Is your small business ready for GDPR?

As consumers, we share an increasing amount of data with businesses. Generally, it’s our choice, and often gives us an improved, more personalised customer experience – storing bank details on an ecommerce website for faster check out, for example, or providing our date of birth to a favourite restaurant to receive vouchers on our birthday. Now, the stakes are higher than ever for those businesses collecting this information.

For European businesses of all sizes, it has never been more important to protect customer data. Even organisations that have robust processes in place need to assess their processes and systems, policies and procedures, as the EU’s General Data Protection Regulation is becoming law. This Regulation applies to all processing of personal data, from collection, through to storage, distribution, retention and protection of data, security and cross-border data transfer. Those that don’t comply may be hit with huge fines, as penalties will range up to 4% of global revenue.

Adding to the potential cost is the fact that some businesses already feel pressured by the impact of the EU GDPR: a recent study found that up to 77% of businesses in the UK felt it added a financial burden to their business. 66% of businesses in France and 61% in Germany also felt the financial pressure¹, with the need to make new investments in people, technology and processes a major concern.

Even the UK’s vote to exit the EU is no reason for organisations not to take action, as the Regulation focuses not only on where the data is located, but to whom it applies – and if it applies to EU citizens, then you need to be compliant. If your organisation does business with anyone in the EU; stores or processes personal data as part of that business, such as monitoring consumer behaviours or targeting advertising or websites at them; or employs EU citizens, the Regulation will still apply.

So, what does your business need to do in order to comply with the EU GDPR and avoid incurring hefty penalties? Here are a few initial suggestions to ready your business for the impending change:

  1. Assess the structure of your organisation and the skillset of your staff: businesses need to consider appointing data protection officers if they don’t have them already. Think about who in your organisation has the skillset to take on this role. Data protection will become a Board-level matter.
  2. Educate your business: start training your teams now so they can respond swiftly and accurately should they take a request from a customer to access, correct or delete their data or take it with them to an alternative provider.
  3. Review your governance and procedures, update privacy notices and consents, introduce privacy impact assessments on new products and services, and adopt best practices: clear desk policies, for example, help minimise risk as staff lock away all documentation at the end of each day.
  4. Make sure your physical communications are secure: data in both digital and physical form need to be managed, maintained and protected. Research shows that almost a quarter of security breaches relate to paper-based documents². When it comes to mailing physical documentation, File-Based Processing is more accessible for smaller businesses thanks to advances in technology. It can have built-in document integrity with verification checks and a complete audit trail for mailings. Consider secure printing, too, and look at secure archiving for historic documents.
  5. Check your systems are fit-for-purpose: human error is one of the biggest causes of data breaches. Make it easy for staff to protect the data they generate and manage. Measures ranging from robust firewalls, encryption techniques and password protection to VPNs and cloud storage are standard practice for businesses of all sizes now.
  6. Document and communicate a clear, fast and structured process in the event of a data breach taking place: how would staff report it? How would your business respond? How would you communicate it to customers and regulators in line with the new notification requirements? Would you have individuals available to manage communications and social media? What preventative measures could you take to stop the breach happening again?
  7. Consider mobility: although it may not be top of your agenda now, there will come a time when your staff want to work flexibly. Make sure your client data is protected however and wherever staff are accessing it.

The EU GDPR is there to protect your clients, your business and your own personal information. Taking steps now to implement controls, processes and best-practice management can provide your organisation with a strong, secure, robust foundation for growth.

For more information, ideas and insights head to

DISCLAIMER – This communication is not designed to provide legal advice and you should not take, or refrain from taking, action based on its content alone.