Even though the General Data Protection Regulation was adopted on 27th April 2016, only 8% of SMEs have stated that they are ready for when it goes live on 25th May 2018.
This would not be so bad if the other 90+% were well advanced in their preparations for GDPR but, in actual fact, survey results suggest that about a third of SMEs have not even started their preparations yet and another third have only just started their preparations.
GDPR is not necessarily complicated, but it is both thorough and wide-ranging and its nature means that at least some aspects of it are going to apply to even the smallest of companies, which means they need to be prepared for it.
There are two levels of fines for a lack of GDPR compliance. Level one is up to €10 million or 2% of the annual global turnover of the previous year (whichever is higher) and level two is up to €20 million or 4% of the annual turnover of the previous year (whichever is higher).
If that isn’t enough to get your attention, then GDPR also allows for managers to be sent to prison.
While acknowledging that these are maximum penalties for the most serious cases, it’s worth highlighting them to underline just how serious penalties can be under GDPR is when compared to the existing Data Protection Act.
The Information Commissioner’s Office (ICO) will have something of a balancing act to perform in the early months of GDPR. On the one hand, the government will be well aware that these are tough times for many SMEs and that the day-to-day realities of running a business will have led to some small businesses finding it a challenge to allocate the necessary resources to ensuring GDPR compliance.
On the other hand, there is no denying that SMEs have been given plenty of advance notice about GDPR or that they should really have been following many of its principles in any case, since the GDPR is really an update to the existing Data Protection Act, albeit one with considerably higher sanctions for non-compliance.
Only time will tell just how the ICO will go about enforcing GDPR, but common sense suggests it is likely to look more favourably on SMEs that are at least working towards compliance than on SMEs that are just burying their head in the sand.
That being so, SMEs should, as a minimum, start working on the basics of GDPR by undertaking the following steps:
- Performing a data audit – what data do you hold, where and why? Have you established consent for all of it and, if not, what steps do you have to take to obtain that consent (or delete the data)?
- Create a data policy – it doesn’t have to be complicated but it does have to be thorough and written down.
- Undertake staff training – at least for staff who handle data.
- Check your suppliers are GDPR compliant – don’t assume, ask.
- Develop a clear channel of communication for your customers – this is good customer service in any case.