The 6 myths that may be stopping you getting your SME GDPR ready
The biggest change in data protection legislation for 20 years will take effect on 25th May 2018 as the General Data Protection Regulations (GDPR) are universally adopted across all European Member states (including the UK).
GDPR is not the same as the current UK Data Protection Act 1998 and introduces a much higher level of accountability for organisations who process personal data and is firmly designed to give individuals more control over what and how their data is used. And yet there’s still a lot of confusion over GDPR with many organisations wrongly assuming it won’t apply to them or is just business as usual in terms of data processing. This is a mistake that could end up costing some organisations dearly.
In a previous blog, I've talked about the key areas of GDPR that every SME needs to be aware of and gave 10 practical steps everyone can take to get GDPR ready. Click here to access that now if you’re not yet clear what GDPR is all about.
Today I want to bust 6 big myths that may be stopping your SME from getting GDPR ready.
1. GDPR doesn't apply to small businesses
This is one I hear regularly, reinforced by the fact that most of the GDPR content and commentary online focuses on bigger businesses getting ready. The application of GDPR is not based on size, rather the level of personal data processing that is done. So if you’re a small business (including a sole trader), charity or community group that collects and processes personal data (names, addresses, email etc) you will not be excused or exempt from GDPR just because of your size. If you only process personal data “occasionally” i.e. not on a regular basis, then you do not have to keep a record of this processing activity, but I don’t know many/any SMEs that won’t have some categories of personal data processing that they do on a regular basis e.g. payroll, attendance records, customer invoicing etc.
If you’re an SME, it’s best to bite the bullet and accept that even though you may be small, you still have a responsibility in law to properly manage and look after individuals’ personal data and need to take the necessary steps to ensure you can meet GDPR requirements as quickly as possible.
2. Brexit means GDPR won’t apply to the UK
For all those hoping that Brexit means no GDPR, I’m sorry to disappoint you. There’s a few good reasons why Brexit won't derail the application of GDPR within the UK. Firstly, GDPR is part of a worldwide trend for countries to impose stricter data protection laws so even if the UK Government didn’t want to apply GDPR, it would most likely develop its own data protection legislation along similar lines.
As it is GDPR comes into effect May 2018 and the UK doesn’t leave the EU before March 2019 so whatever happens, GDPR will become legally binding in the UK before Brexit is concluded. This means organisations processing the personal data of individuals who reside in the UK (as well as the rest of EU) will have to show they are working to the new Regulations. Once that happens, there seems little incentive to dismantle everything once Brexit has happened, particularly as many organisations will still have customers and suppliers based in the EU and therefore be subject to GDPR in the handling of their personal data.
It is more than likely in the longer term, that the UK will mirror GDPR in its own Data Protection Act and ensure this doesn’t create an unnecessary barrier to trade with others in the EU.
3. GDPR is just about getting consent for direct marketing
I’m a marketer and although I’ve been aware of GDPR for some time, because all the talk in marketing articles and journals seemed to be around getting consent, I was guilty of thinking this was the basis of GDPR. I realised my mistake about nine months ago when I started to look into it in much more detail and it dawned on me that it affected every aspect of an organisation that processes personal data - HR, Finance, Sales, Marketing, Procurement etc.
Consent is one of six legal bases that can be relied on to lawfully process personal data and is only appropriate if individuals can genuinely be given a choice. So it works for direct marketing when individuals can decide if they want to sign up to a mailing list, but it doesn’t, if for example, regardless of an individual, you have a legal duty to process their data.
GDPR is also not just about you establishing a lawful basis for processing personal data, as there are other key requirements like recording data breaches, keeping up to date records of data processing and ensuring Individuals understand the rights they have over their data. So don’t make the mistake of thinking you just need to update the consent statements you use to collect contact details for marketing purposes. You are going to need to be a lot more organised and pro-active than that.
4. It will spell the end of many small businesses
Inevitably, there is a lot of fear over change, particularly one as large and significant as GDPR. There’s been a lot of scaremongering on line about the size of fines the Supervisory Authorities can impose and the amount of work that’s required to get GDPR ready. Larger organisations can afford to employ full time resources or engage consultants to help them get ready. SMEs don’t have those sort of resources at their disposal and some believe it will all be too much for their business and they will be forced to shut down.
There is no getting away from the fact that GDPR does bring extra data protection hoops to jump through, but it need not spell the end of your business. At over 80 pages long, one of the challenges of GDPR is having the time and understanding to know what it all means in the first place and then what you practically need to do. It took me weeks of research and lots of reading to get to the nub of it all and work out an approach I could adopt in my own small business and use to help others get GDPR ready. You can access my FREE webinar “Getting GDPR ready as an SME” and get a shortcut to understanding GDPR and what it means practically.
To help you further, and stay focused on the success of your SME, I’ve developed the GDPR Preparation kit, designed to show you exactly what you need to know and do in each key area of GDPR. It’s full of useful guides, processes and templates to help you implement what you need to as quickly and painlessly as possible. Click here to find out more.
If you don't want to risk the future of your small business, the best thing you can do is embrace GDPR and take the necessary actions to get GDPR ready. See it as an opportunity, a way of building trust with customers. If you give individuals control over their data and properly respect their rights under the GDPR, you will ultimately find yourself in a much stronger position to win new business.
5. It’s only relevant for businesses in Europe
Whilst it’s fairly clear that GDPR is a piece of EU legislation, what isn’t always so clear is that its geographic coverage relates to where citizens rather than the organisation is based. This means that even if as an organisation you’re based somewhere like Canada, USA or Australia, if you process personal data for individuals who live in the EU, you will need to do so within the scope of GDPR.
If you’re an SME based in Europe you also need to consider data processors you’re working with who may be based outside the EU. A lot of SMEs will be sharing personal data with service providers who offer automated mailing packages, landing pages and webinars and as part of this collect personal data on their behalf. Many of these providers will not be located in Europe but again they will need to work within GDPR and the individual SME will need to ensure they get the guarantees from each of them that they can do so.
6. It’s just a paper/box ticking exercise
It’s tempting to think that data protection is only about compliance to the legal requirements and GDPR is just another box ticking exercise. But it requires a much more proactive approach than previous data protection legislation and all organisations need to actively demonstrate in all they do, that they take personal data protection seriously. Individuals have lost faith in organisations to look after their personal data responsibly and GDPR is an opportunity to prove otherwise. You need to think of it in the same light as Health and Safety- a licence to operate that shouldn’t be compromised and for which the consequences of not doing anything can prove fatal.
Whilst you’re unlikely to be penalised straight away if you don’t have everything in place for GDPR, you can bet your suppliers, customers and even employees will start to ask questions about what you’re doing and how you’re complying. And there only need to be one or two high profile data protection cases reported in the media to get everyone frantically trying to get their house in order before anyone asks them what they’re doing to comply with GDPR.
So don’t leave it, however unreal it all feels currently. Your size won’t make you invisible to the individuals whose data you process, and regardless of whether you’re on the Supervisory Authority’s radar, your future success may well be linked to your ability to sho you’re meeting GDPR.
What to do next?
Take steps quickly to understand more about GDPR, what it means for your SME and the key actions you need to take to get GDPR ready. You can register for my FREE webinar “Getting GDPR ready as an SME”here. This will give you a simple introduction to GDPR and the 6 key areas you need to consider and take action on.
When you attend the webinar you will also get access to my detailed GDPR Preparation questionnaire. This valuable download will help you identify the gaps in what you currently have in place and help focus in on the specifics of what you need to do to get GDPR ready.
You can also purchase the GDPR Preparation kit for £399 and get instant access to videos, presentations, templates, processes and checklists to support you in getting GDPR ready quickly and effectively. Click here for more information.
Ceri George has over 15 years marketing experience and is the owner of By George Marketing and creator of the GDPR Preparation kit for SMEs. She helps businesses make the most of their marketing and make it an investment for growth. For more information about working with her and details of the GDPR Preparation kit please visit www.bygeorgemarketing.co.uk