The General Data Protection Regulation (GDPR) grabbed headlines earlier this year for many reasons. One being the eye-watering fines for those who fail to comply. For instance, businesses that fall foul of the regulation could be fined up to 4 per cent of their global turnover or 20 million euros, whichever is higher. Only 28 per cent of SME owners guarantee that they could continue operating following the fine, which means GDPR compliance could be ‘make-or-break’ for a small business.
There is still a lot of confusion around the risks they face now the deadline has passed. Small businesses can often feel detached from the risks of the GDPR as it is usually associated with high-profile data breaches made by large companies, but they need to realize that it can affect them just as much.
Since the GDPR came into force, we have been speaking to a wide range of SMEs to understand their experiences, including the challenges they have faced. We found that some SMEs are fully compliant while others have stalled due to a lack of knowledge, time or resources. If you’re part of the latter group, or you fear your SME may be breaching the regulations, here are some action points given by those who have already achieved compliance.
1. Seek permission now
While consent is only one of six lawful bases for processing personal data, where it is relied upon, SMEs need to review consents that were originally provided by customers to see if they are compatible with the GDPR’s requirements.
Under the GDPR, consent is only valid if it is a freely given, specific, informed and unambiguous indication of an individual’s wishes indicated by a statement or by a clear affirmative action. So it’s possible that existing consents aren’t sufficient, especially if they were based on silence, pre-ticked boxes or simply implied, meaning you may have to contact every individual in the database to seek fresh consent. If you don’t have valid consent for the ways in which you’d like to process the data, then that individual’s information may need to be deleted.
After taking these steps, it’s likely that your database will shrink. This may ring alarm bells to most, but cleansing your business’s database removes stagnant contacts, that had little or no impact on the business before the GDPR. Moving forward, this ensures that you are reaching out to people who want to be engaged with, creating a database of realistic prospects.
2. Find and organize all personal data
The GDPR has changed how organisations store and process data. As data comes in a variety of forms, it’s important that an audit is undertaken sooner rather than later, to help identify where and in what form that data is being held.
And it’s not just customer data that should be looked at, employee data is just as vital. For example, how will you securely store sick notes or text messages requesting time off? How do you restrict access to personal data to ensure only those who have a ‘need to know’ can access it? This must also be reflected with candidates. From the moment a potential employee submits their CV or application form, you’ll have to record when and how you obtained this data.
The huge benefit of this is that when you begin to question every element of how and where you keep data, you can begin to identify areas of improvement and create clear guidelines everyone must follow. This can sound overwhelming for small businesses with limited resources, but breaking tasks down into bite-size chunks, starting with smaller or more familiar databases, will make GDPR implementation smoother. Unlike, large corporate businesses, SMEs have an advantage here, as it’s more likely that data is easily located.
3. Make the most of your IT
The conversation that you will have with the IT team is not necessarily about providing software or hardware for GDPR readiness. It is more about how they can securely dispose of existing data, put processes in place for ongoing data retention, as well as reporting data breaches.
Enlist your IT manager to reach out to all business functions to ensure that they all understand the GDPR’s reporting requirements. Also, if there isn’t a requirement for a designated Data Protection Officer, then appoint a business leader within the team who can be responsible for answering questions on data protection matters and being an example for others in the business to follow.
Ultimately, it’s important to view the GDPR as an investment rather than a threat. It protects your business, but most importantly it educates and secures your own employees when handling data. Although there is some work involved in ensuring compliance, the ongoing opportunity to review and fine-tune your processes presents valuable opportunities. It can be the competitive differentiator you need in an age where customers pay more attention to how businesses manage and protect their personal information.
About the Author
Adam Prince is the VP of Compliance and Product Management at Sage. He is a globally experienced product leader with an extensive history of supporting enterprise level global development, sales and marketing teams. Adam has managed Product Management, Product Marketing and Field Marketing teams producing solutions focused on finance, manufacturing, and the supply chain.