27th August 2018

GDPR. So what now?

These are exerted from an article by Nicola Hartland, CEO and Founder, Data Support Agency on what’s next for SME’s in relation to GDPR.  

There’s been so much discussion about becoming compliant that little is known about what to do in a world post-25th May. But the impact of GDPR is coming and it’s important to know what to expect. So, what happens now the deadline has passed?


Those who are still non-compliant

In February, the Federation of Small Businesses (FSB) revealed that 90% of small firms were not prepared for GDPR. On enforcement day, this statistic hadn’t much improved with FSB national chairman, Mike Cherry, stating: “the likelihood is that many of the UK’s 5.7 million smaller businesses will not be compliant”.

The confusing nature of the legislation doesn’t help things either. The regulation is based on general principles rather than stringent rules meaning that organisations have to interpret what they need to do to be compliant. For small businesses in the run-up to enforcement day, this meant cherry-picking aspects of the legislation that appeared to be the most important. So, post-25th May we can expect many small businesses to continue with their compliance procedures.

Many SMEs would be relieved to hear that the ICO is not looking to make an example of small businesses who fall foul of the new law. This is indeed reassuring for both small organisations who failed to get their data house in order in time for GDPR D-Day and those who could be at risk of a data breach due to a lack of in-house knowledge.

The ICO has stated that in GDPR’s first year, they’ll enforce the law by advising rather than penalising. So, rather than toss their compliance plan to the bottom of the in-tray, SMEs should see this statement as an opportunity to play compliance catch up.


Surge in reporting?

The impact of GDPR in practice has become transparent in the last few weeks i.e. the flood of emails with updated privacy policies while begging subscribers for consent. Many businesses may over-comply due to penalty anxiety engendered by media reports. This could result in a surge of breach notifications as small businesses start to detail instances to the ICO that don’t require reporting.

Additionally, data subjects may be keen to take advantage of the new rights they’ve acquired, whether it be asking organisations to delete all the data they hold about them or exposing companies of non-compliance. The latter was the case of an Austrian activist accusing Facebook, Google and their respective subsidiaries of data breaches on enforcement day. If an organisation doesn’t respond to a data subject access request (DSAR) within 30 days, the data subject can file an official complaint with the supervisory authority.


Future challenges

It’s likely that individuals will increasingly take advantage of their newly bestowed data autonomy by exercising access requests. However, an increase in SARs could strain the infrastructure of many small businesses if they haven’t implemented a smooth process for responding and monitoring them. As such, it’s paramount that a resilient process is in place for businesses to act quickly.

GDPR compliance is expected to act as a figurehead for strategic decision-making as organisations start to choose to work with a business who demonstrate a commitment to data protection over their non-compliant counterparts. For instance, demonstrated data compliance would give a supplier business advantage over its non-compliant competitor. Similarly, GDPR focussed supply chains are more likely to retain and win contracts than those who are not. The message here is to always consider correct data policy as an integral element of business strategy rather than viewing 25th May as the finish line.

Over time, many companies will realise that they need resource aid – whether it be identifying data oversight or the integration of new policies into business procedures.


Moving forward

According to Eduardo Ustaran of Hogan Lovells law firm, the GDPR legislation is four to five times more complex than existing law. Adopting GDPR is going to be a learning process and inevitably it will take small businesses time to find their feet.

But now that the enforcement date has passed, and the initial sense of panic has dispelled, SMEs have the opportunity to start or progress their GDPR project in a structured, properly thought out way that is tailored to their organisation. The legislation will continue to be updated and the Government has confirmed that after Brexit the GDPR will still form part of UK law. As such, small businesses would be wise to keep an eye on the latest updates, the ICO website and the FSB website for amendments.


So where are you on your journey?  Are you reaping the benefits of working towards GDPR compliance?


Fatal error: Uncaught Error: [] operator not supported for strings in /homepages/19/d588205677/htdocs/app588206100/wp-content/themes/layerswp/core/helpers/post.php:56 Stack trace: #0 /homepages/19/d588205677/htdocs/app588206100/wp-content/themes/layerswp/partials/content-single.php(72): layers_post_meta(354) #1 /homepages/19/d588205677/htdocs/app588206100/wp-includes/template.php(772): require('/homepages/19/d...') #2 /homepages/19/d588205677/htdocs/app588206100/wp-includes/template.php(716): load_template('/homepages/19/d...', false, Array) #3 /homepages/19/d588205677/htdocs/app588206100/wp-includes/general-template.php(204): locate_template(Array, true, false, Array) #4 /homepages/19/d588205677/htdocs/app588206100/wp-content/themes/layerswp/single.php(21): get_template_part('partials/conten...', 'single') #5 /homepages/19/d588205677/htdocs/app588206100/wp-includes/template-loader.php(106): include('/homepages/19/d...') #6 /homepages/19/d588205677/htdocs/app588206100/wp-blog-header.php(19): require_once('/homepages/19/d. in /homepages/19/d588205677/htdocs/app588206100/wp-content/themes/layerswp/core/helpers/post.php on line 56