After attending the BCS IS Security Group meeting yesterday, I began to think about how small (or more accurately, medium) companies might deal with the additional compliance actions required of the GDPR. There would seem to be two design patterns, a golden source, or an all knowing switch. The first pattern led me to consider the SaaS solutions, which should be used to dealing with suspects, prospects and customers (CRM), also any employees that might be employed, with the ERP solution catering for personal data located in the supply chain. Over the years I have been made aware of Sugar CRM & OpenBravo (ERP), more recently I have looked at Financial Services KYC problem, and been pointed at kyc.com, an enhanced CRM system designed for the financial services industry. The gap is an industry leading HR system, and it will surprise none of my long term friends and colleagues, that I think we can assume that fault is in the buying community where the priority would seem to be recruitment and applicant tracking although, of course, payroll was the first SaaS offering by an order of decades.