Since its outset, the GDPR has been met with various views, ranging from the opinion that it’s a great step forward in protecting individuals’ data to it being a pain in the backside for organisations to adhere to.
What isn’t in doubt is that, unlike the hype around the Y2K scenario (which many tried to compare it to), data protection and its role in our day-to-day lives is only going to become more important.
I have written previously about the different attitudes to data protection within different sectors and differing sizes of business. There are those that feel that they must comply and others, particularly SMEs, that think “we’ll take the risk of not doing anything in the hope we don’t get found out”. A lot of this is due to companies thinking that GDPR is just about trying to escape a fine or being reported to the ICO. What they are not considering is that non-compliance could be costing them business.
In the past few months we have dealt with 3 clients that have had reason to understand the importance of complying with the regulation.
Most recently, a travel company contacted us with regard to their Privacy Notice. They had had a 15-year relationship with a large City-based institution, arranging its annual corporate event. This was always discussed in the March, with the event held in late Summer. By April no contact had been made by the client, so a call was put in. The travel agency was informed that the company’s law firm had reviewed all of its suppliers’ Privacy Notices and that suppliers whose notices were not compliant were not allowed to be used. The travel firm’s policy referred to the Data Protection Act 1998 and contained little of the necessary content. Fortunately we were able to address this and the relationship was restored.
In another case, a building company tendered for a large contract with a major retailer and was told that, whilst theirs was the best quote for the job, there may be some issues as they couldn’t prove that they were compliant with Data Protection laws. The retailer deemed this to be as vital in the contract as Health and Safety and Anti-Slavery Policies. Once again the situation was resolved and the company secured the contract.
Finally, a printing company that provided business cards for a large multinational’s employees was told that, despite years of exemplary customer service, they would not be able to be used unless compliance could be demonstrated.
What these anecdotes should highlight is the fact that large firms, as Data Controllers, are conscious of not breaking the law. The law states that they must only use Data Processors that comply with GDPR and should have data protection written into the contract. As a first step, businesses will look at your Privacy and Cookie policies to check if you are taking appropriate steps to comply.
As an SME you may think that you don’t need to do anything about GDPR and that it’s not affecting your business, but it could be that you don’t know what you are missing out on.