Recent research suggests that three out of four companies are unprepared for the GDPR, with Gartner predicting that by the end of 2018, an astonishing 50% of businesses will not be fully compliant.
So should SMEs be worried about ‘G-day’ – May 18 – and has Westminster adequately prepared us for it?
At heart, the GDPR is a piece of legislation that will protect all of us as individuals. “It was drawn up to give citizens back control of their personal data – extending the scope of the EU’s data protection law to all foreign companies processing the data of EU residents,” says Kerry Beynon, Partner and expert in data security at Acuity Legal. “It also addresses the export of personal data outside the EU.” And for Beynon, whilst GDPR compliance may sound like an onerous task – “and for some organisations it will be” – it should be seen as “an opportunity to review current data collection and storage systems and processes and make them as safe and secure as possible.”
Needs and musts
Does Beynon think the GDPR is potentially disastrous for SMEs? The broad answer is – yes and no. “You might think that your current data protection procedures are good enough, but the GDPR has severe fines for non-compliance – up to €20 million, or 4 per cent of global turnover, whichever is the greater.” By way of comparison, the current maximum fine in the UK is £500,000. And as Beynon points out, the monetary fine is only part of the damage companies will suffer. The risk to your reputation and brand is potentially huge.
On the other hand, Beynon says, “essentially, the GDPR is really just what was seen as good practice under the current regime, being given statutory recognition in legislation.” If you are doing things well now, she says, it will only be “a small step up” to comply with the GDPR. “But if you don’t, then you’re going to have a lot of work playing catch-up.” Our previous article on the GDPR gives SMEs some practical tips about what they need to do.
What particularly needs paying attention to that the small professional services company might miss? “Organisations will have to be much more specific about why they want the data and how they intend to use it,” Beynon believes. “This will have to be carefully documented and communicated to data subjects. Even then, individuals will have a host of new rights allowing them to object to certain data processing, to restrict how their data is used and even to have their data erased on a number of different grounds. There will also be responsibilities on organisations to check and correct data that is alleged to be incorrect.”
Ways of seeing
From a small business point of view, the important thing in the event of a breach “is to have a narrative that you can put to the regulator and can explain the steps you’ve taken,” says Ardi Kolah LL.M, Director, GDPR Transition Programme, Henley Business School. “You need to be able to explain the appropriateness of those steps based on your own risk attitude, show that you have acted in accordance with your codes of conduct, and demonstrate you’re thoughtful about individuals’ rights and have acted appropriately with their data.” If all this is in place, Kolah says, “you won’t attract the highest level of penalty.”
The way to think about the GDPR “is to see it through three lenses rather than one,” he says. “Those three are – business continuity, risk and technology. Unless you can join the dots between these three things, you won’t achieve the outcomes that the ICO (the Information Commissioner’s Office) wants to see.”
What are those outcomes? “They’re straightforward. It’s not actually to be 100% compliant with the regulations – that would take the best part of four years.” In fact, it is that the Government “wants people to identify very high risk practices when processing personal data; to mitigate those practices; and to reduce them to residual risk.”
There’s no doubt the penalties are tough – “but it’s the companies that won’t take the opportunity the GDPR offers and instead try to do the minimum to get away with things – they are the ones that will suffer.”
Checklist: three key steps to prepare for the GDPR
- Start with a thorough audit of what data you collect. “Look at how it is collected, why it is collected and by whom,” says Kerry Beynon. “Ensure senior management is on board and go through your organisation methodically, department by department.”
- Look at where and how the data is stored, and who it is shared with. “Are your storage systems secure? Do you have appropriate contracts in place with third parties? What is the legal basis of your processing the personal data?”
- Get management buy-in early on, and make sure the importance of compliance is communicated from the top down. “Once everyone in your firm is on board,” Beynon says, “you need to ensure that all policies relating to data storage and usage are clear and accessible at all times and that procedures are adhered to.”
Finally – has Westminster prepared us adequately for the impact of the GDPR? “There needs to be greater awareness in unregulated markets, and I don’t think the Government has sufficiently addressed that,” says Kolah. “It’s all falling on the ICO and they are going to have quite a job monitoring it.” Kolah would like to see a more joined-up approach. “I think the European Commission will push out more information after January 28, when a programme will be launched to advise on our access to personal data.”
The key is to educate small businesses. Fortunately, in accountancy and other regulated markets, there is generally a much higher awareness of the GDPR. But elsewhere, lack of understanding of the GDPR is going to cause problems for companies who will suddenly have to work hard to be compliant. Keep ahead, however, and you will be on track.
Mark Blayney Stuart is Business Journalist of the Year, Wales Media Awards 2017 and Former Head of Research at the Chartered Institute of Marketing.