What GDPR means for SMEs
All UK businesses, large or small, need to ensure they are GDPR-compliant by the looming deadline of 25 May 2018. Some businesses have been quick off the mark in meeting the new data privacy regulations but others are far from ready.
Almost half (46%) of all SMEs have not heard of the GDPR while less than 1 in 10 (9%) of UK SME bosses fully understand what the forthcoming new legislation means for their business (Future Attitudes survey, 2017). However, it’s important to get your house in order if you want to avoid the severe penalties.
What is GDPR?
At its most basic, it is about how firms use, process and keep personal data.
The General Data Protection Regulation (or GDPR) is an EU regulation with the aim of strengthening and unifying data protection for all individuals within the European Union. It also covers the export of personal data outside the EU. The primary aim of GDPR is to give control back to citizens and residents over their personal data and also to simplify the regulatory environment for international business by unifying the regulation within the EU.
The new GDPR regulation was formally adopted in April 2016 giving businesses a two-year preparation period – the new data privacy rules become enforceable from 25 May 2018.
SMEs must adopt GDPR
While the adoption of new legal rules can be an inconvenient diversion for any business, it can be a particular challenge for small-to-medium enterprises (SMEs). Already stretched by the everyday running of their business and the search for new customers, SMEs can find it especially onerous to have to understand new legislation, and potentially to change their systems and retrain staff, in order to comply.
However, the GDPR is not optional. GDPR applies to all sectors and businesses that hold and use personal data – for example, on customers, prospects, staff, suppliers etc. Breaches of the new rules attract severe penalties of up to 4% of turnover, damage to reputation and the risk of lawsuits. The UK intends to take the EU GDPR into its own legislation so it will still apply after Brexit.
First of all, don’t panic. While the GDPR represents a big overhaul, in reality many organisations already comply with the Data Protection Act 1998, which the new GDPR updates. It makes good business sense in any case to get your information in order – ensure that personal information is accurate, relevant and safe; in the long run you’ll save time, money and reputation.
Some tips to help SMEs meet the requirements of GDPR:
- Assess your firm’s compliance and seek external help if necessary – your trade organisation or local Council may offer help, as will the Information Commissioner’s Office (ICO) which regulates data protection in the UK – a dedicated advice service for small organisations is available.
- Ensure you include costs in your budget for implementation of GDPR – the biggest cost is likely to be the time spent understanding what is required and then checking your processes.
- You can still send direct marketing to individuals, but ensure you have their ‘consent’ or that there is a ‘legitimate interest’ (for non-electronic communications).
- Use GDPR to reassure customers and staff about the privacy of their data – you’ll increase their confidence in your business.
The GDPR aims to enhance the position of European countries in the digital economy. It’s a good time therefore for SMEs to review their digital strategies and take the opportunity to update their systems – for example replacing fiddly paper systems with automated processes.