)
So. Stay calm. Keep perspective. Don’t get too distracted. Be aware of being mislead. Treat others as you’d expect yourself. Keep it simple!