How can SMEs best manage and adhere to data protection regulations?
Wayne Sedice, Strategic BI Consultant, PBT Group
For any SME, the starting point of a data protection strategy is understanding the general regulatory framework applicable to it. As this may differ per country, the SME must identify the general compliance measures pertinent to the geographic location where its business is located, and must also have regard to any industry-specific requirements which may supersede the more general ones.
Only once that is done can the data strategy be developed. For larger companies, data protection typically forms part of a greater enterprise data strategy, while smaller entities would, as a minimum, seek to adopt and implement a data protection policy and adhere to the prescribed compliance standards. A key part of an SME’s strategy is to consider the various avenues of support best suited to its available resources and strategic direction when it comes to data management and protection.
In South Africa the Protection of Personal Information Act, 2013 (POPIA) has a defined list of eight processing conditions that companies must adhere to. Each of these reflects certain guidelines and requirements. For example, within POPIA there is a ‘Further Processing Limitation’ condition that ensures information collected from a data subject is used for a specific purpose, not for ancillary reasons unrelated to the original purpose for which the information was collected. So, if an SME intends to use personal information to upsell to clients, this intent must be reflected (with a clearly stated opt-in or opt-out election) when the information is collected during the original request stage. These eight processing conditions cannot be disregarded and must be front of mind when developing the broader data strategy.
When the strategy and policy have been developed, implementation should become the SME’s highest priority. Change management becomes critical in this regard, especially when it comes to the business creating a data-driven culture. This is where role players in the organisation should take ownership of data initiatives, ensure the integrity of the data and support the organisation in deriving value from the data.
Unfortunately, many companies still struggle to appreciate the importance of establishing a data culture and fall short of embedding it within their data protection approaches. A mindset change is the most fundamental part of effectively managing data protection for an SME. It is one thing to understand the regulatory framework, to know how the company should adapt to protecting data, and to select the correct toolsets to enable this. But if there is no buy-in from both management and colleagues, then the necessary level of protection will not be attainable.
These recommendations take into account extensive feedback from several sources, ranging from heads of data governance to business analysts. They reflect the practical realities facing SMEs today that want to keep in line with evolving data protection regulation.