When it comes to the EU’s General Data Protection Regulation (GDPR), too many of the UK’s small and medium-sized enterprises (SMEs) have their heads in the sand. Whether through ignorance of the legislation, the idea that Brexit means it will no longer apply (it will), lack of resources, or fear and confusion over what they need to do to prepare, most SMEs are still in the dark about GDPR.
Much of the focus in the media has been on the multimillion-pound fines firms could face if they fail to protect customers’ data effectively, and many suppliers of products and services purporting to aid compliance efforts have been quick to play up the dangers in a bid to boost their own sales.
The problem with using a big stick to beat SMEs out of their complacency is that there has been proportionately much less talk about the tangible business benefits that becoming GDPR-compliant can bring. The real spur for adopting the principles of the regulation isn’t to avoid punishment, but the fact it can make your business more efficient, secure, responsive and customer-focused.
“Rather than a costly administrative hurdle, GDPR should be seen as an opportunity for small businesses to get their houses in order and create operational efficiencies,” says Jonathan Wood of security company C2 Cyber.
For example, the regulation requires businesses to know precisely what information they hold on people, but once you’ve done the necessary data audit and clean-up, you’ll see other benefits.
“We work with a number of online retailers and one company had a CRM [customer relationship management] database of 30 million customers, five million of whom turned out to be deceased. Having cleaned up its database and introduced processes to keep it up-to-date, not only can the company now ensure it is GDPR compliant, it’s also saving a small fortune in direct marketing costs such as printing, design and communications,” says Wood.
Gareth Lindahl-Wise, director of cyber risk at ITC Secure Networking, says the private equity, legal, insurance and financial firms it primarily works with are also seeing highly significant reductions in the amount of data they need to manage after readying themselves for GDPR.
“In our experience, most organisations can dispose of 30-50% of the data they hold by undergoing ROT analysis: redundant (remove duplicates), obsolete (remove aged records you don’t need to retain), trivial (music libraries and photos). Less data means lower IT costs and lower risks,” he says.
Targeted marketing is more effective
Another key requirement of GDPR is gaining specific opt-in consent from people to use their data in specific ways.
Sarah Williamson, partner and GDPR expert at specialist technology and innovation law firm Boyes Turner, says SMEs have an opportunity to be more focused with their marketing.
“All organisations have huge marketing databases at the moment, and no one really knows exactly what they do with that data and why. You might get little value from marketing to thousands of people, but if you can target individuals that genuinely want to hear from you, you’ll probably gain a lot more business,” she says.
Adam Rubach, UK managing director of mobile data platform provider Ogury, agrees. “As onerous as preparation for GDPR may appear on a surface level, correct application of the core principles early should be a net benefit for SMEs. Data collected ethically and with the explicit consent of users, combined with sophisticated targeting, will make adverts more and more like personalised recommendations and less like annoyances to be suffered. Start applying GDPR rules now and expect to see a step-change in the quality of click-throughs from online ads, for example,” says Rubach.
Jane Dixon, senior director for GDPR compliance and consulting services at contextual marketing specialist SmartFocus, says similar. “If GDPR is approached as an opportunity rather than an obstacle for the business, SMEs can become more customer-centric by gaining better insight into customer preferences and trends through exploiting data within the parameters of the regulation,” she says. “Think about how to communicate with key audiences going forward – the channels you use, segmentation, targeting and personalisation of communication.”
But this isn’t just about the fact you can better target your marketing content – working within the explicit consent framework of GDPR can also allow you to build closer, more trusting relationships with customers. As Rubach notes: “SMEs which are able to clearly and simply explain how data will be put to use will establish greater loyalty between their brand and their customer base.”
Staying safe for less
Another knock-on benefit of GDPR preparation is the improvements and savings it brings to IT security management. “The legislation forces all businesses to identify their security strategy, solutions and safeguards, and that can only benefit a business,” says Adam Nash, EMEA sales manager at cloud security specialist Webroot. “With cyber attacks becoming increasingly financially motivated, by reinforcing your security strategy and solutions you will inevitably reduce the likelihood of having to pay what some organisations think of as a ‘cyber tax’ as a result of rising attack numbers. You’ll also reduce the downtime caused by virus outbreaks.”
Frank Krieger, director of compliance at secure cloud provider Iland, claims the security benefits are even more profound – and as an SME itself, Iland has seen those benefits first-hand. “GDPR has been the catalyst that helped propel compliance from a back-office function with oversight into specific domains into a pivotal role that ensures privacy and risk are addressed throughout the organisation. The side-effect has been more verifiable trust with our customers and more transparency in our operations,” he says.
Perhaps, ultimately, it is this potential to drive fundamental cultural change that makes GDPR such a powerful catalyst for wider business benefits. “GDPR will force a culture change and those that embrace it to its full extent will prosper the most,” says Richard Shreeve, consultancy director at Civica Digital, a software and digital services firm which provides support and GDPR consultancy to both the public and private sector. “Aside from trust and transparency, changing the way an organisation views and manages data can help improve decision-making, customer reach and customer satisfaction. Getting your data in order will lay the foundations for better insight, driving better services around what people want and need, as well as helping to reduce waste.”
And while he says there’s no denying the road to complying with the General Data Protection Regulation is hard, he thinks it’s time to look forward to the benefits the legislation will bring, because it’s these benefits that will give SMEs the crucial competitive differentiation they’ll need to succeed.
Case study: Becrypt discovered unexpected benefits in preparing for GDPR
Only a small minority of UK SMEs have completed their EU General Data Protection Regulation (GDPR) preparation, but of those that have, many tend to be in the technology sector where there’s been more awareness of the looming deadline.
Becrypt, an SME data security specialist, found unexpected benefits from the process. Its CEO and co-founder, Bernard Parsons, says that when preparing for GDPR it’s impossible to think of compliance in terms of traditional box-ticking.
“We’ve applied frameworks like Cyber Essentials previously, which are good for getting basic security controls in place. But GDPR isn’t just looking at how you protect data, but at what data you’re holding in the first place and why, what the implications are if it’s lost, privacy, what happens when individuals start exercising their rights under the legislation and so on,” he says.
“That forced us to model our business processes more formally, which in turn allowed us to find efficiency savings, and simplify and improve how we were doing things in the business. It also prompted conversations about what we could do differently and more effectively, and where our principal risks were.”
Parsons adds that the process also gave rise to a much richer framework of decision-making in the business, both in terms of storing and processing data, but also when it came to protecting data.
“Thinking about how to do it in a way that made most sense in terms of our business priorities and how we are attempting to deliver value was an extremely valuable exercise, and while it was certainly broader than GDPR, there’s no doubt GDPR was the catalyst,” he concludes.