Tips for smaller firms on how to apply GDPR
By Patrick O’Kane, lawyer, data protection officer and author of the book GDPR: fix it fast
It has been said that more data is created every two days than was created from the dawn of civilisation until 2003. We are awash with data. However, there is a new regulation coming into force on 25th May that changes the rules in relation to personal data. The General Data Protection Regulation (‘GDPR’) has been described as the most important regulation for a generation. The maximum fine for breaching GDPR is 4% of annual turnover or €20 million for smaller companies. The new rules will apply in the UK regardless of Brexit.
Here are five compelling reasons why SMEs urgently need to align their processes with GDPR:
Point #1 – GDPR means customer rights with teeth
First, the GDPR gives individuals new rights over their personal data. For example, the GDPR confirms the individual’s right to erasure – the right (in certain circumstances) to ask a company to delete all the data it holds on that individual. After 25th May, a customer may be able to ask for the data that a business holds on them to be wiped from its systems.
Individuals will also have a right to move their personal data from one service provider to a new service provider. For example, they may be able to ask their old bank to move all of their records over to their new bank. This is known as the right to data portability.
There could be fines and reputational damage coming for smaller businesses if they do not align their operations to the GDPR’s principles and rights.
Point #2 – Suppliers are now under the microscope
The GDPR puts new responsibilities on data processors. If your company is processing data on behalf of another organisation and acting only on their instructions, for example as an outsourced payroll service or as a call centre provider helping a large corporate customer, then you are now in the frame under GDPR and you will have to make sure you are complying with GDPR.
Point #3 – Some companies must appoint a Data Protection Officer
All companies need to appoint a Data Protection Officer (DPO) if they are carrying out monitoring of people on a large scale (e.g. monitoring their online behaviour) or if their main activities consist of processing sensitive data (including health data). The DPO must keep your company on the right side of the law when processing data. If you don’t appoint a DPO when you should, you could be breaching GDPR and could be liable for a fine.
Point #4 – Staff could be your weakest link
Your employees are your operation’s front line, but they could sometimes be your weakest link: some studies show that around one third of data breaches are down to staff error. There’s no substitute for training your employees on their basic responsibilities under GDPR. In addition, ensure that your company’s specialists, such as marketers, HR and board members, receive specific training relating to their roles about what they must do to comply with GDPR.
Point #5 – You must tell customers about what you are doing with their data
Under GDPR, consumers and customers have the right to be informed – in clear language – as to what you are doing with their personal data. Your online privacy policy should be written in plain language telling customers about where you get their data, what you do with it and who you share it with. If this is not done properly you could be breaching GDPR.
If you’re an SME then you need to get on the right side of GDPR fast. Otherwise your business could be in line for a major fine.