Close Brothers’ research suggests too few SMEs know about changes to the laws around data protection, let alone the consequences of falling foul of the regulations.
Is your business preparing for new European Union laws on data protection, which come into effect in April 2018? If not, you’re not alone – in the most recent Close Brothers Business Barometer, 82 per cent of SMEs said either that they had never heard of the General Data Protection Regulation (GDPR) or that they didn’t understand its implications. Nevertheless, now is the time to start thinking about it.
Groups such as the Federation of Small Businesses have long been concerned about how the GDPR might hit SMEs and have run campaigns to protect smaller businesses from some of its provisions. But while these efforts have achieved some success, SMEs will still need to ensure they’re compliant with the new regulations that affect them.
Now is the time to take action. The GDPR was adopted by the UK in April 2016 and will take effect from April 2018, after which businesses that breach the regulation could face very damaging penalties. City law firm Allen & Overy warns these could be as high as 4% of your annual turnover.
You may decide that your business requires specialist advice, but as a starting point, consider these four priority areas for action:
Audit your current data practices
The main question is, how much of your data would conform to the GDPR right now if the legislation were in force? To answer that, you need to understand what data you have, where it is held and how it moves around your organisation. Look at whether customers have opted in to you holding data on them, and the extent to which this applies across mail, email and phone. Can you show where these permissions came from?
Appoint a data protection leader
It’s crucial that you appoint a senior individual in the company to take responsibility for data protection and compliance. If you have more than 250 members of staff, you’ll be legally bound to have a named data protection officer. However, even if it isn’t mandatory for your business, putting a competent leader in place who has the credibility to drive your firm’s response will be a crucial step.
Address how you get customer consent
The basic principle underlying much of the regulation in the EU’s new legislation is that organisations must have an individual’s explicit agreement to hold or process any data on them. You will therefore need to review your consent forms very carefully – they should give people a clear option for opting in, and unticked or pre-ticked boxes will not be counted as evidence of permission.
Reconsider your customer relationships
More broadly, the evolution of data protection laws is part of a growing awareness amongst consumers that their data is a precious commodity. In future, if you want to hold and use customer data, it’s likely that you’re going to have to prove to them that there’s something in it for them too. Think about how you can show you’re providing value in return for their information.