Find out how SMEs can avoid big GDPR fines and penalties 

25 April 2018

With GDPR now only one month away from coming into effect, Real Business’s first webinar of 2018 focussed on what British business owners need to do to avoid costly fines and penalties under the new data protection rules.

This article was updated on 25 April 2018

Real Business was joined by James Castro-Edwards, a data protection expert and a partner on the data protection team at law firm Wedlake Bell.

He advised company owners on the measures required during the crucial last few months before the EU’s General Data Protection Regulations (GDPR) come into effect on 25 May.

Castro-Edwards kicked off the webinar with a 20-minute presentation on all things GDPR-related, including a background on the legal concepts behind the rules, the new principles behind GDPR and the changes that most businesses will be required to make.

He reassured business owners by stating that GDPR was “more of an evolution than a revolution” of existing data protection laws, and that any business that was already compliant with these would be in good shape ahead of GDPR coming into force.

Castro-Edwards clarified the legal obligations of businesses when using people’s personal information, and how they are to broaden under GDPR.

He said: “It’s very important that as an organisation, you understand exactly what your customers’ rights are, and that you uphold them. For example, if you’re holding someone’s personal data and they ask for it to be deleted, make sure your business has the processes in place to manage those requests.”

The presentation was followed by a lively Q&A session between Castro-Edwards and members of Real Business’s webinar audience. Regarding the use of personal information under GDPR rules, one viewer asked: “If someone hands you a business card at a networking event, does this automatically mean they give you permission to contact them directly?”

Castro-Edwards replied: “It all depends on what the expectations are of that individual. GDPR requires consent of the individual to then sell products and services to them. You’d need a positive affirmation from the data subject to use their information, requiring that subject to take action.

“The consent should be specific and explicit. Strictly speaking, there are quite a few hoops you need to jump through before you can start sending marketing material to people who hand you their business card at trade shows.”

One month until GDPR: Don’t be daunted by data

With just one month to go until 25 May’s GDPR deadline, small business owners should keep in mind the positive changes that the new data protection laws are designed to usher in.

Rather than view GDPR as a potential hurdle for their business, owners should be encouraged by the collective impetus to improve the overall use of data, and excited about the associated benefits of better data.

As Mark Woodhams, EMEA managing director at NetSuite, told Real Business earlier this month: “GDPR should be seen as an opportunity to get the house in order and create operational efficiencies that will help businesses remain competitive and continue to grow in the future.”

“We’re only at the beginning of the data regulation journey. As the use of data continues to expand, it’s becoming more unsustainable for small businesses to put off incorporating data into day-to-day business processes. Those that are hesitant will at best miss out on growth, and at worst may struggle to survive.”