Updated: Feb 14
When the EU fully enforced the GDPR back in May of 2018, there was much speculation and doubt about the consequences, and about whether SMEs would need to adhere to the full extent of the regulation. A common misconception that followed was that the GDPR was a data privacy law that would only look into the data protection practices of big multinational enterprises. Now, over a year after its enforcement, we are able to see the first results on the extent to which the GDPR applies to each type of business, and what best practices businesses can turn to in order to stay aligned with their obligations. In this blog post, we look into the important points SMEs should know about the GDPR and how the regulation can be turned into a benefit, rather than a burden.
With the big multinational companies taking huge blows from GDPR-related fines, such as Google’s €50m fine from the CNIL or the €204m fine issued to British Airways, it is a common misinterpretation that the GDPR only takes its toll on larger enterprises. On the other side of the spectrum, hefty fines on a different scale have also been issued to smaller businesses. For instance, a €400,000 fine was issued by the CNIL to the real estate firm SERGIC, and a smaller performance advertising company, QuickClickNow, has been hit by a €47,000 fine issued by the Polish Data Protection Authority.
Research conducted by GDPR.EU in May 2019 looked into how prepared SMEs in Spain, the United Kingdom, France and Ireland were for the GDPR. The research showed that around half of the SMEs in these markets were not GDPR compliant on two crucial requirements: describing data processing activities to data subjects in clear, understandable language, and identifying a lawful basis for using someone’s data.
The research also found that 27% of SMEs had spent around €1,000 on compliance efforts, 24% had spent around €10,000, but 10% had not spent any money at all. Most of the SMEs that had invested in their compliance efforts expressed that this investment did not dampen their growth; instead, it has made the organisations more confident in their data handling.
The must-knows for SMEs on the GDPR
The GDPR does not necessarily have a “small business exemption”, as SMEs with more than 250 employees must abide by the GDPR just as other larger companies would. However, the GDPR does point out a few differences for SMEs with fewer than 250 employees. It is important to note that this does not make the business exempt from all the other aspects that have been set out in the GDPR. Below are some of the key points regarding the differences:
• Companies with fewer than 250 employees do not have to keep records of their processing activities unless the processing of personal data is a regular occurrence/activity, poses a potential threat to individuals’ rights and freedoms, or includes sensitive data or criminal records.
• SMEs large and small are required to appoint a Data Protection Officer only if processing is their main business and it may also pose threats to individuals’ rights and freedoms. An example could be monitoring individuals or processing sensitive data or criminal records, in particular when done on a large scale.
• As mentioned earlier in the blog post, a study revealed that SMEs oftentimes have trouble identifying legal bases and, as a result, overlook the importance of knowing one when it comes to processing data. Taking time to look through the legal bases is a must for all data-driven SMEs.
Importance of Embedding the GDPR into an SME’s culture
Taking the necessary steps to ensure a much more data-privacy-oriented work ethic is vital for SMEs. Businesses should be aware of the responsibility that the GDPR sets out for them. The perception of the GDPR as another safeguard/obstacle that the company has to get over should be changed. Instead, the GDPR could be seen as a key influence on corporate identity and a helpful push towards becoming more conscious of data protection and privacy.
Just to give a few examples, numerous benefits for business growth have been shown for businesses that consciously invest in their efforts to comply with the regulation. In fact, research has shown that businesses that show a significant amount of transparency to consumers get a significant amount of trust in return. Below are some of the top benefits the GDPR can bring for SMEs.
Target marketing is done more effectively
One of the key requirements of the GDPR is that businesses that collect personal data from individuals must have specific opt-in consent from those individuals in order to collect and store such data. Specific opt-in consent is also needed for companies that want to use such data. This consent must clearly lay out why such data is needed, just as it must lay out what it is being used for. Despite it likely being a lengthy process, this can be seen as an opportunity to be more focused with marketing strategies. By taking the necessary steps to ensure consent and transparency on the data that is being collected/used from customers, you will have the chance to experiment with tailoring your message to the specific needs of the audience, which may result in higher engagement, higher trust, and an overall higher opportunity to grow.
Strong structured data management
Businesses are required to be aware of the data they hold on individuals. With this responsibility, businesses must audit the data they have. By auditing large amounts of data with utmost care, there will be a better structure to the data management processes. Data should also be stored for a period of time that takes into account the reasons why your business needs to process the specific set of data, as well as any legal obligations that will allow you to keep the data for a fixed period of time. The GDPR strongly highlights the importance of establishing time limits to delete or review the data that has been stored, giving businesses the obligation to have a complete, thorough overview of all the data.
Building an overall trust and strong relationship with customers
Being GDPR compliant will support the growth of the business by helping you create a more trusting relationship with customers and potential customers as well. Gathering consent to use data subjects’ data, taking the necessary safeguards to protect data and using the data to create a more tailored experience for the audience will ensure stronger relationships. As individuals become more and more aware of how their data is handled, highlighting your stance on transparency may be a differentiating factor from competitors.
We see that the GDPR is something to be embedded into the culture by companies large and small. As the need to ensure data privacy continues, companies must also keep up with requirements and make the necessary adaptations. Not only should the GDPR be seen as a push to further data transparency, but it should also be seen as a push to encourage a data privacy culture in the workplace.
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.