The General Data Protection Regulation (GDPR) has many small businesses worried, so much so that the small business hotline at the ICO (the Information Commissioner's Office, the UK's data protection regulator) is experiencing long queues. Businesses are realising that the GDPR comes into force on 25 May 2018 and that it is not going to go away.
Many small businesses will be viewing the GDPR as just more red tape that they must negotiate when they would rather be building and selling great products. However, the GDPR should not be viewed solely as a burden. Building GDPR compliance into a business can mean better products and more sales. If implemented well, it allows a company to build customer trust and promote a positive reputation in the marketplace.
The GDPR: why small businesses should care
Small businesses should find it much easier to comply with the GDPR than larger businesses. Typically, small businesses have fewer customers and therefore less data. This means they are less likely to be bogged down with bureaucracy; they can implement changes quickly and take commercial advantage of those changes. It is small businesses that are best placed to turn the GDPR into better products and greater revenue.
However, if small businesses choose not to see the opportunity offered by the GDPR, then sooner or later they are going to realise that they have to take steps to comply with this new law if they want to remain competitive. For example, yesterday we were contacted by a small business client that had been offered a fantastic opportunity to enter into a partnership with one of Europe’s largest mobile phone networks. All was going well in business and product terms until the mobile phone network said that before they could proceed any further, the legal department needed to know what steps the small business had taken to comply with the GDPR. That small business was not prepared. The opportunity is in jeopardy — and this is not an isolated case.
Large companies are typically better prepared for the GDPR. One consequence of this is that large companies are increasingly willing to do business only with smaller companies that can show they have a GDPR compliance programme in place. Under the GDPR a controller may only use processors that give sufficient guarantees of compliance, so large companies cannot take risks with non-compliant small businesses or start-ups.
If the loss of potential business opportunities does not convince small companies to take steps to comply with the GDPR, then the risk of penalties and reputational fallout may do. We do not want to overstate the risk of fines and other enforcement actions (see our article on the topic here). However, under the GDPR all businesses, small and large, will need to report personal data breaches to the regulator (within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals), and the reputational damage that such a breach could cause may have dire consequences for a small business in particular.
GDPR preparation for small businesses
Educate yourself and your staff
The leaders of small businesses should be aware of their responsibilities. This means fully understanding what "personal data" is. They should know whether they are a "controller" or a "processor" (you can find out which one you are in our article here). They should make sure that their staff understand what it means to be compliant with the GDPR and that each of them has a role to play.
Know what personal data you have got and what you do with it
Keep a record of what personal data you process, where it is stored, what legal basis you have for processing it, how long you keep it, who you share it with and what you do with it when you no longer need it.
Make sure that individuals know what you do with their data
Privacy policies need to be drafted to comply with the GDPR. They need to be easy to understand and must tell individuals what you do with their data and what rights they have in relation to it.
Be careful who you share personal data with
Create a list of the companies you share personal data with. Make sure that those companies protect personal data properly and comply with the GDPR. It is important that you have a written agreement with each of them covering how they handle the data.
Make sure that you are protecting personal data
Keep all personal data safe from loss, destruction, corruption, unauthorised access or theft. Your staff should understand what the GDPR means for them in practice: they must keep their laptops physically secure, use only encrypted devices, and never put personal data in personal cloud storage.
Make sure that you can demonstrate that you comply with the law
Keeping records is vitally important. You need to be able to show that you have taken the necessary steps to comply with the GDPR. This means that you should have a suite of records and policies that support and document your compliance programme.
Zzish: turning the GDPR into a competitive advantage
The Privacy Compliance Hub helps businesses of all sizes and in all industries. One of our first customers was a small business called Zzish. Zzish provides an online platform for educational app providers, which is distributed to schools. Schoolchildren and their teachers use the platform to take part in educational games, and the children's progress can be tracked.
This has obvious data protection and privacy implications. After all, we all want to make sure that the personal data of our children is kept safe. At the same time, we want our children to be educated using the best educational tools available. Zzish was quick to see the advantage of being able to say that it uses the state-of-the-art data protection compliance programme offered by The Privacy Compliance Hub to make sure that the personal data of its users is respected and protected at all times.
The Privacy Compliance Hub offers all businesses, small and large, what they need to comply with the GDPR. Please feel free to get in touch for a free demo of The Privacy Compliance Hub, or to discuss how we can help your business comply with the GDPR in a simple, cost-effective way.