Dr Gavin Scruby, CIO, SmartDebit
Implementing GDPR for many organisations was probably a dreaded and painful process. Getting advice from lawyers or, worse, self-proclaimed “GDPR experts”, may also have had high costs.
It made me think, what can you do on your own with the right approach and preparation when you can’t afford compliance staff? When should you have to ask for actual legal assistance? This train of thought led to the realisation that the road to GDPR compliance had parallels with how a small or medium business has to operate in order to meet the compliance demanded of large enterprises, but while also still retaining the agility of an SME.
Like many things, it is simple but not easy. It mostly comes down to doing the right research and implementing a strategy with realistic targets. The key to this is that you also have to ask the right questions. What is the current position of my business? Is it heading in the right direction? Will hiring in-house be more cost-effective than outsourcing, or vice versa? Is my business building relationships with the right third parties?
There is not one ideal method – it all depends on what kind of business you are operating, what market you are in, which sector you are aiming to win, and the strategy you implement.
Evaluate the company’s position
The first task might be the most tedious for some, but understanding your company’s position is vital. No assumptions can be made here – it has to be factual, analytical and well-researched. An honest (and potentially painful) SWOT analysis can be helpful to understand the company’s weaknesses and strengths. You can’t be lenient on yourself. Some truths may not be desirable, but identifying and understanding where you’re weak will enable you to evaluate what actions to take to improve. You should match these weaknesses and strengths with the company’s aims. Are these aims realistically reachable in your chosen timeframe based on the company’s current situation? Investigate what needs to be improved and how much it would cost. Do your aims need to be adjusted?
What about your chosen market area? Do your research – what does the market need and what are the current trends? What is working and what isn’t? Are you even targeting the right market? Align your company goals with your chosen market.
Implementing strategy within the company
In order for any business strategy to be successful, the company goals have to be believed and lived at Board level. Only then will you be able to implement the strategy throughout the wider business. This is important because a strategy will be far stronger when all departments are coordinated and synchronised to work towards goals. If they are not aligned, it may lead to issues and fragmentation of vision. For instance, if with a new strategy you experience a substantial increase in sales growth, you do not want this to impact negatively on data security and compliance. This especially applies to technology companies. Similarly, when your sales grow, you have to ensure that you have sufficient security and compliance staff to operate effectively, and to avoid employee burnout.
Should you hire in-house or outsource?
You may find that hiring in-house becomes more affordable over the long run, though this is a fashion that is cyclic and based in large part on the outsourced BPR (business process re-engineering) models available. Hiring directly also gives you more control, better management and more flexibility when your operations are kept inside your company. Again, this applies to technology companies, and it worked for us at SmartDebit when we doubled our staff numbers in order to be more effective and innovative with our service. Specifically, we took the decision to cut outsourced support contracts to reduce security risk, streamline controls and reduce the number of links in our compliance chain.
When hiring, it is, of course, paramount to hire the people with the right skills. However, in a small company, employees are expected to juggle various responsibilities at the same time. It is therefore worth considering the range of a prospective employee’s skillset and experience.
Hiring in-house may not always be possible. For certain projects, you may find that hiring a third party might be more effective. In this case, it is necessary to identify third parties that can be your partners. Are they innovative? Do they align with your company’s ethos and way of working? Do they have the right compliance and data security controls in place?
A good example could be automating the complex and tiresome process of Direct Debit. It shouldn’t come at the cost of reduced compliance and data security. Invest time to research your choice of a third party and their accreditations. In addition to strong data security, businesses should make sure the service and software they are purchasing is aligned with their needs. Does it offer additional functions that will benefit your operations and save time and costs? Another overlooked part is customer service. What are their most recent turnaround times? You don’t want to wait days to fix an issue with payments as it may impact your reputation among your customers. All these questions are imperative. Careful consideration when outsourcing a huge process like this can be not only beneficial for the business’ cash flow, but also your customers’ data security.
Depending on the industry you are in, there are different compliance and security standards. For financial and technology companies, which are highly regulated, it is worth embracing these standards and implementing them into the company’s ethos as one of your most important values. Your staff should be adequately trained on a regular basis with both compulsory and voluntary courses. Go too hard, however, and you may scare – or bore – your employees. Make security and compliance interesting rather than frightening. It is possible, especially when people take pride in their level of quality above the competition. Again, this is top down, so the Board must speak with one voice. Taking the education route, rather than the “we are doing this because our regulators tell us to” route, will motivate and inspire your staff to fully understand and embrace its importance.
There is no shortcut to being a successful business, no matter what size you are. These processes take time, effort and money to get right. It won’t happen overnight. When done right, SMEs have the advantage of being able to be flexible in their operations, far more so than a larger company. You really can decide on a change, a vision, and realistically get it spread across the organisation. No matter what other values you have, it does not mean that security and compliance have to suffer. In fact they mustn’t, or you won’t be able to trade with large companies. SMEs can benefit from both agility and enterprise compliance together.
As with everything in life, it is easier said than done. However, gradually this can be achieved by:
- Researching and analysing
- Being honest about weaknesses
- Believing company aims at Board level
- Coordinating all departments to work towards these aims
- Linking sales growth with the growth of good compliance and data security
- Willingly and voluntarily educating your team about compliance and security
- Collaborating with matching third parties.