As a private individual, there are a lot of positives with the new regulations, but as a Managing Director of a small business, I should be appalled. Apparently. Well, at least according to the incessant parade of scare-mongering messages which arrive by email on a daily basis.
The reality is much more straightforward - yes, of course any new regulations carry some administrative overhead to ensure compliance, but in this case, for us at least, not so much.
We already fully comply with the existing Data Protection Act and are registered with the ICO. As a market research business we frequently manage customer lists or employee data for clients when inviting participants to a survey.
As corporate email address information is broadly not covered by GDPR (well explained by Electric Marketing in this blog post), most B2B businesses will not have too much work to do. Consumer-facing businesses are more affected, since they are more likely to hold personal email addresses, which are covered by the new regulations.
However, once you have:
- appointed a Data Protection Officer (even if you’re a micro business, there should be someone responsible for this; our DPO is Laurent Cargill, Operations Director);
- made provision for the right of access, right of amendment and right of removal in the event you are using personal data (our surveys now come with opt-out links, information about how to request access to data held, including survey responses, and how to request that data is removed).
There may be other elements depending on individual business circumstances, and although for us the list of actions turned out to be minimal, every business should go through the ICO checklist.
But getting prepared is not that hard or scary, despite the many hundreds of emails you will probably also have received suggesting the “world is going to end”. You almost certainly don’t need to turn your business model upside down, request expensive legal advice or take out loans to pay for third-party advice to help you get prepared. (Yes – someone is marketing loans to small businesses so they can “afford GDPR”!)
Start with the ICO checklist, take action now and don’t be put off by the concerns that it will take too much time and effort.
The penalties are serious, and GDPR should be taken seriously, but the incessant, strident tactics of fear are out of proportion. Even if a business is not fully compliant as of May 25th, making appropriate efforts to get compliant is likely to mitigate any fines. The biggest risk is doing nothing.
If you would like to discuss the work we’ve undertaken to adjust our Data Protection policies for GDPR compliance, please use the contact us page or reply to this email and we’ll be happy to chat it through.
We will shortly be sending out a survey to contacts on our mailing list, giving you options for receiving communications from us and highlighting which types of information are of most interest. Please take part, as this is one of the steps we’re taking to be as fully compliant as possible, even going beyond GDPR where we can.