How are SMEs preparing for GDPR?

As of this week, the deadline for General Data Protection Regulation (GDPR) compliance is less than four months away. Though we hear quite a bit about how large multinational companies are getting ready for the May deadline, we wondered how small and medium-sized enterprises (SMEs) were preparing.

I spoke to several SMEs, and they all had one thing in common: They are taking GDPR seriously. They shared with me some of the challenges SMEs have in terms of GDPR and how they are getting ready.

SMEs are a priority for the EC

Last week, the European Commission (EC) released extensive guidance to help European Union (EU) businesses get prepared, with specific attention paid to SMEs.

A press release announcing this guidance spoke directly to SMEs, highlighting specific allowances they are afforded within the GDPR framework, such as flexibility in hiring a data protection officer, in keeping processing activity records and in the reporting of breaches. It promoted the regulation’s new data portability rule as a boon to SMEs, saying it “will allow individuals to move their personal data from one service provider to another. Startups and smaller companies will be able to access data markets dominated by digital giants and attract more consumers with privacy-friendly solutions.”

The EC also reported that in addition to making nearly 1.7 million euros available to fund data protection authorities in Europe, it has earmarked an additional 2 million euros to help businesses come on board, with an emphasis on SMEs.

So it’s clear that the EU is interested in SME compliance, but what is really happening on the ground?

Turns out that size doesn’t matter — that much.

On a surface level, SMEs are preparing for GDPR much the same way larger companies are.

Sam Pfeifle, content director at the International Association of Privacy Professionals (IAPP), said that all prep should begin with a thorough understanding of the rules.

“In many ways, preparation for the GDPR should be very similar for all businesses, big and small,” Pfeifle said. “It starts, fundamentally, with an understanding of what personal information you collect, where it lives, how you are using it, what consent may be attached to it, and when you delete it. With which vendors (cloud services, maybe, like marketing automation software or a CRM like Salesforce) do you share information? How is that data-sharing managed and what contracts govern that agreement?”

But a business can’t get ready if it doesn’t even know it’s necessary. A September 2017 Hubspot survey of EU businesses of all sizes indicated that many are woefully unprepared. Only 36 percent had even heard of the regulation. And that was in Europe!

Natasha Morgan, vice president of marketing at data platform Umbel, recognizes the challenges but sees GDPR as an opportunity for businesses of any size.

“Many marketers still aren’t yet aware of GDPR, but once they are, they are worried about how the regulations will shrink their reachable audience and constrain engagement with potential and existing customers,” Morgan said. “GDPR means people will be reminded much more about their ‘right to be forgotten,’ or to opt out. Once the dust settles, though, most savvy marketers see GDPR as an opportunity to clean up their data, focus more on highly targeted and personalized engagement across all channels, and to focus a bit more on content and conversion.”

Knowledge is power

Once a business becomes aware of the regulation, the next step is to learn as much as it can.

Ruth Carter is a social media/internet lawyer and entrepreneur. She maintains a modest mailing list and has become obsessed with GDPR, producing videos, blog posts and other materials for her clients and followers.

“I have an email list, but since everyone adds themselves to it I have no idea where any of them are located, so I have to assume at least one of them is in the EU and so I’m required to comply with GDPR,” Carter said. “I read this law cover-to-cover — seriously, I printed it out and have it in a binder — so I can both make sure my company complies with this law and help other companies do the same. One of the things I need to add to my email list is double opt-in for when people add themselves and include all the required information that the GDPR requires we give data subjects when they consent to give personal information.”

Pfeifle says that it’s important to familiarize yourself with the actual law.

“It might sound silly, but the first order of business might actually be to have someone in your organization actually read the law! It may take some time for your organization to understand data protection impact assessments or the obligations for data breach notification. There is no quick fix and the sooner you start, the sooner you’ll feel confident about your compliance efforts,” Pfeifle said.

Partner with legal resources

Many of the companies I spoke to said that to fully understand the law, businesses should consult with legal experts.

“GDPR might seem like a looming giant to medium and small businesses, but it doesn’t have to be daunting,” Chris Cunningham, president of proximity and location data platform Unacast said. “Step one is understanding what it means to your business specifically, and step two is seeking out the right resources to help you prepare — as well as ultimately brief your company, partners and clients on your readiness. I think ‘resources’ is the keyword here; businesses don’t have to go this alone. Rather than make your best guess at how to prepare, you should find the right partners or professional services providers with industry-specific data privacy expertise to help.”

Shane Edmonds, chief technology officer at etouches, an event management platform, agrees that tapping into available resources is key.

“A lot of our prep for GDPR involves properly understanding the expectations for how companies should be handling consumer requests that fall under the regulations,” Edmonds said. “We are doing this by engaging with our legal counsel as well as our clients who are also investing in similar efforts. One of the trends we are seeing with our larger customers is the expansiveness of their GDPR preparation programs — which include external consultants and cross-functional stakeholder groups across their organizations.”

There may be a tool that can help

Leela Srinivasan, CMO of recruiting software tool Lever, said that another challenge SMEs face is a lack of access to sophisticated tools, particularly those that make GDPR compliance easier.

“Small businesses don’t always have tools and software in place for managing their operations,” Srinivasan said. “There’s a lot of ‘getting by in spreadsheets.’ This could be problematic under GDPR, which requires organizations to maintain full records of any data processing activities that involve EU residents. The regulation will make it much riskier to operate out of multiple different tools, whether spreadsheets, email or documents. And GDPR applies to marketing, recruiting or really any functional activity involving such data.”

“Consolidating tools can provide efficiency and give you peace of mind as you navigate the complexities of GDPR,” she said.

Umbel’s Morgan also recognizes these challenges.

“Smaller companies are often strapped for resources, whether that’s staff or capital to invest in preparation,” Morgan said. “Operationally, you need to understand how personal data flows through your organization, which can get very convoluted; you have to validate that opt-in procedures comply; you have to make sure that all of your vendors that process data comply. All of that costs money and time. Many larger US-based organizations also have a global presence, so they would already be compliant with existing privacy regulations — or closer to it — while this might be an entirely new exercise for smaller organizations, which makes it even more resource-intensive to meet the May deadline and to support compliance thereafter.

Ignoring it will not make it go away

Regardless of the challenges SMEs might have in getting their businesses up to speed, come May 25, they need to get there. I asked Morgan if any of her clients are choosing not to do anything at all.

“We haven’t seen that, though many of our clients are live events, so they’re either selling their goods or services to a localized region,” Morgan said. “You may see that behavior from companies who primarily sell outside of the EU, because the costs of changing their practices or even changing vendors may not be worth the revenue they take in from the EU — especially if it doesn’t represent a significant percentage of their total revenue. After all, if EU residents represent .5 percent of your global revenue, is that worth the cost of GDPR preparation or to risk 4 percent of that revenue for a single violation?”

Natasha Kvitka, digital marketing strategist at online retailer GiftBasketsOverseas, gave me a succinct list of action items for GDPR compliance.

“[Our] client base includes [a] significant amount of customers from the European Union countries, so we take the GDPR challenge rather seriously,” Kvitka said of the 100-employee business.

She explained:

In order to comply with new rules we are making sure that:

• All the customers are aware that all the data collected from them is a necessity for the order procession.

• The data will be stored securely for a limited amount of time.

• Users actively opt-in to receive further marketing communication upon purchase.

• Users and authorities have a point of contact via website to communicate about their data and its security, request data removal or extraction.

Kvitka also told me that the company plans to certify with Privacy Shield.

If you haven’t started preparing, start today

There’s no excuse. If you are a small or medium-sized business that has been putting off your GDPR preparation, today is the time to start. Take the first step by learning as much as you can, reach out to trusted partners and resources, and look at it as an opportunity to frame your business as one that cares about data privacy moving forward.