Rafael Bloom of Salvatore Ltd our compliance partner, has been helping SMEs to adjust to the new “GDPR Way” of doing things for many months now. He shares some of his thoughts on how things are progressing below:
1. These companies, from sectors like Property, Accountancy, Charities, Publishing and Hospitality, have one thing in common: they are unlikely to attract massive fines from the ICO. In summary, no need to panic!
2. What really compels SMEs to do something about the GDPR is having the ability to do business with others. Many clients have received requests from larger organisations asking serious questions about how they treat personal data. If these questions cannot be answered you are put at a serious competitive disadvantage.
3. Asking those questions of your own organisation is the key to being able to adjust to the GDPR standard. The overarching principle is accountability so if you don’t know what data you have, where you got it from, how you protect it, where you send it to and so-forth, how can you possibly demonstrate accountability? Being compliant is something you do every day. It’s being genuinely committed to protecting Data Subjects’ rights.
4. Some companies have still not “got it” – even very big ones that can afford expensive lawyers and PR teams. The concepts of ‘legal basis’ and ‘legitimate interest’ have been misunderstood widely, especially where the legal basis of consent for marketing communications is concerned. This is, admittedly, a complex area – but why send numerous separate consent emails to someone who can qualify for the ‘soft opt-in’ under PECR Article 22? If people are still getting it wrong, perhaps it’s another reason not to panic, while clarity emerges over the next few months.
5. People really care about what happens to their data. The impact of a ‘listening’ device in the home like Alexa is quite massive, for example, and when people really grasp the enormity of the potential consequences of giving up their personal data, they understand just why we need the GDPR.