Small businesses at risk of being overwhelmed by data protection burden

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV.com PLC.

Most UK small businesses are not ready for stricter data protection rules. [Blogtrepreneur/Flickr]

With eight months until the introduction of the General Data Protection Regulations (GDPR), the countdown is well and truly on but businesses are not ready, writes Mike Cherry.

Mike Cherry is UK national chairman of the Federation of Small Businesses.

The Regulation marks the first wave of a privacy reforms which could overwhelm small businesses across Europe. Alongside GDPR, small businesses will now be faced with new regulations on e-privacy, geo-blocking and the free flow of non-personal data.

With small, individual changes, smaller firms would have the time to digest what they mean for their business and make the necessary changes to meet the requirements of these new rules. However, the cumulative effect of so many new laws on data, in such a short time period, will simply be too much for many in the small business community to handle.

The combination of all these regulations will see small businesses picking up the bill for increased costs. Businesses are particularly going to feel this if they need to hire external support to comply with new rules, are faced with diminished visibility due to restrictions of third party cookies, or find themselves being mandated to sell products to people in countries they have no desire to. There is a real risk that the changes will have a wider ‘chilling effect’ on the use of data by smaller businesses. Not least on smaller tech start-ups where data is the key ingredient in their business models.

Earlier this year, YouGov surveyed British businesses about the upcoming data protection changes, specifically GDPR. The results were concerning, with just 29% of UK businesses saying that they had started preparing for GDPR, while 38% said they were unaware of the new rules. These statistics paint a stark picture and it can only be assumed that many of these businesses are equally unaware or ill-prepared for the other changes coming.

As things stand, a delay in the introduction of any other data protection regulations, such as the proposed ePrivacy Regulation, must be considered until small businesses have had time to fully implement and assess the impact of the GDPR. A key element of the better regulation principles which the EU institutions have pledged their support is the desire to avoid duplication and to enable one significant piece of legislation to land before adding another in the same area.

It cannot be forgotten that smaller firms have limited human, financial and technical resources at their disposal compared to larger firms who will be able to better cushion the impact of multiple changes.

Should an agreement be secured on a delayed start, this would ensure adequate time for a proper impact assessment of the ePrivacy Regulation, in particular how the proposed changes will affect the online visibility of small businesses and on those business models that utilise third-party cookies.

There is no denying that the current data protection regulations have not kept up with the pace of the digital revolution. In 2002, when the original ePrivacy Directive was adopted, Mark Zuckerberg was still two years away from launching the first version of Facebook.

Small businesses also understand the positive impacts that regulation can have. As our own research has shown, a majority of small businesses appreciate that regulation can provide a benefit in helping to build trust with customers.

The changes being proposed by the European Commission will put privacy at the heart of data protection, will put a greater onus on the security of people’s data, and will help make the Digital Single Market a closer reality. Unfortunately, these benefits won’t be fully realised if smaller firms do not positively embrace the new data protection landscape. This can only happen if they are given the time to understand the changes and implement correctly.