In this podcast, we look at planning for compliance under “the new normal” for UK small and medium-sized enterprises (SMEs) with Mathieu Gorge, CEO of Vigitrust.
Antony Adshead: What compliance issues should UK SMEs be thinking about right now?
Mathieu Gorge: Well, right now data protection is key on the agenda. UK SMEs, as they are starting to reopen and everybody is going back to work, have to adapt to what people call “the new normal” and that businesses have changed. A lot of businesses are now more distributed than they were and that is also the case for SMEs.
What that means in practice is that the ecosystem within which most UK SMEs operate has changed. A lot of people are going to want to continue working from home. A lot of people are going to want to access data from home as well, and those that are actually returning to work are going to need to adapt to new ways of working within the office.
That has an impact on data storage and compliance, not just from the technical perspective, but also from the point of view of physical data storage.
So, I think that the re-mapping of the ecosystem for UK SMEs is important.
Adshead: How should UK SMEs prepare and plan for compliance in “the new normal”?
Gorge: So, one of the things that I think you need to do, that I always say, is that people need to map their ecosystem – what they store in the cloud, what they store on-premise, how they acquire data, whether it is structured data or unstructured data, employee data, client data. And what they do with that data, not just from a storage perspective, but also how they transmit the data and process the data.
Right now, there are concerns from end-users and from clients who worry that their data is being used, and others have concerns about how they use other people’s data.
In the UK, the Information Commissioner’s Office – the ICO – has published some very good guidance on how to deal with data protection and coronavirus, and that actually covers acquiring data and storing data, and the topic of data subject requests.
At a normal level, on an ongoing, day-to-day basis, I think UK SMEs need to re-examine how they assign roles with regard to data.
For example, they may need to re-look at the data classification that they have and who can access what data and under what conditions. So, for instance, some of the privileges on systems will need to be looked at, especially with regard to an extended ecosystem where people work from home.
And then, as I said earlier, I think that physical data is something that is often forgotten. A lot of organisations will find they don’t necessarily pay enough attention to physical data, data that is being printed – what you do with that data once you have it, how do you store it and how do you dispose of it.
So, the advice would be to re-map your ecosystem, re-examine your data classification and the roles that are linked to that, so that you can ensure you store the data in accordance with the Data Protection Act and GDPR (General Data Protection Regulation), for example.