The GDPR Clock is Ticking: What SME's Need to Know
With just twenty-four days to go until GDPR is enforced in the UK, now is the time to review your compliance and ensure any last-minute amendments. It is never too late to make adjustments and modifications to process, policy and cybersecurity to ensure compliance with the new regulation.
A variety of recent news reports have highlighted how firms such as Apple, Facebook and Whatsapp are dealing with the new requirements, with many subscribers receiving a number of emails updating privacy notices and terms and conditions in readiness for the implementation of the new regulation on 25th May. Recently, however, a number of reports focusing on SMEs suggest that many remain unprepared.
The Federation of Small Businesses found in February that over a third of small businesses had not started preparing for GDPR, with only 8% of small businesses having completed their preparations by that point. The FSB highlighted that many firms were simply unaware of the changes that would need to be made. Whilst the GDPR represents the biggest change to Data Protection law in the UK, small and medium sized businesses can take small and effective steps towards compliance that can ensure that they both stay on the right side of the new laws, and that they maintain and build on their current business.
The impact of the changes is hinted at in the interest it is garnering in international media as well – particularly in light of the recent allegation that a data mining firm misused the data of tens of millions of Facebook users – with stories from the U.S. highlighting that American-based companies dealing with users in the E.U. and UK will have to comply. As well as the continuing conversation around the differences in expectation of privacy between the U.S. and E.U and whether public perception of the likelihood of privacy will change in light of the GDPR.
Much has been made of the range of stories and news items in the media that focus on the financial and reputational impacts on firms that do not comply. Whilst many SMEs might benefit from appropriate advice and consultancy on approaches to GDPR, most will be aware of the consequences of a breach; regulators will be able to issue penalties of €20m, or 4% of annual global turnover, whichever is greater, for the most serious breaches. Less serious breaches will be subject to a lesser maximum penalty of €10m, or 2% of annual global turnover. Non-compliance certainly carries heavy penalties.
The Regulation is likely to have a further-reaching impact on the perception of privacy that will likely change customer expectations. Once consumers become more aware of their rights – including the right to request copies of their data free of charge, and the right to request erasure of data under certain circumstances – it’s possible that firms will need to spend more time ensuring compliance with increasing requests.
The inundation of news reports and information can seem confusing and overwhelming. However, GDPR offers all businesses the opportunity to consider current practices, and to build their current customer base. Most businesses will need, in any case, to take an inventory of current data collection practices and marketing strategies, and consider what data is held, why, and for what purpose. Whilst it does need to be thorough, the process does not need to be overly complex, and can benefit from a straightforward and manageable approach. The task has the added benefit of offering the opportunity to win trust from customers. In ensuring that privacy policies are revised, how data will be used is explained clearly, and setting out the rights to customers’ proactively, especially in advance of competitors, can help to win trust.
Smaller firms may find budgeting and resources don’t leave much room for the required changes to ensure GDPR compliance. Most companies will need to modify or develop new processes and procedures to ensure that data collection is compliant, train current and new staff members, and ensure that their cyber security provisions are sufficient.
Our GDPR Preparation Pack and last-minute policy check can help you understand the changes you need to make before the Regulation comes into force. Contact us for more information on how we can support SMEs in the lead-up to GDPR.