
25 May 2018

Tackling GDPR as a small company

Making sure everything is done right can be a challenge and a blessing in disguise.

The General Data Protection Regulation (GDPR) is here, replacing the more lenient Data Protection Act from the late 1990s. We 100% support the mission of giving people more privacy and stronger rights over their personal information. We’ve always considered the privacy and data protection of our clients and of the citizens we research with, and GDPR has given us a great opportunity to run an even tighter ship. Making sure we meet every element of the improved regulations, especially as a small company, has been a challenge. We’re at the start of a renewed journey and we are striving to do our best when it comes to handling sensitive information. Here are some of the challenges we’ve faced and the steps we’ve taken along the way.


Understanding lawyer speak

The GDPR is a lo(ooo)ng document that isn’t easy on the eyes. Luckily, a lot of wonderful people and organisations have taken it upon themselves to translate it into layman’s terms for the rest of us. Some of our favourites are these posts by IT Governance, IT Pro, White & Case, and the Information Commissioner’s Office’s handy GDPR checklists.

Understanding exactly what is required of our design team still has not been easy, but we take comfort in the Information Commissioner’s following statement:

“To small and micro businesses, clubs and associations who are not quite there, I say … don’t panic! As the new ICO Regulatory Action Policy, out for consultation very shortly, sets out, we pride ourselves on being a fair and proportionate regulator. That will continue under the GDPR. 25 May is not the end of anything, it is the beginning, and the important thing is to take concrete steps to implement your new responsibilities — to better protect customer data.”

A blessing in disguise

We picked our team members’ brains on what needed to be done by May 25th and ended up with a to-do list almost as long as the GDPR itself (this may be a slight exaggeration), from getting consent again for our newsletter mailing list to changing the way we do research.

Not all of our processes needed to change because we were doing them ‘wrong’; in fact, we’re incredibly thorough in how we work with our research participants. But on some occasions our team members might undertake work slightly differently from one another. For instance, how do you close down a project when it’s finished, and exactly how long should we store data for? How do you gain consent from interview participants in a way that meets the GDPR’s requirements? The regulation has spurred us on to become even better at clarifying and streamlining our internal processes. Arguably, it’s a blessing in disguise, forcing us to take the time to service design ourselves again.

From 3000 to 200 followers

How many re-sign up emails have you received over the past couple of weeks? Ours included, we’re sure it’s quite a few, and it seems like most of us are not so keen to sign up again. We’ve gone from a mailing list of nearly 3000 to having 200 people (so far) signing back up, and we’ll be honest, that makes us a bit sad.

After working hard over the years to build our audience, we now start again from scratch. The silver lining is that our new mailing list consists of people who are truly interested in what we do – and hopefully, they will be a more engaged audience with which to share our progress, thoughts, and events. You can sign up to our newsletter here, if you have not done so already (just saying).

To delete, or not to delete: that is the question

What to delete has been one of our biggest worries. We have project files going back to when we first started the company, and we’re too small a team to go over all those files to check if we accidentally have something that we shouldn’t have.

Our solution is to archive everything older than one year, with access restricted to our dedicated data protection officers (DPOs). It’s not ideal, since it means our team loses access to insights and tools; however, we hope our DPOs will be able to go over these files one by one and make them available to the team again once we’re sure they’re safe to share. That will definitely take a while, so if you have a better solution, please share it with us!

Do you have any GDPR tips?

Let us know