GDPR still a mystery to SMEs: the risks of non-compliance

The General Data Protection Regulation (GDPR) came into force in May 2018. But despite enormous publicity surrounding the new European data protection regime (GDPR is a regulation that replaced the 1995 Data Protection Directive, not an amendment to it), many business owners still do not know the consequences of failing to meet its requirements.



A recent investigation into SME owners’ engagement with the digital landscape showed that 39 percent don’t know who GDPR affects, while 1 in 10 respondents don’t think GDPR gives consumers any new rights. This lack of awareness is concerning as SMEs are putting themselves at serious risk by ignoring the new regulation.

The answer to another survey question, "What have you found most annoying online in 2018?", may explain why SMEs have failed to engage with the information distributed about the regulation: alongside nuisance PPI phone calls and website pop-ups, constant communication about GDPR topped the list.

This suggests that the efforts made to spread understanding of the regulation and ensure business compliance have been ineffective, irritating rather than enlightening their intended audience. The problem is that this is one area businesses cannot simply put off until a later date; understanding the regulation is not an optional extra.

How GDPR benefits consumers

GDPR is intended to give consumers two main benefits. The first (and perhaps most important) is that their data will be more secure overall. Every company that handles personal data must put in place appropriate technical and organisational measures to protect the customer data it holds. This does not apply only to the way the data is stored; it covers every processing operation, from collection through transfer and use to deletion.

There is also a 72-hour timeframe for breaches, but it is worth being precise about who has to be told. A company that becomes aware of a personal data breach must notify its supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to those individuals, the company must also tell them directly without undue delay, so that they have time to take action to secure their information, such as changing passwords.

The regulation also gives consumers greater control over their data. Included in this is the right to data portability: the right to receive the personal data a company holds on them in a structured, commonly used and machine-readable format, so that it can be passed on to another provider, even a competitor of that company. In theory, this means consumers will be able to get better deals from a number of suppliers with greater ease.

How businesses should process their customers’ data

Whenever you do anything with your customers’ personal data, whether collecting, storing, reading, sharing or deleting it, you are, in GDPR terms, processing it. So if you access the data at all, for however short a time, the rules on processing apply to you.

There are six lawful bases for processing personal data under the regulation. These are:

  • Consent – the individual has given clear, freely given and specific consent to use the data in a particular way, and can withdraw it as easily as they gave it; think gathering browsing data to personalize online adverts.
  • Contract – processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one. For example, processing credit card details when the consumer signs up for a trial period.
  • Legal obligation – you need to process the data to comply with the law; this could be to report to a regulator or to respond to a lawful request as part of a criminal investigation.
  • Vital interests – processing is needed to protect someone’s life.
  • Public task – processing is needed for you to carry out a task in the public interest, and this has a clear basis in law.
  • Legitimate interests – processing is necessary for your legitimate interests (or a third party’s), such as fraud prevention, unless those interests are overridden by the interests, rights and freedoms of the individual. This is a balancing test, and you should be able to show how you carried it out.

Much of the focus so far has been on affirmative consent from data subjects in order to reduce unsolicited marketing, one of the most visible effects being the "cookie consent" pop-up on every new website visited. Strictly, the requirement to ask before setting non-essential cookies comes from the older ePrivacy Directive; what GDPR changed is the standard of consent those banners must meet, which rules out pre-ticked boxes and consent implied from continued browsing.

Many SMEs still not fully compliant

Despite the publicity surrounding GDPR, especially in the months before it came into force, our survey showed many SMEs were unprepared for, or misunderstood, the changes. Hiscox Lead Cyber Underwriter Stephen Ridley believes some businesses seem to have done the absolute minimum, such as updating their website’s privacy notice, and are still a long way from fully complying. The main confusion appears to be around understanding the nature and volume of the data they process. The natural starting point is a data inventory: what personal data is held, where it lives, why it is processed, under which lawful basis and for how long. For many organisations this is also the record of processing activities that Article 30 of the regulation requires them to keep.