GDPR for SMEs – Four Common Myths Busted
The EU General Data Protection Regulation (GDPR) comes into force on 25 May this year and represents the biggest change to data protection legislation in Europe for over two decades.
The stringent new rules are designed to govern how organisations treat personal information, putting individuals firmly in control of the way their data is used. Privacy, security, accuracy and accountability - these are the overarching values of the GDPR and must be embedded into every aspect of your company.
Working in partnership with Maximizer to help SMEs navigate their compliance journey, Bridewell Consulting have come across some significant misapprehensions surrounding the implications of GDPR. Here, we dispel four common myths to help you understand what it means for your business and how you can turn compliance into a commercial opportunity.
Myth #1 – “It doesn’t apply to SMEs.”
GDPR affects every organisation, regardless of size and location, which holds personal information on data subjects, as consumers or employees, in the EU. In practice, the principles guiding how data should be collected, processed, shared and stored apply to virtually every business within the EU, as well as those beyond Europe that process data on individuals within the Union. There’s no exemption for small businesses or sole traders.
Many SMEs appear to have their heads in the sand at the moment, but they should delay no further in getting up to speed with their responsibilities.
If you are a “data processor”, for instance a supplier handling personal data under the terms of your client contracts, compliance could be a make-or-break factor in securing business in the future. Both controller and processor shoulder compliance responsibility and either or both could be liable to pay compensation or fines.
Controllers are therefore scrutinising the data practices of all third parties processing data on their behalf. This is leading to thousands of contracts being rewritten to incorporate GDPR compliance. Processors must raise their game if they are to meet what will soon become a standard contractual requirement. Even if you commonly pass sales leads to a business partner, for instance, you must ensure that they too are GDPR compliant.
Although the Information Commissioner’s Office (ICO) recognises that not every company will be 100% compliant from the enforcement date, it is imperative to set your compliance wheels in motion so you can demonstrate progress in protecting the data you hold on your staff and customers. If you suffer a data breach, you will need to be able to report it to the supervisory authority without “undue delay” and not later than 72 hours if you believe it could have an effect on the “rights and freedoms” of individuals.
Myth #2 – “We’ll have to re-permission our entire database.”
Perhaps the most high-profile and widely misunderstood element of GDPR is the stricter requirements around consent. Obtaining renewed consent – or ‘re-permissioning’ – is time-consuming and runs the risk of individuals simply withdrawing their consent or not replying, but it can also be an opportunity to cleanse your customer data.
However, consent is just one of six lawful bases on which organisations can process personal data and/or perform marketing activity. In fact, the primary requirements regarding marketing fall under the Privacy and Electronic Communications Regulation (PECR), the less well-publicised but equally vital piece of legislation that is currently being amended to come into effect alongside the GDPR.
You are probably in the midst of conducting a data audit to understand the data you process and where it is held. During this audit, you will probably find that some of your data processing can be justified on a different legal basis to consent, particularly where you have existing client relationships. Some direct marketing will continue to meet the criteria for “legitimate interests”, as long as the processing does not override the rights of the individual. We would advise in these instances you review and document a clear rationale for selecting legitimate interests as your basis to process.
That said, a proportion of your database is likely to be non-compliant and require deletion or re-consent. But focusing on re-permissioning rather misses the point of GDPR. If your contacts would not give you their “clear, affirmative” consent, are they honestly valuable prospects or truly engaged customers? Slimmed-down, GDPR-compliant databases are a truer representation of the people who want to do business with you – the ideal springboard for more personalised customer relationships based on trust.
When it comes to lead generation, consider the value you are offering prospective customers in exchange for their data. Creative engagement techniques such as content marketing to draw prospects in and capture their details, whether in-person or online, will play a far greater role.
Myth #3 – “Our CRM provider is GDPR compliant, so we’re covered.”
Many companies are asking their CRM providers if their solution is GDPR-compliant. As it’s your data that needs to be compliant, the question you should ask is “how can our CRM help us achieve compliance?”
GDPR calls for “technical and organisational measures” and a properly configured CRM certainly fits the bill, offering the ability to create a central data register to support auditing and indexing work; automating processing rules to manage preferences and opt-outs; and integrating with your email system. This level of sophistication will prove almost impossible using spreadsheets such as Excel.
Also question any Software-as-a-Service solution providers who handle your customer data - including CRM - about the compliance of their data centres, checking that they are holding your data to strict GDPR-compliant standards especially if any data is held outside the EU.
Don’t let technology eclipse the equally vital need for “organisational” change. GDPR requires an overhaul of policies, attitudes and processes; staff must be trained so they understand the key principles of data privacy and how to adhere to them.
Myth #4 – “We’ve got a mountain to climb.”
For companies in the UK, GDPR is an evolution of the UK Data Protection Act 1998, with a greater emphasis on accountability through transparent, documented decision-making. If your company is compliant with the current law then you are already well on the way. Also, compliance doesn’t have to cost the earth; what’s important is having the right commitment to meeting your obligations by gaining oversight of your data, and improving governance and transparency.
The ICO publishes helpful guidance but if you are concerned about the integrity of data processes within your company, you should seek external support sooner rather than later. Maximizer and Bridewell Consulting’s structured GDPR compliance programme has been specifically developed for SMEs and is staged over 12 weeks. It guides companies through the necessary audits, reviews, process changes and policy formulation.
Ultimately, your route to compliance must allow you to fully embrace the new era of data protection while capitalising on the clear opportunities to enhance customer relationships and drive sales. To quote the UK’s Information Commissioner, Elizabeth Denham: “Those that merely comply, that treat the GDPR as another box-ticking exercise…miss a trick because this is about restoring trust and confidence.”
It is clear that GDPR will have a significant impact on the way companies collect, use, share and store data. The new legislation is likely to involve changes to processes, technical infrastructure and mind-set. Being compliant is a key component to running a credible business - let us help you get GDPR ready. We have a collection of helpful resources to bring clarity to the upcoming legislation.
Sign up for GDPR updates here to have them delivered directly to your inbox.
Check out the Maximizer GDPR information hub web pages for up to the minute information.
For best practice advice, and to review your current processes, take a look at our 12-week GDPR Compliance Programme information.
Alternatively, email our team at GDPR@maximizer.co.uk; they are keen to help you with your compliance journey.
Anthony Young has been in the computer security industry since 2000 and is the founder and Chief Partner of Bridewell Consulting, responsible for the security contract division. Bridewell have proven in-depth knowledge of supporting organisations in various industry sectors, helping them comply with applicable privacy requirements, especially, more recently, around GDPR. With industry-proven methodologies, Bridewell are able to interpret privacy legislation and advise on how it is best applied to each client’s business operations.