The dreaded GDPR has arrived, the world hasn’t ended, and your business hasn’t attracted the attention of the Regulators.
So, you can ignore data protection and focus on something more exciting, because you’ve dodged that bullet!
... Or have you?
Statistically you haven’t dodged it at all. It’s merely that the bullet with your particular business’s name carved into it hasn’t hit yet, sorry. And again, statistically there is a greater chance that it will hit in the next year or two than that it won’t. So, to misquote that phrase made famous by Clint Eastwood, “do you feel lucky?” Because if your business has not taken appropriate steps to put in place measures which could protect the personal data it controls or processes, then that’s what you’re relying on... luck!
Like it or not, the GDPR is here to stay, enshrined into UK law by the Data Protection Act 2018.
In the course of advising businesses regarding the data security measures they need to adopt, we’ve witnessed a range of responses. Some organisations are proactively embracing the new regulatory environment, seeing it as a means of building trust with customers and business partners whilst differentiating their services from their competitors. More prevalent are the businesses that still want to do the right thing but either never quite get around to tackling it, because they’re not confident about what they should actually be doing, or have implemented some measures without realising they’re falling short. Those measures are inadequate because the business has misunderstood what the regulations require of it, and in the process it has given itself a false sense of security; literally.
If you’re unsure which of these categories your business might fall into, or just want some reassurance that what you’ve done to date is on the right track, here’s a quick and simple solution.
We recently produced a data protection training video for marketing professionals, with our partners at the Lonely Marketer. But a lot of the content is pertinent for companies in general, not just marketing specialists. So here is a free excerpt dealing with compliance, which you can use as a quick checklist.
In the coming months, as we run up to the first anniversary of the implementation of the GDPR, we’ll release some other excerpts, as well as blogging about some of the key elements which we find businesses are missing or getting wrong.
But, for those still not convinced that they really need to bother with complying, please read on. Here are four things you might like to consider:
1. Regulatory Enforcement. Whilst the noise around the implementation of the GDPR has died down, it hasn’t gone away. We’re probably in a phoney war at present. The UK regulator (the ICO) hasn’t made any pronouncements on any GDPR infringements yet, which could give organisations a false sense of security. But the direction of travel is clear. At the back end of last year, the Financial Conduct Authority (FCA) fined Tesco Bank £13 million for a data breach, and the French regulator (CNIL) has just fined Google €50 million for privacy infringements under the GDPR, the first high-profile fine under the new Regulations. The regulators are “gearing up.” They’ve indicated that they’ll work with those organisations who are trying to do the right thing but come down heavily on those who haven’t bothered or, worse still, are intentionally misusing personal data.
2. SMEs can relax? Tesco, Google, Facebook and the like are all big companies. A common misperception is that data protection is something only big companies need to worry about. Unfortunately, the reason we hear about them and not the little guys is that most SMEs aren’t newsworthy. But, if you’re an SME (employing 250 staff or fewer), are you aware that 58% of cyber attacks are on SMEs? Why? Because they’re a soft target. Soft because they either don’t bother or don’t know how to do some of the very basic things to keep their data and their business safe. And of those SMEs attacked, 25% will have to cease all operations whilst they deal with the fallout from the attack, and 60% of those businesses will never reopen their doors and instead go bust because of the costs of rectification, reputational damage and lost business.
3. Consumer attitudes are changing. The public are getting cuter regarding what organisations do with their data. At first hand, we’ve seen a noticeable trend, particularly in the property sector, where disgruntled consumers are using their rights under the GDPR as a stick with which to beat agents with whom they have a dispute. Very often those data protection complaints are ill-conceived, with the data subjects frequently misusing their rights, often through ignorance. But the problem is compounded because the business they are challenging is not confident, often doesn’t properly understand the data subject’s rights itself and hasn’t put in place appropriate measures to deal with such challenges. We’ve seen businesses then tie themselves in knots, consuming a disproportionate amount of management time and distracting managers and directors from their “day jobs,” when, with a proper understanding and the right measures in place, they could have killed the whole issue dead in a moment.
4. Turning it to your advantage. To end on a positive note, there is opportunity with data protection, and we’re finding some businesses are embracing that. Elizabeth Denham, the UK’s Information Commissioner, stated that the GDPR and data protection is not merely a compliance issue and that businesses which adopt that view fail to understand the changing data protection environment. Customers (data subjects) are starting to take a greater interest in what organisations are doing with their data. Businesses which abuse the trust placed in them by their customers or business partners, either by misusing the data they’ve collected or by sharing it, losing it or having it stolen, risk incurring the ire of those parties, probably to the long-term detriment of their business. Alternatively, for those who promote data security as a feature of their product or service and who can provide assurance of their data security credentials, it is likely to become a key differentiator.