More and more I'm being exposed to the challenges that small businesses face with GDPR compliance.
Commonalities are that:
- They are using a LOT of cloud services which do not have GDPR-friendly approaches to privacy. One example is a headhunter which is using a service for their candidates; because they are small, they are not given the option to choose where personal data is stored. In fact, in general, small controllers are at the mercy of the processor.
- Small businesses are not following industry best practices, e.g. ITIL, ISO 27x. This is not their fault; they probably haven't had exposure to the benefits, only to the associated costs. As a sidebar, this is a great place to start on your compliance journey, and no GDPR experts needed!
- Due to the fact that a single individual may be doing the job of more than one person, business functions are not well defined, and hence neither are business processes. A business function will often contain more than a single process, which means no ownership is assigned to the personal data collected by a business process, because there is no business process owner.
There are loads more; I'll post again on this 😉