Finally, May 25th rolled around and GDPR took legal effect. For those who spent the last few years living under a rock only to resurface in June, GDPR is the reason you’ve been asked permission to collect cookies when visiting websites and why your inbox was inundated with emails about updated privacy policies.
Now that the dust has started to settle and businesses have had time to adjust to the new regulation, what progress have we made as a nation in protecting the rights of our citizens?
The bad news
In February this year, the Federation of Small Businesses (FSB) stated that 90% of small firms were not prepared for the impending rule change. Come May 25th, this statistic hadn’t much improved. Reflecting on their findings, national chairman of the FSB Mike Cherry stated: “the likelihood is that many of the UK’s 5.7 million smaller businesses will not be compliant”.
Considering the well-publicised penalties for non-compliance with the GDPR, these figures are troubling to say the least. Having had two years to prepare, the number of firms still uncertain or even unaware of their new requirements is not only concerning, but somewhat confusing.
How did we get here?
According to EY’s risk advisory senior manager, a large portion of the small businesses who were not “GDPR-ready” by May 25th were those that had prioritised certain aspects of the regulation over others in a struggle to complete everything on time. Rather than opting for a step-by-step or “clause-by-clause” approach, businesses focused their attention on the areas that seemed the most business critical. In doing so, they missed or misunderstood several key aspects of the regulation.
However, the complex nature of the legislation itself didn’t help things either. Despite the abundance of blogs, business lunches, conferences and workshops aimed at educating leaders, managers and employees on the matter, the simple truth is that the regulation left a lot of room for misinterpretation.
Based on general principles rather than stringent rules, GDPR shape-shifted with each business’ interpretation of its aim: some falsely believed it was the end of their marketing altogether while others wrongly thought GDPR didn’t even apply to them due to their country of residence. As the clock ticked down to the GDPR deadline date, small businesses naturally found themselves clinging to the principles they at least understood to be important and parked the rest.
The silver linings
Already, GDPR compliance is acting as a competitive advantage for firms who have demonstrated a commitment to data protection. Of course, this comes as no surprise: good behaviour builds trust. Those who understand that GDPR is not a deadline, but a fundamental part of the business’ core strategy will naturally be favoured by customers over those who lag behind on regulatory compliance. Since the date of enforcement, this has been illustrated by the number of GDPR-focused supply chains who have retained and won contracts over their non-compliant counterparts.
Now that the initial panic has subsided, companies have the chance to turn a compliance burden into a competitive edge - but first, they must ensure their workforce is equipped with experts to champion the cause and leaders to weave data protection into the fabric of the company strategy. As cyber-crime becomes increasingly prevalent and headlines of high-profile data breaches fill the news, the real winners will be those with a strong defense.