GDPR – Dispelling the myths Pt I

By Mike Richardson, Managing Director EMEA, Maximizer Software

The EU General Data Protection Regulation (GDPR) comes into force on May 25 and is the most significant change to data protection legislation in Europe for over two decades.

But in our recent experience, many SMEs are still unsure what the regulation means for them. In most cases, the simple fact is that ‘business as usual’ is not an option. Privacy, security, accuracy and accountability – these are the overriding values of the GDPR and must be instilled into your company and its operations at every level.

Working in partnership with Bridewell Consulting to help companies embark on their compliance journey, we’re encountering some misapprehensions surrounding the GDPR – so over the next few weeks, we’ll dispel some of the common myths and suggest how you can turn your compliance responsibilities into an opportunity to reap greater business value from your data.

Myth #1 – “It doesn’t apply to SMEs.”

First and foremost, we need to address the fundamental misconception that the GDPR doesn’t apply to small businesses. In fact, GDPR is designed to govern how every organisation treats its personal information, putting individuals firmly in charge of the way their data is used.

The size and location of your business is irrelevant; if you hold personal information on individuals in the EU, as consumers and employees, then the regulation applies. In practice, this means that the principles guiding how data should be collected, processed, shared and stored apply to virtually every business within the EU, as well as those beyond Europe that process data on individuals within the Union.  There’s no exemption for small businesses or sole traders.

We are certainly finding that many SMEs have their heads in the sand at the moment – but the reality is that GDPR represents the dawn of a new era of data protection and with under 100 days to go until the enforcement date, you do need to get up to speed with your responsibilities.

Quite apart from the statutory side of the regulation, compliance could become a make-or-break factor in securing business in the future. Why? Under GDPR, both data controllers and data processors shoulder compliance responsibility, with either or both being liable to pay compensation or fines.

So if you are a “data processor”, for instance a supplier handling personal data for your clients, then you will find that the data controller will extend its scrutiny of data practices to your business, as a third-party processing data on their behalf. In practice, thousands of contracts are being rewritten to incorporate GDPR compliance, so processors need to get their data houses in order if they are to meet what will soon become a standard contractual requirement.

Equally, if you are passing sales leads to business partners you need to ensure they are also GDPR compliant. It is clear that every SME will not achieve full compliance by May 25, but what’s important is to understand your obligations now so you can start assessing what data you hold, whether it is lawful to do so, and what changes you need to make.

For most companies, the processes necessary for GDPR compliance can deliver many commercial advantages. After all, data is the lifeblood of most organisations these days and how many SMEs are truly confident of the accuracy and consistency of their databases? This is the perfect opportunity to take control of sprawling (and in some cases, disparate) data repositories and to engage at a deeper level with your contacts.

GDPR-compliant databases will result in less wastage from your sales campaigns, improved targeting and warmer leads. What’s more, taking a proactive attitude to giving your contacts control of their data can only enhance your customer and prospect relationships. As the UK’s Information Commissioner Elizabeth Denham puts it: “Those that merely comply, that treat the GDPR as another box-ticking exercise…miss a trick because this is about restoring trust and confidence.”

Coming next: Myth #2 – “We’ll have to re-permission our entire database.”