Recent research carried out by the Federation of Small Businesses reveals that as many as 90% of small businesses may not be prepared for the new General Data Protection Regulation (GDPR) that comes into force across the EU on 25th May 2018. And 18% of SMBs are completely unaware of it.
Though these figures are quite startling, they’re not really surprising. Having been charged with developing a strategy that ensures Knapton Wright is in line with GDPR when the time comes, I think the reason for this may be two-fold.
Very Little Publicity
Firstly, given that it was adopted almost 2 years ago, the lack of publicity surrounding the biggest change to data laws in 20 years is quite astonishing. In recent weeks, I have noticed a little more hype around the subject, but then the deadline is looming.
With many changes to laws and procedures governing how businesses and individuals work in the UK, gov.uk is there to alert and guide us, but with GDPR, there seems to have been a distinct lack of notice and advice.
It may not be riveting dinner party talk, but the subject has rarely even come up amongst friends who run or work in small businesses.
Too Much Conflicting, Confusing and Unreliable Information
Secondly, having said there seems to be little fanfare surrounding the introduction of GDPR, there is a huge amount of information available across the internet on the subject, but which should we trust?
Should we trust articles written by IT consultants or law firms, or are they simply trying to scare us into spending our money with them in return for an assurance that, if we do, we’ll be compliant?
If we opt to go it alone, which areas should we prioritise? How will this affect employees? How likely is it we will be fined? Should we employ a data controller? Question after question.
I have been trying to tackle the tangle that the whole topic has become in my head since October 2017, and in those 7 months, nothing really became any clearer (in fact, I got more anxious the more I read). There seemed to be so much to do, with shockingly large penalties if something gets missed.
The only resource I have found to be useful is the ICO, which provides various ways to prepare for the GDPR. I know I can trust it (as it is an independent authority working for the public interest), and that it won’t try to charge us for advice and information.
And then last week, I attended a great free GDPR information event at the local college, and all of a sudden, I feel quite calm about it all.
We’re all in the same boat (well, probably about 95% of us)
Everyone who attended the event was there because they were in some way struggling to get to grips with the new GDPR and its implications.
They were all intelligent people, running or working for successful businesses, simply trying to understand a subject they hadn’t had to give a great deal of thought to in the past.
We can’t all afford to hire specialist GDPR consultants, but we can protect our clients’ data by ensuring we always make our best efforts to follow the guidelines set out by GDPR, as we have done for the Data Protection Act.
The discussions I had with the course leader and other small businesses at the event helped me to clarify the steps we need to take with regard to our own customers to achieve this.
And all our efforts to comply with the regulation will be taken into account
Our attendance at the event is testament to the fact that we take the new regulation seriously, and the result is that we are now armed with more information than we had before about how to handle client and employee data even more sensitively and effectively.
Paperwork and certificates from the course would prove this should we ever be challenged by the ICO in the future, and will help to reassure our clients that we take their privacy very seriously.
No business will ever be 100% compliant
As the new GDPR beds in, data protection cases will continue to come up in courts of law, which will test how robust it is, and in all likelihood, amendments will have to be made.
Therefore, even if you think you’re 100% compliant on 25th May, you probably won’t be a couple of months down the line (but you won’t be too far off either).
A lot of GDPR advice is common sense
Much of the action required in order to try to meet the new GDPR is already part of the routine of our business.
We change our device passwords regularly, keep our anti-virus software up to date, lock away USBs, do not allow personal mobile phones to be charged on company laptops and so on.
I am simply documenting these rules and they will become part of our business GDPR policy.
Ensuring that our clients’ data continues to be well protected and that our efforts meet the requirements of GDPR is paramount, but I’m determined to remain calm in the face of GDPR.
“It always seems impossible until it’s done.”
Knapton Wright Ltd.