GDPR beyond compliance need: a value-adding tool for SMEs
04 November 2019
It was difficult to miss GDPR coming into force last May. The press was awash with horror stories on what could go wrong. But shall we take a look at what's 'right' about GDPR?
Many entrepreneurs saw the GDPR fuss as yet another obstacle to doing business and were of the view that it was Y2K all over again.
But just as computers didn’t all crash on 1 January 2000, businesses did not stop marketing on 29 May 2018. More than one year on, what are we to make of GDPR?
Is there a high risk of fines and sanctions by the ICO?
There have been some very large £100m+ fines for British Airways and Marriott hotels from the ICO, and elsewhere in the EU, Facebook and Google have also been fined significant amounts.
Fines set ‘an example’
The ICO continues to impose lower level fines but in small volumes, and generally more as an example to others. The threat remains where bad conduct is at scale and deliberately ignores data protection rules, but more widely, businesses could be forgiven for thinking that consequences are unlikely to materialise.
Before GDPR is relegated to the bottom of the pile, however, it is worth considering the business case. Compliance can bring several business benefits to SMEs in all sectors:
1. Data mapping
One of the disciplines new to most businesses preparing for GDPR was understanding where personal data was held and why. Previously, hard copy filing, IT filing and archiving tended just to be added to when the last file was full. Most businesses tend to keep things just in case. In practice, this means far too much is kept and it is difficult to find important things.
Throw staff turnover into the mix…
Staff turnover and a lack of filing discipline in common systems can cause even more confusion. The data mapping process can identify unnecessary duplication and redundant storage, making retrieval easier and saving on cost.
2. Data security
A key aspect of data mapping is spotting where there is a high risk of a data breach. A company is liable if it loses someone’s personal data and has not taken reasonable steps to protect it. This leads neatly on to cyber and data security.
Many IT companies will offer cybersecurity checks but it is important to understand the value of the data that might be lost.
Valuables are stored in a safe while paperclips are kept on the desktop, and the same rules apply to data. Security should be proportionate to the value of the data being held to get better value from IT spend.
3. Subject access requests
Under GDPR, individuals have the right to be provided with all data held by a business that refers to them. In this scenario, data ceases to be valuable and becomes a liability. It is like discovering a building has asbestos.
The action to take is to get rid of as much asbestos as possible and then manage the remainder so that it is less of a threat. It is exactly the same approach with personal data.
Some documents will need to be retained for legal reasons, financial ones for 6 years for example, but anything older can be disposed of. A retention policy will help inform activity and help to minimise costs.
4. Understanding the legal basis
There are several legal bases for using personal data. The main areas relevant for most businesses are consent, contract and legitimate interest. It is important to know which basis you are relying on. Use of personal data by a website requires consent but employees and customers are far more likely to be covered by the contract.
Think about the ‘risky areas’
Marketing can be covered by legitimate interest. Each area requires a different legal basis and staff need to know which one applies to their responsibilities. This will cut down on unnecessary cries of “we can’t because of GDPR” but encourage the team to stop and think about the riskier areas.
On this basis, an annual briefing on GDPR should save time and money.
5. Confident marketing
The ICO does not want to stop marketing taking place but it does want to stop bad marketing that ignores the rights of individuals. It is best to be sure of your ground, which also provides confidence for sales and marketing people that they are acting legally.
They need to understand the data protection rules for websites, telephone, email and hard copy marketing because each channel has specific issues.
GDPR isn’t a restriction…
Directors need to be confident that risks are being considered and managed. GDPR has proven a headache for businesses of all sizes and in all sectors, as few realise that putting GDPR-compliant processes in place can add value to their business and improve financial efficiency.
Tackling the misconception that GDPR poses more restrictions than it actually does is a key step towards creating a healthier and more productive relationship between SMEs and the new regulation. In reality, there are good business reasons for every organisation to get GDPR ready.