Last updated: 06.12.17

What impact will GDPR have on small businesses?

The new European General Data Protection Regulation (GDPR) represents one of the most important changes to business legislation in recent history, ushering in a new era of data protection and security when it comes into effect on May 25th 2018.

However, despite the far-reaching nature of this regulatory reform, a significant number of companies still seem unaware of the extent to which GDPR will affect them. Many erroneously believe it will not affect them at all, while others are simply unaware of the regulation altogether - indeed, a report from NTT Security earlier this year indicated that only around 40 per cent of organisations worldwide believe GDPR will have any impact on the way they operate.

These oversights are most common among smaller companies, which may lack the industry perspective to understand GDPR, or perhaps consider themselves small enough to stay under the radar. However, the reality is that GDPR is just as relevant for small and medium-sized enterprises (SMEs) as it is for multinationals - and these businesses need to work just as hard to prepare if they wish to remain compliant.

What is the GDPR?

The overall aim of GDPR is to provide EU citizens with enhanced control over their personal data, offer additional protection from data breaches and give consumers a greater say over issues that might affect their personal privacy.

As such, business customers will soon be able to withdraw their consent for companies to use their private data, and to ask holders of data to erase it on request; additionally, all organisations will have to ask for specific permission when processing sensitive information, and to proactively make contact when any breaches occur.

The penalty for falling foul of these new rules is considerable, with firms facing fines of up to four per cent of their annual turnover. It's also vital to note that GDPR will apply to any company holding data on EU citizens, regardless of whether they are based in the EU, so the new laws will remain just as relevant post-Brexit - especially since the UK government has already taken steps to enshrine the new GDPR rules in British law.

What issues do small businesses in particular need to consider?

Because smaller companies generally don't store the same quantity of information as large global organisations, they may erroneously believe GDPR is less of a relevant issue to them, when in fact there are a number of ways that the legislative change will affect SMEs most of all.

Notably, smaller firms often lack the sophisticated, formalised processes for data handling that larger companies have as a matter of course, which will make it harder for them to audit their databases and bring their practices up to scratch. Many also lack a dedicated IT department, which may make it necessary for your SME to seek third-party support when getting up to speed with GDPR.

Of course, this reliance on external IT providers may be a source of GDPR complications in itself, as it means SMEs will need to clarify their contracts with service providers to ensure full legal compliance along the supply chain, as well as to establish that the necessary processes are in place for handling future customer requests.

What steps should your business prioritise?

With May 25th fast approaching, it's therefore vital that SMEs consider the most important actions they can take to make sure they're ready for the change.

First and foremost, this means carrying out a thorough audit of your current databases and processes - including those managed by third parties - with particular attention given to how privacy information is communicated to clients and users. It's also vital to review your organisation's approach to handling data breaches, and to make sure you're in a position to detect and report a security incident in a proactive manner.

Once this has been done, the work to bring all of these processes up to GDPR standard can begin. This may involve the appointment of a dedicated data protection officer, but more than anything else it will require a commitment to ongoing compliance training, ensuring that all members of staff are able to keep pace with the evolving regulatory requirements.

By taking these steps, you can make sure your SME remains a trusted custodian of personal data, while reinforcing your credentials as a modern, agile, data-driven 21st century business.

Summary: The new European General Data Protection Regulation will come into effect in May 2018, so it's vital that small businesses recognise the steps they need to take to ensure compliance and do so as soon as possible.