How to handle GDPR at a new business

Your email inboxes have probably been filling up in recent weeks with notices from companies and organisations begging for your consent under everybody’s favourite new set of EU rules – the GDPR.

Unless you’ve been living under a rock, you are probably aware of the extra requirements these regulations make of any organisation that handles or processes its customers’ personal data, namely to implement rigorous measures to ensure data is protected and, as many of those emails assume, to re-obtain permission from users to store their information.

That being said, for many small business owners GDPR has barely registered on their radars – at least this is what a new survey conducted by Ipsos for Shred-it’s Security Tracker has found.

A survey of 1,000 small business owners in the UK found that a staggering 22 per cent of SMEs are entirely unaware of the requirements of the regulation. Though this drops to only 12 per cent for London SMEs, the figure soars to 30 per cent in the Midlands.

Such firms are also unlikely to have a data privacy policy (only 45 per cent of small businesses do, says Ipsos) and 35 per cent said they did not even have a policy in place for disposing of paper records.

For many of the smallest businesses, particularly those with few employees or that do not store customers’ personal data, this may seem a non-issue, but GDPR applies to every organisation that processes personal data, and getting it right now could protect your company’s reputation in the future.

So – as a small business owner (or soon-to-be owner), should you dedicate time and money ensuring your small business is GDPR compliant? If you’re looking to buy a business in advance, must it be ready for the regulation?

Perhaps not. According to Christian Mancier, a partner in the corporate and commercial law team at Gorvins Solicitors and something of a GDPR expert, it might not be worth the worry or the expense.

He says that smaller firms can largely keep their databases intact, so long as consent from their customers was obtained in a robust way to start with. The first steps are determining how you process personal data, how you carry out marketing, and whether you fall under the remit of the Privacy and Electronic Communications Regulations (PECR).

PECR contains a “useful provision”, says Mancier (the so-called soft opt-in), under which businesses can send marketing emails to customers without their consent, so long as those customers have already enquired about or bought the firm’s goods or services, the marketing concerns similar goods or services, and they can opt out at any time.

“For many small businesses, especially those dealing business to business where the amount of “personal data” held is relatively small, legitimate interests is possibly a far safer ground to rely on for processing data,” he explains.

“If you are relying on a ground other than consent then this negates the need to risk decimating your database by asking customers to opt-in, where response rates have been quoted at well under 50 per cent.”

Hiring consultants or conducting lengthy reviews of your organisation’s processes just might not be worth it in the end, says Mancier, with such resources far better spent on growing a company in other ways.

He adds: “We are constantly told that small businesses are the bedrock of the economic recovery. But many of them are unduly anxious about the ramifications of GDPR and some businesses out there are reportedly receiving some shockingly bad advice.

“So they are devoting time, money and resources they can scantly afford to making sure they are complying with the regulations, and in many cases end up going far beyond what GDPR requires to their detriment.”