How the GDPR impacts and suffocates small and medium businesses

A load of rules of the GDPR apply to small and medium businesses as well. However, many still believe that this isn’t the case. Moreover, many small and medium businesses are starting to feel the impact of preparing for GDPR compliance, if they are doing so at all to begin with.

Just like all businesses in the EU (and many outside the EU) should, we’re preparing for the GDPR, short for General Data Protection Regulation. In the process of doing so – and also before we started doing so – we put out articles on GDPR-related topics to help others.

92% of businesses in Europe are not prepared for the GDPR (data November 2017)

Some of these articles concern basic things such as personal data, data subjects and identifiers, the various data subject rights, what a data controller and data processor is, what the GDPR fines are and so forth. Other go deeper and look at topics such as when data protection impact assessments are needed and how they can help in demonstrating GDPR compliance, just as codes of conduct do.

What we notice, at the start of 2018, is that the basic stuff gets read most, a worrying sign, knowing that we have quite some people from large organizations among our readers. We’re a very small EU-based business ourselves. And each day we meet or see people who believe GDPR doesn’t apply for small and medium businesses while it most certainly does.

Sure, there are some limited exceptions in the GDPR for small and medium businesses but far less than what people seem to believe.

GDPR in small and medium businesses - the major rules of the GDPR apply to small and medium businesses often with unintended consequences and a significant economic impact

How (un) prepared organizations and small and medium business really are for the GDPR

So, each time when we stumble upon research stating that xyz percentage of businesses will be ready for GDPR (with xyz being more than 50 percent) we know it’s a myth.

51% believes the GDPR is too complex for small and medium businesses and for middle market business (data November 2017)

Because we see the reality of preparedness, let alone awareness, regarding GDPR for small and medium business as well as the gaps and misunderstandings around GDPR in the large organizations we’ve worked with or know. A simple one-day look at the websites of 20 multinationals was sufficient to see that much and research confirms that GDPR compliance gap.

Forget all those numbers that 50 percent or more of organizations processing personal data of EU citizens, regardless of where they are, will be compliant in time. They are myths that are fed by the fact that many companies looking at GDPR readiness of the companies they interview focus on large organizations and only some look at GDPR for small and medium businesses.

The majority of companies, however, are small and medium business, certainly in the EU and certainly if they are data processors who deliver services for controllers who have far more leverage when it boils down to liability, particularly the larger ones.

Small and medium businesses are far from ready for the GDPR. As said many small businesses think that GDPR doesn’t apply to them or show clear signs of lacking GDPR awareness.

It goes for ALL the small and medium businesses we work with too, in our capacity as a controller. Whether it’s in the scope of subcontracting, tax obligations, whatever: not a single one of our ‘processors’ can offer us the necessary guarantees or contracts they need to offer us. When asking for them they look as if we’re from another planet.

A message to EU supervisory authorities and governments

Don’t think it’s much better in other companies. The gap between thinking what GDPR compliance means, let alone the level of compliance, and the reality is huge. Sometimes it feels as if no one cares but in all fairness we also have to point fingers to national authorities and governments as well, in the hope that the European Data Protection Supervisor and Article 29 Working Party (or European Data Protection Board) hear us.

Cutting budgets to get GDPR compliant is common practice in a majority of EU businesses. For small and medium businesses, delivering services to these businesses, the impact can be disastrous.

Some do great work (like the ICO in the UK to name one, yes, the UK, that is leaving the EU), some do OK work, others really offer nothing useful or just some basic things really everyone should know by now.

Even television stations that are ‘targeting’ businesses in many EU countries hardly talk about the GDPR at all. And general media? Even worse. But it is what it is: as far as the law is concerned you are supposed to know it even if your government is too busy debating on Twitter and Facebook, rather than taking care of small and medium business, to create awareness or tell you about it. And when EU consumers start exercising their GDPR rights (and, boy, they will) many will wake up in a nightmare. By the way: is it normal that in 2018 additional guidelines keep being published by supervisory bodies as if you can get compliant in just few months?

The unintended but certain economic impact of GDPR on small and medium businesses

But we hang on and keep working to get GDPR compliant as much as we can and at the same time informing others, even if it suffocates our business big time.

Small and medium businesses are not aware of the (consequences and duties regarding the) GDPR enough.

In our native EU country there’s a saying that, as a small and medium business (which, for our US friends are smaller than what you call small and medium enterprises) that follows rules, certainly the first six months of a year you work to pay your taxes and then start making money for your business. With our own preparations for GDPR we can easily add two months to that. For a small business that’s a disaster, for big controllers it’s peanuts because they can save somewhere else. And that’s exactly what they do, among others by cutting budgets for the small businesses they work with and putting them under pressure to lower prices. In our case that means that we’ll probably work not six or eight months before making money this year but rather nine.

Yet, enough whining and complaining (if you have projects for 2018 don’t hesitate to contact us though, we can use them, preferably content marketing and SEO, digital strategies, desk research, analysis, consulting, conducting campaigns on this site, all the stuff that’s safer from a GDPR perspective as far as we’re concerned and ready).

Only 8% of surveyed European business is ready for GDPR (data November 2017)

Here are some facts from a survey that seem much more in line with GDPR compliance in reality as we see it from November 2017 including the reality of GDPR for small and medium businesses and supporting many of the things we describe in this post.

According to a survey, conducted for audit, tax and consulting network RSM, 92 percent, let’s repeat that, 92 percent of businesses in Europe are NOT prepared for the GDPR.

And there is more:

  • More than a quarter lacks GDPR awareness: 28 percent are not familiar with the GDPR.
  • More than half believes the GDPR is too complex for small and medium businesses and for middle market business (51 percent).
  • Only 8 percent of surveyed business is ready for GDPR. At least, so they say and seem convinced. We would really like to check out a few of those.

Preparing for GDPR equals cutting budgets somewhere else – with an impact on small businesses

And how do those preparing for GDPR feel the impact of GDPR on business operations?

Quote: “The survey highlights that a concerning number of businesses are cutting back in other areas including plans to create innovative new products (23%) or to fuel growth through international expansion (22%)”.

We don’t need the survey to know that cutting back includes cutting back in working with small businesses and independent contractors who make a living in helping businesses to create those innovative new things and far more as we tried to make clear throughout this post.

Still, little more than half of respondents feel positive about the GDPR and the importance of personal data protection. And so do we or we wouldn’t be writing about it.

A concerning number of businesses are cutting back in other areas to get GDPR compliant.

But when it boils down to the impact of GDPR for small and medium businesses (not all of course, everyone has a different business), the preparations for GDPR, the consequences and impact of GDPR on how customers cut budgets (adding pressure on top of economic woes) and the consequences when data subjects start exercising the rights they have towards small and medium business under GDPR, in many cases simply will make victims, indeed maybe including us.

Just to give you an idea: the costs of taking GDPR trainings, seeking additional certifications in the scope of our work and drafting the needed processor contracts alone is equal to roundabout one month of our revenues. So, in the end we can be happy if we start making money in November. However, we were stopping our whining. The most scary thing of all: a lot of small and medium businesses we know have no idea what is really coming.

More results from the mentioned RSM research that, as said, is far closer to reality as we see it.


Top image: Shutterstock – Copyright: patpitchaya – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.