It’s official, the EU General Data Protection Regulation (GDPR) is now less than one year away. As the countdown to implementation intensifies, speculation over how the regulation will affect businesses continues to make headlines. While it is inevitable that small businesses will be affected, they can limit the negative consequences by understanding the regulation and putting thorough preparations in place.
From May 2018, when GDPR is due to be implemented, fines for non-compliance could reach €20 million or four per cent of annual turnover, whatever is higher. It is therefore particularly important that small businesses are prepared as fines of this size could have crippling consequences, not to mention the irreparable reputational damage caused.
So, what can be done to prepare?
Data audit
Firstly, GDPR applies to all businesses, from independent coffee shops operating public wifi networks to larger corporations handling any type of Personally Identifiable Information (PII). Small businesses would be well advised to conduct a full audit of the data they currently hold and understand what their information estate looks like.
It is essential that they are clear on the information they store, how it was obtained, how it’s processed and where it’s stored. All data should be able to show a full audit trail. It is vitally important that small businesses address awareness around data protection and regulation as even honest mistakes could cost a significant amount of money once GDPR is in place.
Obtaining consent
Obtaining consent is a key focus of GDPR. The regulation clearly states that consent and or a valid legitimate interest to process data needs to be in place, along with good data protection practices. Privacy policies and fair processing notices need to be open, honest and transparent of what the data will be used for. Hiding consent in the small print and confusing wording just won’t cut the mustard anymore.
Customers must also be provided with clear options to opt-out at any time, respecting the wishes of the consumer is paramount to gaining trust and long-term loyalty. Small businesses also need to ensure that they have procedures in place to suppress details of customers who decide to opt-out and that those wishes are respected.
Ultimately, it’s a question of trust; businesses need to prove they will store information responsibly. Customers also need to be aware of the benefits and value of sharing their personal data. By analysing and segmenting existing customers, businesses can conduct highly-targeted marketing campaigns.
Using information on lifestyle characteristics, attitudes, buying behaviour and communication preferences, businesses can build on the unique relationship they have with each customer, but customers need to be aware this is what their data will be used for. Businesses can then identify and nurture the most receptive customers to ensure a profitable long-term relationship and build brand loyalty.
Data portability
Data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. This is another clear focus of GDPR, and means that small businesses will be obligated to hand over personal information to competitors, at the request of the customer. Instead of worrying about the risk of losing customers, small businesses should view this as an opportunity to win new customers from their rivals. Again, procedures must be in place to ensure that information can be easily accessed and transferred if and when necessary.
Counting business days
A year may sound like a long time, but counting the actual business days before implementation highlights the need to prepare now, and that now stands in the region of 160 days. This is widely considered to be the biggest data shake up of recent years and will impact businesses big and small. While it should have positive long-term implications, businesses should not underestimate the preparation required to avoid fines for non-compliance and need to remember this will be a regulation not guidance.
Such a significant change in legislation is likely to require a shift in office culture. For many, abiding by GDPR will require a drastic change in the way customer information is managed and how consumers are contacted. It is vital that all employees, regardless of level of seniority, are aware of the changes and the severity of potential fines.
This is particularly important for small businesses, who often don’t have the capacity to dedicate a department to compliance or the funds to pay for costly fines. Data protection and information management is a companywide matter not just confined to the compliance department.
This may sound daunting, but it is important to remember that GDPR is designed to improve customer relationships. Small business could experience a decrease in the size of their customer database, but they have little to gain if consent wasn’t transparent when obtained. Quality over quantity will come in to play and remaining customers are likely to be much more open and receptive to marketing.
At a time when trust is at an all-time low, preparing for GDPR is a great way to demonstrate transparency and build profitable relationships with both new and existing customers. Those who use the next few months wisely have nothing to fear once GDPR comes into force.
Andrew Bridges is data quality and governance manager at REaD Group