As a small business, it’s easy to fall into the trap of not documenting your privacy-related efforts and activities. We get caught up in the day-to-day running of things, and documentation is really the last thing on our minds. It is, however, vital to your efforts – because if anything goes wrong, you’ll need to show proof of what you have done to protect data.
If it doesn’t apply, document it anyway
In my lectures, I teach students that they should state that something doesn’t apply rather than leaving it out. For example, I would ask for a PESTLE analysis in an assignment. This consists of analysing a situation under six headings – Political, Economic, Social, Technological, Legal, and Environmental. In some instances, students would analyse situations where a couple of the headings didn’t apply, and often they would leave them out entirely. To me as a lecturer and marker, this comes across as parts of the analysis being left out, and therefore incomplete, rather than as the student’s intended approach. If a part of the analysis is not applicable, the student simply needs to keep the heading in and state that it didn’t apply.
The same applies to privacy. The laws state that you should do what is “reasonably practicable”, meaning that there are things you can exclude from your privacy efforts – but you need to document why you’re excluding them. The regulator is in the same situation as the marker of a paper: they do not have the context of why you didn’t do something, so you need to be clear and explain yourself in a body of evidence.
Keep operating procedures
In a previous post, I mentioned the importance of Standard Operating Procedures – SOPs – in your business. I cannot stress enough how vital these are to your privacy exercises. If you don’t have a documented process, you are working in the dark as to how data flows through your business, and you have nothing to fall back on should something go wrong. Think about the consequences of a breach and how you would explain yourself to the regulator; “I don’t know where this happened” is a much weaker argument than “this should never have happened, here is our process”.
Map your data and systems
Having lived through a breach in a past lifetime, I know for a fact that you need to know what data is where within your organisation. Figuring this out after the fact is not just a nightmare, it is a REALLY EXPENSIVE nightmare. Forensic investigations don’t come cheap, and in a matter of days can exceed tens of thousands of dollars / hundreds of thousands of rands. Knowing where and how things are stored in your organisation gives you the comfort of knowing that you can manage the fallout in the case of an incident.
If you know what has been taken and who it belongs to, you can more easily contain the situation and only notify the customers that were affected. If you cannot work out whose data was taken, you’ll need to notify your entire client base – something that can ruin your reputation and your business.
It’s just good practice
The above, while related to data privacy, is really just good business practice. If you have SOPs, maps of your data, and protection in place, you are doing good business and should be applauded. Compliance is an effect of this, but the benefits are so much broader. Getting there can also be a daunting task, particularly if you have been running for a while, in which case it may be in your favour to bring in a consultant to assist. How do you eat an elephant? One bite at a time.
Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers?