How Small Businesses Can Survive in the Age of GDPR
Small businesses will likely need help with compliance. Here's what that might look like.
Opinions expressed by Entrepreneur contributors are their own.
You're reading Entrepreneur Europe, an international franchise of Entrepreneur Media.
The EU considers small and medium-sized businesses to be the backbone of its economy. According to its most recent annual report on European business, just 0.2 percent of companies in the non-financial business sector didn't fall into this category. These companies employed an incredible 93 million people, and 93 percent of them had fewer than 10 people.
There's no doubt that small businesses are essential for Europe's development. However, despite their relevance, one could argue smaller businesses have been left to fend for themselves in the rush for GDPR compliance. Compared to large corporations, small businesses need to put a lot more effort into following the rules -- their budgets and resources just don't measure up.
This leaves many companies facing an ultimatum: Do they comply and base their entire operation on compliance? Or put themselves at risk for a crippling fine now that the May 25 deadline has passed? It's not a great position to be in. But a significant number might be opting for the latter. According to an IDC survey released April 3, one-third of European small businesses and more than one half of non-European small businesses had no plans to comply.
Here's how this situation can be improved, and what needs to be done for small businesses to survive in the age of GDPR:
Be as transparent as possible.
At its core, GDPR is all about transparency -- and, well, giving EU citizens control of their data. So if a small business doesn't already have transparency etched into its DNA, it's time for it to resequence its genes.
Now, all companies need to clearly display exactly why they're collecting personally identifiable information (PII), and all the ways this data is being used. This needs to be in the most accessible language possible -- that is, no lawyer gibberish allowed. This is full disclosure. What data is collected? How is this done? How is it used? Is it provided to any third party? This information should be laid out neatly on the company website, but also be provided during the onboarding process in an application, or as each new piece of information is collected.
And if a small business is collecting information, it's also necessary to give users the chance to opt in, or out. This GDPR website writes: "Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it."
The EU needs to provide a clear guideline on compliance.
Keeping in mind that as of April, a large majority of EU small businesses had no plans to comply with GDPR, the EU should take it upon itself to help them. After all, the economy depends on it. According to the same EU report above, almost every member state recorded small-business employment growth in 2016 -- something that's expected to continue through 2018. In my opinion, this growth is at risk of being stunted if the EU doesn't help small businesses to be GDPR compliant.
"Western European companies are struggling to meet an imminent deadline, and this is more likely for small and medium companies. In addition, there are also misunderstandings and misconception issues that compromise on-time compliance," said Carla La Croce, a senior research analyst at IDC.
The GDPR aims to simplify the regulatory environment for companies. However, for these companies to be successful, the EU Commission needs to provide small businesses with a clear understanding of what the GDPR actually means for them. This involves curating all the facts from the EU's official page on data protection to develop easy-to-understand guides or questionnaires.
Consider an official guideline of how to handle the PII of employees, partners or contractors, for example. Or a detailed quiz businesses could take to figure out if their websites were compliant. This doesn't mean small businesses shouldn't have to read the entire GDPR and review it with a lawyer -- they should. However, tools like these will provide small businesses with easily digestible takeaways, and a much better start to tackling the new regulations internally.
Small businesses should learn from the big corporations.
It can be hard for small businesses to work through the GDPR alone. However, they have the opportunity to look at how big corporations or larger industry players are complying -- and then try to follow suit. Large corporations boast teams of lawyers that work to address the GDPR, and have the time and resources to invest in compliance. Small businesses can piggyback off this, and try to copy what they've done.
The first step is to read user agreements closely to understand how these big companies collect data, so small businesses can see if they work similarly. It's also important to look into a larger corporation's user experience design to understand how exactly they're getting users to comply or "opt in" to data collection. Is it during the onboarding process -- or more likely, as each new data point is collected?
Additionally, it's prudent to keep up with how each organization is laying out its GDPR compliance methods -- this way, small businesses can copy this data disclosure format. Facebook did so in a blog post in April, for example, in which it said it would start asking users to agree to the updated terms of service and data policy, ask users if they wanted Facebook to use data from partners, and start allowing facial recognition technology if users agree, among other things. The company provides more information on its website. Google and LinkedIn have similarly published their methods.
However, it shouldn't end there. Small businesses need to pay attention to how larger corporations are performing with GDPR compliance, too. If for some reason they've been found non-compliant for a certain action, it's a trigger for small businesses to look internally and ensure they're not doing the same.
So, yes: GDPR compliance poses some difficulties for small businesses. However, actions can be taken to make the burden a little lighter -- including the EU Commission providing clear, small business-centric guidelines and companies themselves working to be transparent and learning from bigger players. With this, small businesses will have an easier time surviving the age.