Why no SME can afford to ignore the General Data Protection Regulation (GDPR)
Register here for my FREE webinar “Getting GDPR ready as an SME”
The clock is ticking on the biggest shake-up of data protection legislation for over 20 years and it arrives on 25th May 2018.
Most big businesses have been working towards GDPR for a while, recognising that the stakes are high and there is a lot to do to get ready in time. GDPR is just as relevant to small and medium-sized enterprises (SMEs), and yet many haven’t got off the starting blocks or don’t realise that it applies to them too.
If that sounds like you, then this article will help, by explaining simply and clearly what GDPR is all about and why as an SME you can’t afford to ignore it.
So what’s GDPR all about?
GDPR introduces a single set of rules for how organisations handle the personal data of individuals within the European Union (including the UK), whatever their nationality. It extends the reach of data protection legislation to cover both the organisations that decide why and how personal data is collected and used (data controllers) and those that process it on their behalf (data processors). GDPR hands control back to the individual and demands a much higher level of transparency and accountability from organisations for how personal data is collected and used. Although it’s not yet clear how the Supervisory Authorities charged with monitoring data protection compliance will exercise their powers, they can levy significant fines on organisations that do not comply with GDPR: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Does it apply to you?
If you process the personal data of individuals in the European Union (including the UK), then GDPR applies to you regardless of where in the world you’re based or the size or type of your enterprise. Personal data is any information relating to a living individual who can be identified from it, directly or indirectly, and includes things like name, email address, contact details, image, voice recording, IP address, fingerprints, vehicle registration number, bank details and so on. It follows that if you hold information about employees, customers, donors, sales leads, patients, pupils, suppliers, supporters, volunteers and the like (and I don’t know of a business or enterprise that doesn’t have one or more of these), then you are processing personal data and will be subject to GDPR.
Why no SME can afford to ignore GDPR
GDPR is like your licence to operate when it comes to personal data in the European Union. If you do not process personal data under the terms of GDPR, then you will quite simply be acting unlawfully and can be held to account for it. At worst, this may result in a hefty fine or a ban on processing personal data, which would affect your ability to operate at all.
Aside from the legal ramifications of ignoring GDPR, there’s also the matter of trust. Whoever’s personal data you are processing, from employees to donors to customers, they need to feel they can trust you with it. You must give them confidence that their data will be looked after and protected properly and that it will not be misused in any way. The recent Facebook/Cambridge Analytica situation, in which it is claimed that millions of individuals’ personal data may have been shared with third parties without their knowledge, shows how easy it is to lose the trust of individuals and damage your reputation. Long-term relationships with individuals are built on trust, and showing that you are proactively meeting the requirements of GDPR helps demonstrate it.
Whether you are a data controller or a data processor, GDPR demands a much higher level of accountability from you. You must keep detailed records of the personal data processing that you do and, if you are the data controller, clearly state your lawful basis for doing so. You’re accountable to the individuals whose data you process, and you must be able to act on their rights (such as requests for access or erasure) quickly and effectively. In the event of a data breach, you must record it, take all necessary steps to contain it and mitigate any resulting risks to individuals’ rights and freedoms, and, where the breach is likely to put individuals at risk, notify the Supervisory Authority within 72 hours of becoming aware of it. All this requires a structured and systematic approach; it won’t just happen, so you need a plan for getting GDPR ready.
If you do nothing about GDPR, it’s unlikely you’ll feel the effects straight away, i.e. on 26th May 2018. But customers, employees, suppliers, donors and others may start asking how you’re meeting GDPR and ask you to confirm it in writing, with evidence. If you’re not able to do this, you may find they start to look elsewhere. Furthermore, if you suffer a data breach or fail to handle an individual’s rights request properly, you may find yourself referred to the Supervisory Authority, which will immediately ask to see evidence that you’re complying with GDPR, along with your detailed audit trail. So, in the end, the risks of doing nothing may be significant and could ultimately cost you your enterprise.
What should you do next?
Take steps quickly to understand more about GDPR, what it means for your SME and the key actions you need to take to get GDPR ready. You can register for my FREE webinar “Getting GDPR ready as an SME” here. It will give you a simple introduction to GDPR and the 6 key areas you need to consider and take action on. When you attend the webinar you will also get access to my detailed GDPR Preparation questionnaire. This download will help you identify gaps in what you currently have in place and help you focus on the specifics of what you need to do to get GDPR ready.
Ceri George has over 15 years of marketing experience and is the owner of By George Marketing and creator of the GDPR Preparation kit for SMEs. She helps businesses make the most of their marketing and turn it into an investment for growth. For more information about working with her and details of the GDPR Preparation kit, please visit www.bygeorgemarketing.co.uk