
GDPR Compliance, What the Heck is it and Should you really Care?

Updated: Jan 22, 2023


GDPR, Compliance,GDPR CONSULTANCY, GDPR IT Security Policy, FREE GDPR, COMPLEMENTARY GDPR, GDPR for Small Business, GDPR for SMB, GDPR Blog, GDPR Consultant

With a little less than a month to go until the EU's GDPR, a far stronger successor to the Data Protection Act already in place, becomes law, small businesses (SMBs), unlike the large businesses that already have systems in place, are doing everything they can to be compliant. But this also means third parties are trying to exploit firms' vulnerable positions, offering to make them completely compliant by May 25th 2018.

Am I going to be Audited for GDPR?

Of course, the ICO may audit Small Businesses' compliance, and certainly will in the case of a breach, so it pays to be able to demonstrate that you abide by the legislation. So, the question becomes, how can you do this?


How can you establish GDPR compliance in your Organization?

There are a few different forms of proof Small Businesses can offer the ICO. These must all exhibit:

- Internal security policies and procedures that comply with the GDPR's core requirements
- Proof that those policies and processes have been implemented in the organisation's activities
- Effective internal compliance measures the small business has taken
- External controls the small business has applied

Most importantly, it is not enough for these to be documented in a nicely drafted security policy; the organisation must also keep a series of records showing how they are actually being carried out, in order to demonstrate compliance with GDPR.


Do You Really Need it?

But the bigger question is whether small businesses (SMBs) really need to sign up for the certification training being offered to them, or stump up the extra cash for a GDPR consultant to come in, turn their business around and make their lives more difficult.

The general opinion among security consultants is that it is very unlikely the ICO (Information Commissioner's Office) will start issuing fines the day GDPR comes into force on 25th May. It is more likely the UK's data regulator will take a softer approach as small businesses (SMBs) come to understand their roles and responsibilities.


Will You get any Warning before any Fine?



Although small businesses (SMBs) that don't comply are likely to be warned by the ICO to amend their ways, with the worst offenders possibly being fined, there is little substance to the scaremongering generated by those looking to profit from the incoming legislation.


Should You start preparing now rather than later?

It is a good idea to get involved and take some advice from a GDPR expert before the law comes into force. The ICO has said it will release a list of suppliers that can help (i.e., recommendations), but it has not yet released this list, and taking a course will not automatically mean your organisation is completely compliant. It is also likely the ICO will set up its own certification bodies, but none actually exist as of 25th April 2018.

These bodies will be able to issue small businesses with a certification showing they comply with GDPR legislation, valid for a period of three years before it needs to be renewed. The EU has explained this will possibly be called 'the European Data Protection Seal'.


How is the ICO going to determine and audit compliance?

The answer is not yet known, but GDPR is considered holistic, meaning you have to comply with all aspects of the GDPR articles. This still needs to be clarified once auditing starts.

While there may still be some discussion as to whether a GDPR policy alone is adequate, past experience suggests that the ICO requires full compliance with legislation, and it is very unlikely that ICO auditors will accept poor documentation or implementation.

It is very likely that firms suffering security breaches will be the ICO's first audit targets.

The ICO will measure compliance by becoming aware of small businesses suffering public breaches and by auditing small businesses, especially those falling into the former category.



Let's be practical: there will be a lot of non-compliance, especially across SMBs, which is understandable. There will also be some major problems such as security breaches, in which case the organisation's IT security and data privacy policies and practices will be scrutinised thoroughly.


What is the role of the Data Controller?

The duty of a data controller, as quoted by the ICO, is as follows: “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

The controller must be able to show that they have established a data protection compliance programme and a privacy governance structure in the organisation, as well as exhibit ongoing privacy controls in the organisation.



Controllers must also embed privacy procedures into the SMB's IT security policies and into everyday activities that concern personal data. Not only must they document their privacy measures in a policy document and keep records of compliance, but they must also train employees on privacy and data protection matters and test their privacy measures, using the results to improve their policies.



Should you go for the GDPR certification schemes available on the market?

No, certainly not. Don't be fooled by the certification schemes: they may help you prepare for GDPR, but they certainly don't make you certified, even if you enter them for the purpose of gaining a certificate demonstrating compliance. As noted above, there are currently no bodies appointed by the ICO and authorised to audit and certify GDPR compliance for SMBs.

Those that do exist may say their certification is valid for GDPR, but in fact they are often based on the National Cyber Security Centre's Cyber Secure standard, and there is a chance the ICO may still declare you non-compliant.


When is the ICO going to provide certification bodies?



The ICO intends to approve accredited UK bodies that can offer proper certification, expected by spring 2018, just ahead of GDPR coming into force on 25th May 2018.


What is an SMB's best bet at the moment?

The best bet for an SMB is to get involved with GDPR now: start drafting an IT security policy and a data protection policy and procedure; alter the way personal information is controlled and processed; start sending consent confirmations to users; and consult GDPR consultants who can guide you through the process.
