What impact will GDPR have on SMEs?
The General Data Protection Regulation (GDPR) is nearly upon us, and SMEs need to be prepared. So let’s take a look at what it is, how it will affect businesses and what you can do to mitigate the risks.
What is GDPR?
Essentially it is a complete update of existing EU data protection laws. The updates are needed because the way data is gathered, stored and used has changed dramatically since the 1995 EU Data Protection Directive. The new legislation aims to make personal data more secure in the face of rising cyber-crime. It also gives people more power to control their own data.
What impact will it have on SMEs?
Small businesses that gather, process and store personal data will need to audit their existing framework and make changes where necessary. For instance, if a business relies on computer networks and digital storage, it will need to make sure it has taken strong measures to prevent data breaches; this could mean investing in better cyber-security solutions, training staff to be more web-savvy, and implementing policies that aim to stop leaks from within the organisation. Because of the right of subject access - which gives consumers greater power to access their stored data - SMEs may face additional costs.
What are the consequences of not adhering to GDPR?
Businesses, regardless of their size, face fines of 2-4% of their annual turnover or €10-20 million (whichever is greater). It’s been reported, however, that regulators have more discretion when punishing SMEs. So depending on the severity of the situation, SMEs may be treated more leniently. However, it’s not yet clear how much discretion they really have. Besides monetary penalisation, businesses face huge reputational damage for falling foul of GDPR.
What can SMEs do in preparation for GDPR?
The most important thing is to read through all GDPR chapters, articles and recitals and familiarise yourself with the law. Once you have a clear idea of GDPR requirements, you can then audit your business and make changes as per the directives. Document each and every step you take - so if a breach does happen, you’ll have evidence that demonstrates your compliance. To help you get started, the Information Commissioner's Office (ICO) has put together a useful 2 Step Fact Sheet. If there’s anything you’re unsure about, always seek professional advice.
How will it affect consumers?
Because of active consent, consumers won’t be tricked into giving permission to share personal data. The right of subject access gives consumers more power to request their data without incurring costs. Similarly, GDPR means that businesses will have to clearly inform consumers about their right to object, which is the right to prevent organisations collecting a consumer’s personal data. Overall, it gives consumers a clearer picture of where they stand and gives them more control over their personal data.
What impact will it have on SME marketing?
Small businesses will need to make sure they collect and process data in the right way. This means being clear about consent and the consumer’s rights. Robin Sumner, MD at Romax - a leading-edge marketing communication service based in London - has this word of advice: ‘From the beginning you need to get it spot on - so the first step is to audit your data processing policy and get it in line. You need to create a process that factors in the new requirements so that it flows out from the strategic level into every aspect of your marketing communication. In other words, it needs to be baked into your organisation so that it becomes integral to operations.’