The year has kicked off with some pretty gloomy stories in the media about how small business owners are feeling uncertain about their future prospects as we head towards Brexit. I couldn’t disagree more.
Having steered their organisations through the ups and downs of volatility in 2017, they now have measures in place to mitigate key risks, from fluctuating currencies to finding new markets.
Frankly, they are riding the Brexit wave with confidence. But what they now need is a government which has also done its planning. Indeed, they tell me that their greatest frustration is the amount of red tape they have to negotiate on a daily basis.
More GDPR detail needed
One piece of red tape that is of particular concern is the EU’s General Data Protection Regulation (GDPR) which, when it goes live in May, will apply to any company that stores information identifying a European citizen.
Don’t get me wrong. We all appreciate that there is a need to update regulations so they temper what is a rapidly changing risk landscape for owners – the collection, use and protection of personal data. What is troubling is that detail is thin on the ground.
Much of the fine print will be determined by the courts as people bring businesses to account in coming years. This does little to reassure SMEs which are looking to meet their obligations and avoid potential fines of up to €20 million or 4% of their annual worldwide turnover.
What data protection really means
So, what can SME owners do to protect themselves? There is some guidance out there for small businesses (see the Information Commissioner’s Office FAQs for small organisations, for instance). You could consider getting expert advice from someone who knows your business. But I also tell my clients to embrace GDPR and open their eyes to the benefits.
Let me explain with an example: what would you do if one of your employees suffered a bereavement? Your standard policy may be to send flowers to their home address, showing that you are thinking of them in their time of need.
But, from May, that may constitute an inappropriate use of their personal information and could mean the employee reports you to the regulator. So, what should you do?
Protect your policies
Firstly, don’t just end your policy of caring. It shows you value your employees’ welfare and that they are an important part of your culture. Instead, think about how you can gain and record their consent to such communications.
You might send out an annual questionnaire, for instance, which asks your employees how they would like you to get in touch in such circumstances. This not only reinforces your policy of caring, but also allows you to record their consent to being contacted and how they would prefer you to get in touch – an important part of GDPR. It also means you’ll find out if they have an allergy to flowers or that they would rather the money was given to charity.
Time to record compliance
Another example I have come across lately is the matter of employee references – should you provide these on request once they have moved on from your organisation? This may also prove to be a sticking point that does not come under ‘everyday business activities’.
Again, it’s about communication. Most companies now offer exit interviews when an employee decides to leave. Perhaps it’s time to record if they are comfortable with you giving out references, and the scope of that information?
At the end of the day this regulation will be a living, breathing beast, both a friend and foe to us all – both professionally and personally.
So, make being friends a priority today – after all, regulators will look at how much effort companies put in when considering the penalty for failing to comply.
How do you think GDPR will affect your business?