Is your organisation ready for the upcoming regulation?

A recent survey revealed that 39% of SMEs are still unprepared for the General Data Protection Regulation (GDPR), so what should they be thinking about in the final six months? 

The GDPR has been discussed with increasing urgency for over 18 months, across both mainstream and specialist media outlets. It’s the biggest change to European data security in two decades. Every UK business will need to adhere to its requirements. Although it is an EU regulation, its impact will also be felt much further afield. Despite this, recent research has shown that two out of every five firms, equivalent to 2.1m small businesses in the UK, have not started to plan for the GDPR deadline of May 25, 2018. But with six months to go, it’s not too late to get yourself up to speed and start making the right preparations for your company. Here’s how. 

Consent and legitimate interests


The first thing to do is consider whether your company needs to collect opt-in consent when marketing - or can they explore alternative methods? Under the GDPR, processing based on consent creates the potential obligation of the right to erasure. This may be something that some businesses may struggle to handle effectively if they don’t have the resource. Results from the survey showed that most business owners (69%) plan to contact customers directly for consent to retain and process their data. These organisations plan to use a combination of methods which include: doing it via email (70%), by phone (43%) and letter (38%). Worryingly, nearly two thirds (61%) plan to use ‘legitimate interests’ as a form of consent.   

Legitimate interests can be used as an alternative to consent but only in specific cases. The GDPR states: “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. In these instances, organisations would need to conduct a balancing test to consider the expectations of the individual. It could also be cited if the organisation can evidence there is a relevant and appropriate relationship to warrant marketing, e.g. the individual is a client. Alternatively, it could work if there is evidence that the individual has a reasonable expectation that their data will be processed. However, if SMEs are in any doubt, there are more robust conditions for processing to use. 

Soft opt-in   

Legitimate interests should lead organisations to consider their use of the ‘soft opt-in’. Like legitimate interests, this is a form of processing that isn’t based on consent. SME’s must remember that it’s only OK to use this if they’ve made sales to, or had negotiations with, consumers or people at the business they’re contacting. Its purpose is for email correspondence – otherwise it should only be used via the same channels as the original point of sale or negotiation. As a rule, ‘soft opt-in’ is fine if the organisation gives the individual the opportunity to opt-out at each stage of communication. 

Data mapping and cleansing 

As part of the General Data Protection Regulation, organisations will need to map their data and information flow. Small businesses should look at the different data types data they hold, e.g. name, email, address, etc. and determine what category it falls into (different sectors and locations etc.). They also need to map the data via format, transfer method, location, accountability and access. It can be a challenging task, but by doing this they can truly assess the potential privacy risks. Mapping is also the first step in completing a Privacy Impact Assessment (PIA) (mandatory for some types of processing). 

Results from the survey revealed that 30% of the SMEs had paid a consultant to conduct a PIA, whilst 15% had done so themselves using an ICO template. 27% of those survey said they hadn’t completed a PIA yet but planned to, while the remaining 18% didn’t know what it was.   

It’s good practice for small businesses to review whether the data they currently hold is excessive. The organisation should ask themselves if the records they have on file are becoming outdated? If so, they could consider removing unneeded information and having a cleanse. It will be much easier to stay GDPR compliant with a light but accurate database.   

Write or review procedures 

Of the SMEs surveyed, nearly three quarters (73%) do not have detailed documentation to evidence their GDPR compliance. Worse still, over two thirds (64%) of businesses have no plan in place for customer data breaches. This is alarming considering the frequency of (reported) breaches in the news of late. These data breaches highlight the importance of having an effective communication strategy so those affected can update their records. Not only will there be significant fines for data breaches under GDPR, but also for not having a documented process to prepare for one. In addition, there is still time to employ a Data Protection Officer (DPO) who can help document these processes for you.   

Many have taken this approach already. According to the survey results, over a quarter (27%) of SMEs said they had hired new staff to help prepare for GDPR. This equals a spending, on average, of £13,300 on salaries so far. Consequently, over half (54%) now feel they have the right GDPR expertise in-house. Half of those questioned have also invested in expert guidance or consultancy, spending almost £8,000 each on fees to date. 

Although GDPR is an update on existing legislation, any existing policies should also be reviewed. These documents should cover areas like data transfer, staff training, data deletion, data protection, data security, data breaches and disaster recovery. Getting policies and internal processes right is an essential part in preparing for the GDPR and potential audits. For example, when dealing with personally identifiable information, we recommended putting a central asset register in place. This gives everyone in the business an understanding of how the data was received / is used, who has access to it and how long it should be kept for. Importantly, it would also include confirmation that data has been deleted.