GDPR shambles leaves SMEs with compliance concerns

By James Pressley

When the GDPR was first announced, there was a general expectation that a certification scheme would be in place well before the implementation date to award companies of all sizes a ‘kitemark’ of government approval. After all, the change in mindset, marketing materials and technology required to comply with the new regulations – which come into force on May 25 – is no small undertaking, and it is important to SMEs in particular that when it comes to red tape, they’re doing it right.

For those still in the dark, the GDPR is about the EU strengthening enforcement and compliance with data protection legislation across member states to ensure all consumers have their data properly protected. It was assumed that easily recognisable certification seals or marks would be awarded to GDPR-compliant businesses to reassure consumers that their data was being properly dealt with by firms under a government-approved scheme.

This assumption was not born of false hope, but of detailed provisions set out by the EU in Articles 42 and 43 of the GDPR, in which member states are encouraged to establish their own non-compulsory certification schemes.

Each EU country has its own body responsible for this; in the UK, it is the Information Commissioner’s Office (ICO) that is responsible for establishing both a certification scheme and the ‘kitemark’ that would identify a business as being compliant. The scheme was supposed to have been well in place by now, providing companies – many of whom have spent a small fortune on ensuring they’re adhering to the Regulations – with the equivalent of a big tick to officially approve their efforts.

The compliance ‘kitemark’ stamp was to be issued for three years, at which point it could be renewed under the same conditions, as long as the GDPR requirements were still met. However, with less than a week to go, there is still no certification body in place, and no ‘kitemark’ to signal compliant businesses either. Not only does this display a frightening level of disorganisation, it also leaves businesses in a precarious position when it comes to GDPR.

The fines for non-compliance are huge: up to €20 million or 4% of the company’s global annual turnover for the previous year, whichever is higher. SMEs are frightened that, despite their best efforts, they may have overlooked something that will land them in hot water.

Many businesses who want to make sure they are doing the right thing have turned to supposed ‘GDPR specialists’, who claim to have government accreditation. The ICO has not yet certified a single body authorised to declare businesses GDPR compliant, so employing ‘GDPR specialists’ now could well be a waste of money.

The ICO would argue that it has produced guidelines on its website and put a helpline in place for SMEs and charities, but that is no substitute for the detailed analysis that firms would need in order to receive the accreditation that would assure them and their customers of their compliance.

Businesses do all they can to comply with what can often seem like endless red tape. The very least that the government can do is to confirm they’ve got it right.