With little over a month to go until the so-called General Data Protection Regulation (GDPR) deadline (yes, it is still May 25, 2018 but compliance is an ongoing thing) we look one last time at the state of preparedness for the GDPR before that GDPR deadline and before taking the last steps in the road towards GDPR compliance ourselves. The focus: GDPR in SMBs.
As a tiny business we have been serious about the GDPR and, if all is well, we’ll share all the steps we took and things we did (from checking WordPress plug-ins and to which extent they are compliant or not to revisiting our entire marketing stack and far beyond, all the way up to website hosting, data subject rights exercise enablement, a granular GDPR consent approach and so on).
Hopefully we’ll have the time to share it and shorten your own path to compliance, whether you’re a tiny, medium-sized or even larger organization and, regardless of where you are (or where personal data processing occurs to be more precise). By the way: there is still that myth that SMBs do not fall under the GDPR and that it only applies to organizations which are processing personal data of data subjects in the EU, just as there are still myths on many other levels.
We for instance, keep hearing people who say that under the GDPR consent is the only legal basis for the lawful processing of personal data. We still see people combining several data processing purposes within one request for consent (instead of having a granular approach), we keep hearing myths about those data subject rights, the GDPR data processing principles, the need for and role/place/profile of the data protection officer and far more.
And in our capacity as a data controller, we still have to push a couple of data processors we need to work with to give us those documents on their own policies and readiness since, in case of a personal data breach we are responsible. They too are SMBs.
The GDPR deadline and fines – get over it: the steps that matter
As said, it’s in the context of GDPR in SMBs that this last look at the state of GDPR readiness, let alone awareness, before the GDPR deadline fits.
As could be expected – and as we see each day – companies are “prepared” or even aware in very different degrees. This is also the case regarding the implementation of measures to get ready for GDPR in SMBs. But they are certainly not alone.
Would it help to keep reminding SMBs about the GDPR deadline and those high – potential – GDPR fines? In all honesty, we’re a bit fed up with seeing that and the limited imagination of marketers trying to sell their solutions under the umbrella of urgency and fear – or what else is communicating over and over again with an emphasis on those administrative fines and the GDPR deadline? On the other hand, it’s true that this is what many people still seek to know most if we can believe the data. It seems a bit like the chicken or the egg causality dilemma. What came first: the fears regarding those high fines or the fact that companies keep hammering on it? Perhaps it’s both.
Maybe a better approach is to try helping people for a change as, fortunately, many try to do. Share your own experiences. Focus on GDPR benefits. Be creative. From now on, each time a company communicates with the high fines as the key message in the subject line or in the first two lines we’ll add it to a list of ‘bad GDPR marketing by using fear’. Or not. Because that would be a long list. So let’s stick to some reminders and, as from now, advice ourselves to begin with.
What matters now is that you take steps. The right steps and as many steps as you can to demonstrate you did what you could and to simply get it over with faster. It’s there, it applies to all of us and it’s time to apply the lessons you possibly learned or those others have learned.
The varying degrees of awareness and preparation of SMBs for GDPR
Yet, you want data about the GDPR in SMBs as promised. IDC has them for you. Unfortunately they only communicate about the level of preparedness of SMBs in a few countries.
First, it must be said that, overall, US companies and companies from outside the EU have been preparing pretty well, at least when we look at other research and talk with DPOs and privacy professionals in the EU. Notable exceptions are, among others, the UK (indeed), The Netherlands and some others. Yet, no one can beat the Germans for several reasons (such as already having pretty stringent rules).
According to data which IDC released on April 3, 2018, the levels of GDPR awareness, planning, and preparation in SMBs are varying. The findings are based upon a January 2018 survey of over 2,000 business owners, LOB leaders and IT leaders “aware of or managing IT spending in seven countries”: Brazil, China, Germany, India, Japan, the UK, and the US. So, not really data from a month before the GDPR deadline but announced about a month before that deadline, coming with an IDC report and presentation, entitled “2018 Worldwide SMB Preparation/Plans for GDPR“.
In the abstract of the presentation which you can buy (or watch if you’re a client with the right access), we read that IDC splits up SMBs as follows (it matters as definitions do vary depending on region): small businesses with 10-99 employees and midsize firms with 100-999 employees.
Obviously a company with 105 employees might have very different GDPR challenges than one with 906. It’s certainly not just a matter of size. A company with 974 employees, to take another number, can have far less data processing activities than one with 36 employees, which, among others, matters on a level of the need for a data protection officer, depending on activities things like profiling, the potential sensitive nature of processed personal data, the list goes on.
By way of an example: according to Crunchbase a data mining, analysis, and brokerage company, called Cambridge Analytica (it’s been in the news lately) has between 101 and 205 employees. We bet they process far more data and do far more profiling than, for example, a small chain of good old brick and mortar shops with 999 employees. That would also be the case if Cambridge Analytica had 19 employees.
SMBs might want to speed up their GDPR efforts – a few takeaways and reminders
The IDC GDPR SMB report/presentation splits up the SMBs which participated in six categories: 1) aware/have taken steps, 2) aware/need to take steps, 3) aware/no action/none planned, 4) unsure of implications/need to comply, 5) not aware/will need to take action and 6) not aware/no action/future action unlikely. Important to know when interpreting what is said in the press release regarding the report and some of its key findings.
According to that announcement the survey found that less than half of European SMBs have taken steps to prepare for the GDPR. So, all the others are in one of the five other categories, from being aware and needing to take steps to totally unaware and/or not intending to do anything whatsoever. Among non-European SMBs, IDC states, the share of prepared firms is significantly lower. Obviously, it would be interesting to see if the same levels of awareness and preparedness exist as on the level of large organizations where, again, US companies for example, have been doing pretty well. But those data are in the report.
IDC further reminds us of the GDPR deadline of May 25, 2018 and of the fact that the personal data must be governed and protected, regardless of the geographic location of the company holding this information.
Holding data is one form of processing and it’s the processing of the personal data that matters (by the way, another myth: it’s not just about ‘traditional data’ but also about a broad range of identifiers, enabling identification as in PII or Personally identifiable information), yet processing is interpreted very broadly in the GDPR and includes indeed simply holding the information. Personal data and PII is also very broadly defined and unfortunately that is still seriously underestimated.
Processing personal data also means storing it (even if it’s just sitting somewhere in a database with little or no activity), using it to send email newsletters, transferring it and so forth.
Do note there are very stringent data subject rights in the scope of having to delete personal data (data subjects have a right to be forgotten), transfer personal data from one company to another (the right to data portability) and far more.
And for international transfers of personal data still other rules apply (more on that below). Moreover, data subjects have a right to know what personal data you have about them, how you got them and for what purposes you use them (and even what you “said” when people agreed to consent to sharing them, e.g. in your loyalty program sign-up form). They can also ask you to stop processing it or restrict processing and you can’t hold data for other purposes or longer than needed, to mention just a few of these personal data processing principles that you really need to know. Why? Because in practice you’ll need to be able to respond to all this and that is easier said than done as we’ll explain when sharing our own GDPR journey.
IDC also reminds the high fines of up to 20 million Euro ($28 million USD) or 4% of annual revenue for non-compliance but as Raymond Boggs, program vice president, Small and Medium Business Research at IDC, says “GDPR compliance is important, not just to avoid fines, but to insure that vital customer information is secure and protected”. We love hearing it. Do note that there are two ‘categories’ of maximum fines by the way (conditions are explained in the GDPR Articles and in our previously mentioned text on GDPR fines) and that, in the past, such big fines have been rarely applied – but the past is indeed the past.
Understanding the essence and spirit of the GDPR – it does matter
We want to add that the GDPR is also not just about security and data protection in the technology sense but needs to be tackled from the perspective of risk for the data subject (and, yes, also by definition your company) and most of all puts control and ownership of personal data in the hands of data subjects, a.k.a. people, obviously with limits and exceptions as it’s about business too and there are other rights.
That, at all time, needs to be your guiding thought: privacy is not an old-fashioned idea and dying concept to paraphrase what Facebook boss Marck Zuckerberg said many years ago.
Although in practice it might be dying and continue to, the GDPR’s aim is to radically change that, protect privacy and force organizations who think they own personal data and can use them at will to stop thinking that. In business terms: data is the new (well, already quite old by now) oil, personal data is a goldmine for many businesses and a real business asset. But you’ll have to distinguish between ‘just data’ as an asset and personal data as to some extent the currency of people, data subjects, consumers, Facebook users, etc. and you’ll have to do more to use them, SMB or not.
This doesn’t mean that the GDPR is really only about and for the people. In the end it’s about business as well, just as much as in other countries. On top of wanting to protect personal data and citizens the EU wants to boost its digital economy and single market. And, as the EU likes to see that, this comes with a lot of regulation and interventions. There are also EU rules coming on entirely other matters such as blockchain technology, artificial intelligence, anything really that fits in the scope of that digital economy and market, digital transformation, the industrial transformation of Industry 4.0 as Europeans call it and similar evolutions.
One could say that some regions have really differing views on personal data: some see it more as “hands off, let businesses take care of it themselves as they want” while others (the EU) have a stance whereby they want to protect citizens against everything and at the same time boost business. In our view none of both is ideal. Because, in the end, citizens really end up deciding little anyway. Politicians decide and economic priorities decide.
Truth to be told, however: until someone sees a really balanced way whereby people can perhaps really chose (within specific limits) the rights of data subjects are far higher under the GDPR of the champions of regulations and deciding what is best for people, the EU. Agree or disagree, like it or not: the GDPR is a fact, the GDPR deadline is almost there and you need to be as complaint as possible.
SMBs and GDPR: struggling to meet the GDPR deadline, high levels of unpreparedness and sometimes simply not caring at all
Back to the IDC GDPR SMB readiness/awareness results. In the press release, senior research analyst Carla La Croce says that “when looking at GDPR in Western Europe, adoption is moving ahead as expected”.
Larger organizations move faster than smaller ones and, when looking at a country level, Nordic countries implement GDPR faster than other Western European countries. We’re not sure if there are Nordic countries in the report and guess it comes from other research or findings as Denmark, Finland, Iceland, Norway or Sweden are not in the list of the seven countries.
Carla La Croce further states that GDPR compliance and implementation has been identified as a top security priority. However, Western European companies are struggling to meet the GDPR deadline, and this is more so for SMBs. On top of that, and as mentioned earlier, she reminds that there are also misunderstandings and misconception issues standing in the way of being compliant by the time of that famous GDPR deadline.
Here we should emphasize that since several years ample research found that many organizations claimed they had GDPR compliance high on the agenda but that, when digging deeper and looking at the facts and the essential things to do, there was a significant gap between what was said at a decision-maker level (including IT leaders) and the reality whereby an end-to-end approach with a clear GDPR strategy, let alone plan that also focused on GDPR staff awareness and training, internal policies and so forth. It’s the GDPR compliance perception gap.
SMBs and GDPR awareness
A pretty significant amount of European small business (so, 10-99 employees) are not aware of the GDPR according to IDC. As such that didn’t surprise us but the fact that this is the case for over 20% of small businesses in the UK and Germany triggers our curiosity.
In a previous article (from earlier in 2018) with some findings on GDPR and privacy law awareness we mentioned that about 24% of business in the ‘London Chamber of Commerce and Industry’ wasn’t aware of GDPR. As is the case with most chambers of commerce, the London Chamber of Commerce and Industry obviously also includes small businesses and very tiny companies like us.
So that seems pretty similar to IDC’s findings. But we’d love to see those stats for the Germans because, as said, they have been ahead on all possible GDPR readiness levels so far, including technological levels such as the usage of encryption and pseudonymization, cloud data security and protection and far more.
Yet, then again, small businesses in general is a different story. IDC: “Midsize businesses (so, 100-999 employees) show much greater awareness, 80-90%, across geographies”. When it boils down to small businesses outside of Europe, about half are unaware.
SMBs and GDPR compliance action intentions
Close to 44% of European small businesses and 41% of midsize businesses say they will need to take compliance action IDC further says, and this independent of GDPR awareness.
We further read that for non-European SMBs, the percentages are 38% for small businesses and 55% for midsize businesses (saying they will need to take compliance action). Quite amazingly a third of European SMBs have no plans to comply. We don’t assume that data protection authorities will want to set examples with small companies but rather prioritize and focus on some clear larger cases with flagrant non-compliance. But to think that SMBs will not be affected is to err.
As said, data subjects have many rights and they can lodge a complaint if they are not happy with the way a small or medium- sized business uses their data. Like that company we know that keeps sending newsletters and calling us even if we unsubscribed from the newsletters at least 50 times over the past ten years and asked to put us on a ‘do not call’ list. They listen, yet time and time again they keep adding us when again importing some list they have or had as they couldn’t care less as we happen to know. You can imagine these and other scenarios whereby some really fed-up people will not hesitate to complain anymore and whereby the data protection authority needs to intervene. Oh, and more than one half of non-European SMBs have no plans to comply either (whereby we suppose they process personal data of EU folks as the first category obviously does, keeping in mind the broad definitions of personal data, identifiers and processing).
The GDPR steps to take by SMBs ahead of the GDPR deadline
A last finding IDC mentions concerns the steps taken by European SMB in GDPR compliance preparations. According to the research firm, only 29% of European small businesses and 41% of midsize businesses have taken steps to prepare for GDPR, which of course is still far away from being compliant.
Looking at the steps we took and the many steps to take the next weeks we hold our breath. Maybe sharing that journey towards compliance might be a good idea indeed.
Among non-European SMBs, the share of prepared firms drops to a pretty staggeringly low 9% among small businesses and 20% of midsize businesses. Again, we suppose that these are SMBs that process personal data of EU folks one way or another. So, if the need is there, as the survey seems to show maybe we’ll need to write about the GDPR for non-European SMBs processing personal data of EU citizens.
GDPR SMB advice: some reminders, takeaways and a promise for non-European SMBs
By way of a first step in that regard take a quick look at the somewhat adapted graphic below from the people of the Irish GDPR Awareness Coalition (they have plenty of such graphics and we used some across the many posts we wrote on the GDPR, which can serve as advice too of course).
This particular graphic contains some basic elements of what you need to know as a company outside of Europe concerning the international transfers of personal data.
Forget the binding corporate rules, that’s for big companies, multinationals really. You will probably not take the route of approved codes of conduct and/or certifications (which for midsize businesses certainly would be a good way to demonstrate efforts that they really took many steps, which in the end is still the crux of the matter, do read our text on codes of conduct with an infographic to make it easier).
If you’re a US company you have the EU-US Privacy Shield. And in all other cases it’s either explicit consent (so, consent, that on top needs to be explicit), the existence of an adequacy decision for the country you transfer the personal data to (meaning that the EU has found that the country will provide ‘adequate’ personal data protection) but there aren’t that many with such an adequacy decision yet (last time we checked Andorra, Argentina, Canada where it concerns commercial organizations, the Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay; Japan and South Korea are coming) and, finally standard contractual clauses.
Do also note that all these rules apply to the so-called European Economic Area: the EU plus Iceland, Liechtenstein and Norway. Moreover, they are only about personal data transfers. For example: you’re a hosting company or an email service provider with its servers in Australia, also doing hosting for or sending mails of companies in that European Economic Area (inevitably meaning that personal data is transferred). Or you simply have a company whereby now and then customers send you files with personal data for whatever purpose.
Being GDPR compliant is about far more than personal data transfers. You also need to have your website, forms and so forth ready in time for that famous GDPR deadline. And you need to be able to respond to questions and right requests from EU consumers which they of course can – and will – exercise. The list goes on.
Maybe a small GDPR guide or series for SMBs outside of Europe would indeed be a good idea. And, looking at those findings from IDC, it seems that European SMBs could use some additional information as well but, then again, they are – and should be – more prepared.
Time to meet that GDPR deadline. Of course, it all starts with awareness, creating staff awareness and a bit of training and making an inventory of what personal data you process why and where before coming up with a plan and further steps in function of the gaps between what you do and are supposed to do. But that’s for later.
It just is important to start and carry on. Or as information management and GDPR expert Rick Gruijters of IRIS Group Professional Solutions said (and they work for SMBs, on top of large enterprises, too as in Europe there are quite some responding to that definition of medium-sized as IDC gives it) in an interview on strategy and privacy by design in practice: start with an awareness stage and then assess and plan. They remain important steps with GDPR awareness training being a strategic quick win – as it is about demonstrating what you did and plan to do – and then do it, SMB or not.
More about the IDC survey in the mentioned press release and in the report. By the way: do not make the mistake to think that GDPR is just a matter of solutions and technology.
Top image: Shutterstock – Copyright: Wright Studio – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.