Greg Carter on GDPR – what are some emerging risks for SMEs?

Greg Carter is CEO of business finance provider Growth Street

It hasn’t been long since companies everywhere were scrambling to meet the 25th May deadline for the GDPR to become law. And with new maximum penalties of €20m or 4% of global turnover, the game has changed for those businesses who may have previously been complacent about their use of customer data.

Already, there are rumours that Dixons Carphone could be in line for a sizeable fine after a data breach was announced in June. It’s not yet clear that the Dixons Carphone breach will be investigated under the new GDPR rules, but it’s a warning for all businesses that in these cases, public reputations as well as company bank balances can be on the line.

For SMEs, however, the threat of bigger fines are only one part of the broader GDPR equation. For instance, it could well change the way many businesses market to prospective customers. It may also affect the way SMEs build and scale international trading relationships. It’s clear that legislation as wide-reaching as the GDPR may place a wider set of demands on growing businesses than many firms may have at first realised.

Welcome to the GDPaRty

I think the preparation most firms will have gone through pre-GDPR is actually a very useful process. Since May 25th, the onus has been on businesses to take greater control over all forms of user data. Some, like pub chain J D Wetherspoon, have taken drastic steps: Wetherspoon deleted its entire customer database in 2017, seemingly to wipe the slate clean and build their lists from scratch.

Another prominent effect of the GDPR for SMEs could be changes in the way businesses market themselves to potential customers – especially companies trading B2C. The era of cold emails to random sets of bought email addresses could well be over – instead, businesses may have to focus on engaging their existing audience and thinking cleverly about ways to reach new segments. (However, it’s worth remembering the thousands of businesses that have historically depended on relatively cost-effective tools like email marketing to kickstart new conversations. For these SMEs, the GDPR is likely to only make a hard job harder.)

Business owners around the world should also be considering the GDPR’s ramifications. By defining new standards regarding the protection of citizens’ data, the European Union has set the tone for any organisation wishing to interact with EU customers. Clarifying individuals’ rights over their personal information, as well as allowing people to better define exactly who can access that information, could have profound effects not only in EU territories, but across the world.

I speak to businesses every day who are looking to grow and expand. Exporting is a big part of many ambitious businesses’ growth strategies. I foresee the GDPR potentially having important implications for UK and EU companies which export to international markets. For instance, developing trading relationships with partners in another country may involve the transfer of certain pieces of customer data. Will this make it unnecessarily difficult for businesses to export, or will it just mean customers having better oversight of where their data is being used at any given time?

Lessons to be learnt

Protecting customer privacy is a complex issue. But I believe that in the long run, the SMEs who get on top of their data and make every effort to comply with the GDPR’s stipulations will be well-positioned. There are elements of the GDPR, such as its rules around intellectual property and trading overseas, that may appear confusing for those SMEs who don’t have legal and operations teams in-house.

Firms need to know not only about GDPR’s impact on their own business models, but the wider implications for customers, partners and suppliers. Although the big news stories are likely to centre on large corporations falling foul of the GDPR, SMEs should not be complacent.