SME owners still in the dark about GDPR

The General Data Protection Regulation (GDPR) was brought into force in May 2018 to safeguard the rights of consumers online, it was widely publicised at the time but recent research reveals SME owners are still unaware of regulations

Although many SMEs were seen to implement the necessary changes to adhere to GDPR guidelines, nearly one year on, only 10% of SMEs are aware of the rights the regulation affords to consumers.

So how has this important piece of digital legislation been so widely acknowledged and yet failed to imprint a widespread understanding of what it entails?

Whether you’re a consumer or a small business owner, chances are you’ll remember the flood of digital communications surrounding GDPR. In the months before the regulation came into play thousands of companies sent out emails to consumers asking for permission to continue contacting them, while business owners also received well-meaning guides and countless advice pieces.

With so much information out there, it might seem hard to miss the fundamental meaning behind the new regulation. But the opposite appears to be true — an element of fatigue has set in.

GDPR is among the top 3 “most irritating things online” of 2018

When asked to select the year’s biggest digital irritations, SME owners ranked GDPR as one of the top online annoyances, alongside PPI phone calls and pop-up advertising. Overexposure also seems to have prompted disengagement, with over half of the same demographic saying that they understand GDPR less now than they did six months ago.

The problem is, whether it’s viewed as a nuisance or not, GDPR is now the law. Although the Information Commissioner’s Office (ICO) has been lenient so far towards companies that have been found in breach (waiving penalty fees if the company has taken proportionate action to remedy incidents), the excuses won’t fly for long.

Many companies still not fully compliant

GDPR offer consumers two main benefits: greater security and control over their data, and the legal right to be informed about potential data breaches within 72 hours of them occurring.

Part of what this means is that companies need to do more than just receive consent to store a consumer’s data. They need to have processes in place that will allow an individual to access their personal data from the company (and, if they so choose, erase it) within one month of requesting it.

96% of SME owners don’t know the maximum fine for a GDPR breach

Any company doing the bare minimum (for example, simply updating their privacy policy) could be penalised. For an SME this would likely be the lower tier fine — either up to £7.9m or 2% of their annual global turnover. Lower tier, but still potentially crippling.

SMEs that don’t fully understand GDPR are not only putting themselves at huge financial risk, they’re missing out on an opportunity. Compliance with GDPR doesn’t mean you’re less likely to suffer a data breach, but it does mean that if you do, you’ll be in the best position to deal with it promptly, safely and efficiently. It’s not just about avoiding penalties and fines, it’s about doing your best to protect your customers’ data.

For all enterprises, and small businesses, in particular, arming yourself with as much understanding of GDPR as possible is in your best interests. While it might be tempting to dismiss the new regulation as a lot of fuss for nothing, in an era where data is a more valuable asset than ever, business owners should be considering its safety a top priority.