That feeling when startups realise they REALLY need to get ready for GDPR

7 Aug, 2017

Pete Moore loves data and set up Manchester-based Look At Your Data to, well, look at more data. He believes data to be a strategic asset and, when he’s not advising on GDPR, he’s enabling organisations to realise their huge data potential.

Small businesses need to care about GDPR. There, I’ve said it.

GDPR is an EU regulation and the letters stand for General Data Protection Regulation – Every. Word. Matters.

General: It applies to everyone, including you. This is because, although the regulation comes from the EU, it is extra-territorial (this last bit means Brexit doesn’t matter).

Data: It impacts on all your data and data strategy, not just email, not just CRM. All of it.

Protection: It protects EU citizens (that’s how it gets to be extra-territorial), from entrepreneurs in Shoreditch to nuns in Rome.

Regulation: It is a legal act of the European Union and becomes enforceable in law on 25 May 2018. Fines for breaching GDPR can be up to four percent of total global annual turnover, or €20 million – whichever is greater.

Coming to terms with GDPR

If (any of) this is news to you, and if you are like most companies I advise, you will be feeling one, if not all, of the following right now:

Denial: “We’re too small…” “We’ve always done it this way…” “But that is so much change…” “They’ll never go after us…” “But we’ll go bust!”

Anger: “No way are we changing our whole business model…” “They do that, there’ll be people marching in the streets!”

Bargaining: “Well we’re Brexit-ing anyway…” “What if we just don’t email anyone…” “I know what we’ll do, we’ll mass mail everyone to get them to opt-in…” “We’ll be below the radar, us…” “Can we outsource it?”

Depression: “Damn! We actually need to do this…” “There is absolutely zero profit in this…” “There’s a year of my life: right there…” “This’ll cost…” “Will you come and see me in prison?”

The eagle-eyed amongst you will have noticed that these are the Kübler-Ross stages of grief. Grief, as in the standard reaction to death. Why the melodrama? Simply because all of the above are actual quotes – and, yes, that does include the ‘people marching in the streets’ one. A better question might be: why does GDPR evoke such uproar?

I can answer this with varying degrees of complexity but the easiest answer is this: you can’t get out of it.

No getting out of it

Small businesses were able to fly ‘below the radar’ of the old Data Protection Act but that’s gone. Why? Because they need to report data breaches to the ICO. Brexit doesn’t matter. Why? The law is extra-territorial. Your existing contacts might be about to disappear. Why? Because opt-ins need to be explicit (this actually gets quite complicated and is somewhat beyond the scope of this piece). Please understand my goal here is not to scare you, simply to put GDPR on your radar.

Finally, the really eagle-eyed amongst you may have noticed that I omitted the final stage: acceptance. Why? Because I think it comes up short. To me ‘acceptance’ means break-even, but the opportunity with GDPR is greater than this. By marrying a GDPR assessment to a strategic look at your data, you can achieve both efficiency and profit. That is the true message of this article: everyone will have to do this, and it is those that move fastest in the smartest direction who stand to gain from it.

What can you do right now?

First, assess your compliance position; take the ICO’s self-assessment toolkit. Consider registering as a data controller with the ICO. Next, familiarise and assimilate the key terms: DPIA, DPO and Privacy by Design. These mean, respectively, you have assessed the impact of data protection on the organisation, someone is taking responsibility for it (NB the role of DPO is very much a senior appointment), and new development in future will protect individuals’ data rights as a default.

Finally, don’t just plug the holes, strategise. In all likelihood, getting GDPR-ready will require organisational change. Don’t just grab the yoke and tug; reverse, take a fresh look and repoint. Attack the problem with force. Yes, move fast, but pick a direction, too. That is, move with velocity, not just speed. Spend money, if you need to; employ a change agent, if necessary.

Everyone needs to do this and many will get it wrong; get it right and you will outrun your competitors.


  1. It’s worth bearing in mind that although the maximum fine is technically 4% of turnover or €20 million, the Information Commissioner’s Office has announced that the fines will be a last resort, and that reports of big fines are ‘fake news’. Indeed, fines issued against small businesses under the current regime have been the lowest that the ICO has issued. This is not to say that any business should ignore GDPR’s implications, but nobody will be put out of business solely because of a massive fine from the ICO.