Intelligent SME.tech Issue 14 | Page 43


SMEs also need to consider how their wider supply chain might be involved in personal data processing; if so, they’d benefit from ensuring security requirements are embedded in contractual arrangements with their suppliers and from ensuring any third-party data processors are only chosen if they can provide sufficient guarantees about their own security measures.
The NCSC also advises that risk management should include plans to respond to and recover from data breaches. Considering this, it is of vital importance that SMEs ensure that they have suitable incident response plans. GDPR requires regular testing to evaluate the effectiveness of the security measures. In other words, not only is a plan important in and of itself, but it should be rigorously assessed too.
Finally, it’s worth noting that the UK government is consulting on how to reform data protection regulation in the light of Brexit. GDPR is criticised for being too prescriptive about the means (tools, controls and practices, etc.) that organisations should implement to comply with data protection regulation, leading to inflexible, one-size-fits-all approaches that foster tick-boxing cultures.
The government asserts that GDPR places ‘particularly disproportionate burdens on SMEs and organisations that undertake low risk processing’.
Instead, the government wants data protection to be less prescriptive and focus more on goals and outcomes so that organisations have the flexibility to choose the best means to comply in the light of their specific circumstances.
