A guide to implementing GDPR: Lessons learned from UK businesses

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It was the biggest overhaul of data protection for years, and everything from cookie notifications on websites to a flood of emails explaining new privacy policies indicated that many businesses completed their preparations only just in time.

Now that more than 100 working days have passed since the GDPR came into force, the other side of this picture is that numerous businesses didn’t meet the May deadline.

There will be businesses that still aren’t operating under the correct data protection policies or measures. Each one that isn’t complying with the GDPR risks fines of up to 4% of annual global turnover or €20m, whichever is greater.

And that’s before we talk about reputation damage, where clients are unlikely to trust a business any longer if it’s identified as having illegal data protection practices.

Implementing GDPR: Lessons learned from UK businesses is a guide filled with advice about contemporary data protection. It includes interviews with people in various sectors and sizes of business – from small companies such as prize promotion agency Prizeology to large businesses including financial services consultancy Brickendon – on how they implemented their own GDPR measures.

If your business hasn’t implemented the GDPR’s measures, or you would like to check your existing implementation, then this guide will help you. It features input from those responsible for implementing the GDPR in:

  • Small businesses
  • Accountancy practices
  • Large businesses

There are also insights and advice for those who deal with payments and payroll within a business.

Here’s an excerpt from Implementing GDPR: Lessons learned from UK businesses:

Prizeology – implementing the GDPR in a small business

Sarah Burns owns Prizeology, a prize promotion agency that helps brands, agencies and businesses engage with their customers and create awareness.

Speaking to Sage in early 2018, several months before the introduction of the GDPR, she referred to it as “a significant drain on my resource”.

She continued: “We manage a lot of data and we keep all the details for a certain amount of time because we’re obliged to for regulatory purposes. GDPR is an important administrative process because it will be something that all our clients require but it’s taking up an enormous amount of my time.”

The work for her and her colleagues had begun 12 months prior to the GDPR introduction date, and it took six months to create the necessary documentation alone.

Speaking to Sage once again as the 100-day post-GDPR milestone approached, she’s more sanguine. Given the chance to go back in time to tell herself one thing about implementing GDPR, it would simply be: “It’s going to be OK!”

“It’s changed how we conduct some of our business,” she adds. “But I genuinely feel that the changes we have made are very positive. While I’d have liked for it to have been less time consuming, I think it has been worth the investment.

“While we have always had good processes in place, GDPR gave us the opportunity to review and fine tune further, which I think has been to the benefit of our business, our customers and consumers.”

Unforeseen issues

One unforeseeable issue she’s experienced is that some of her clients, which tend to be big companies, have yet to get their own GDPR house in order.

She says: “We’ve had a recent issue with procurement for a large global brand who used the GDPR as a reason not to onboard new suppliers – because creating a data-sharing document for a new supplier is apparently a difficult issue! We’re finding the interpretation of GDPR among our clients and customers is varied and there’s definitely a lot of misinterpretation.”

The inverse of this is that Prizeology’s own thorough preparedness has been positive. Sarah says: “It’s been great for securing further business with existing clients and winning new clients. Showing that we take data management seriously has actually been a tremendous boon. Many of the individuals we work with have been relieved that we have everything in place so they can continue working with us.”

She and her team have even been able to help advise some of her clients on the most compliant way to collect data, which again increases the attractiveness and value of the company’s service.

Approaching the GDPR

What advice would Sarah offer businesses updating their procedures for GDPR?

“Break it down into bite-size chunks and implement what you can, when you can,” she says. “Don’t be sucked in by expensive GDPR ‘experts’. There are plenty of online resources that can help. In the build-up to GDPR, the excessive media coverage and scaremongering made it feel like an enormous task, and while it’s definitely not a small job, it is manageable.”

As Sarah’s story illustrates, smaller businesses can suffer disproportionately from the costs – both financial and time-related – of implementing the GDPR. However, the small size of a business can be an advantage because it’s more likely a single individual or small team will have the necessary overview of all functions to see where the changes need to be made.

Here’s how the GDPR impacts common areas within smaller businesses and what you can do to adjust practices.

Marketing

Put simply, with existing databases for marketing leads you will have to undertake two tasks, at least:

  1. Legally review the consent that was used originally and see if it’s compatible with the GDPR’s requirements.
  2. In the likely event that your existing consent isn’t sufficient, and there’s no other basis for lawful processing of the data, you will have to contact each and every one of the individuals in the database to seek new consent. If you don’t receive fresh and specific consent for the ways in which you’d like to process the data then that individual’s data must be suppressed or deleted.

It’s been estimated that the above requirements could mean databases such as those for sales and marketing are reduced by as much as three quarters.

However, it’s also been pointed out that those customers who respond with fresh consent are proving themselves more valuable because of their willingness to engage with your business.
