Businesses are collecting more personal data than ever before. But with the GDPR policy coming into effect next year, are small businesses ready to make changes to how they collect, store and use their data?
Could your business take a £310,000 financial hit? If it could, well done. If not, then you’re in the same boat as most businesses out there. That figure is the average maximum cost of a data breach, up from £115,000 in 2014.
The collection and use of personal data has been growing rapidly. Websites, apps, devices – everything we use creates data which is all going somewhere. And a lot of the time people don’t know where or for what reason, leaving a lot of customers unhappy. That’s where the General Data Protection Regulation (GDPR) comes in. It is a new set of rules governing how businesses collect, use and share data from EU citizens and people within the EU. This doesn’t just mean businesses within the EU, but any business globally that does business inside the EU.
So, businesses of all sizes will be subject to a new set of rules when it comes to acquiring, using and storing personal data. It will become active in May 2018 – less than a year from now.
Rising levels of cybercrime are an important factor in the quest for data compliance. The storing aspect of GDPR refers to how businesses keep customer data safe – if there’s a breach and customer data is compromised and you aren’t compliant then there will be fines to pay.
Some SMEs assume that because they’re smaller in headcount and profit margin relative to multinationals, they’re not on the radar of hackers. This couldn’t be further from the truth. If you’re not investing in security, in staff training on how to work securely and in data compliance, then you’re an easy target. In other words, you might not have the same potential value to a hacker, but you might be a lot easier to hack.
And importantly, you’ll be hit by the same fines and penalties from GDPR. Once GDPR comes into force on 25th May 2018, you could be fined up to €10 million (£7.9 million) or 2% of your global turnover (whichever is greater) for lesser breaches. Or for more severe breaches, €20 million or 4% of your turnover – whichever is greater.
Add this fine to the cost of the time your business is out of operation post-breach, to loss of earnings, loss of reputation and loss of customers, and most businesses would be out of action in one fell swoop. Studies from the Federation of Small Businesses (FSB) show that 66% of small businesses have been a victim of cybercrime. Shockingly, a small business will be a victim of four cybercrimes every two years. The amount lost totals billions.
But don’t forget that while data security is a large part of GDPR, at its core, this regulation is about the correct use of data.
The next steps
GDPR is a daunting prospect, but it’s also an opportunity for change. Zach Thornton, External Affairs Manager from the DMA, says that getting prepared for GDPR should be seen as a chance for digital transformation. So, it’s with that outlook that we think it’s time to start taking positive steps and making changes to your business before the May 2018 deadline.
Don’t delay your preparation. It’s essential that you don’t stand still. GDPR isn’t waiting for anyone, so the longer you spend thinking about resources before you begin preparing, the longer it will be before you’re in a better position.
Involve your whole business. Stats from PWC have revealed that 30% of small businesses suffer breaches due to the actions of their staff. Educate people at every level of the business and help them understand why their section of the business is being involved. Marketing departments, for example, may be using platforms like Dropbox, Evernote or Slack, each of which contains its own ecosystem of personal data. This involvement should cover everything from auditing existing data to collecting and using data going forward. The customer experience needs to be first and foremost in their minds.
Auditing is essential. Undertake a discovery exercise to find out where a data audit could save your business. Start by defining exactly what counts as personal data. Currently, that’s any data that can be used to identify a person, such as HR records, customer lists and contact details. The new regulations will also include genetic, mental, cultural, economic and social information. You need to understand exactly what information you hold, which could be anything from old emails to data lists or cookies. You also need to know where it’s held, whether you have permission to hold it, and what processes are involved in acquiring and securing it. This also includes the personal data you collect, hold and process from business partners.
Don’t get greedy. If you don’t need data, then get rid of it. Don’t hold anything you don’t use or that is out of date. Saving data for a rainy day doesn’t help anyone, least of all your business, so if you don’t have a specific purpose for it, it’s time for a clear out.
And don’t assume you have a right to the data you need. There are guidelines appearing for what is and isn’t possible in a post-GDPR world. Make sure you understand the nuances of the regulation, such as being able to provide justification and permission for customer records where that is required. The right to be forgotten enables an individual to request the deletion or removal of personal data when a business has no compelling reason to keep it.
It’s easy to see GDPR as an insurmountable problem. A better way of looking at it is to see it as a chance to do better by your customers and make your business more secure, resilient and agile than ever before.
Everyone is upping their game and adjusting to new rules, whether they’re a florist in Bristol or a data marketing agency in Washington DC. If you’re handling personal data collected within the EU, then you need to get compliant: GDPR will have ramifications for how this data is collected, stored and used globally.
Crucially this will impact the way businesses do digital marketing. By being more transparent with customers and acknowledging that the power balance has shifted, you’ll be able to become a business that customers want to engage with. It’s going to be a time of getting to know your customers better by gaining their trust and consent.
In summary, GDPR is coming. It’s time to do the best by your business and your customers and step up to the task of being compliant. You’ll be in a better position to meet the opportunities and challenges it brings.