GDPR: Data protection overhaul hits small businesses

Are you fed up of emails from businesses imploring you to stay on their mailing list?

Spare a thought for the small firms navigating the biggest shake-up in data protection rules in 20 years.

The General Data Protection Regulation (GDPR) comes into force on Friday - to cut a long and complicated story short, the new laws tighten up how companies gather data about you and how they use it.

The new rules bring in multiple changes - including the need for "genuine consent" with "positive opt-in" - hence all the emails to anyone on a mailing list.

Maria Stella, founder of food company Sorai in Abergavenny, is one of those racing to make sure she is ready for the deadline.

"It's a struggle to digest the new law on GDPR. There is no one straight-forward free information platform where you can get advice and find out more about what you have to do," she said.

"As a small business it is not easy to hear about or find out about changes in laws and regulations as we do not have the capacity nor resources to look or delve on the matter. "

Ms Stella added that the authorities should have set up a support clinic for small business to attend and look specifically at their requirements.

Leah Blanc is director of the Simply Bare salon in Cardiff. They have to take personal information from clients such as contact information, next of kin, and medical conditions.

She said she did not receive any warning or information about GDPR.

"It's been very stressful tricky and time consuming," she said.

"As we are a salon, we always email our clients their appointment confirmation as well as a reminder email the day before their appointment.

"I totally understand the benefits of GDPR, but just wish we had received more information about it.

"It is going to be a nightmare to implement, but we will get it done...it might take us a bit longer than big corporate companies but I think our customers will understand."

Rebecca Lees is creative director at PR consultancy Chatterbox Comms in Taffs Well near Cardiff. She attended a training session run by the Information Commissioner's Office, which she described as useful for a "broad overview".

"On the whole, though, it has been time consuming and also a little confusing, with different information from different sources," she said.

She identified another problem with GDPR - making her email stand out from all the others arriving in customers' inboxes.

"We've sent out two rounds of emails to everyone on our contacts list, asking them to opt back in, and we've had quite a good pick-up. One of our emails was a little unusual in that we imagined what Donald Trump might say if he were tweeting about GDPR, so hopefully that caught the eye."

Jo Ashburner Farr, CEO of social enterprise Red Dragon Flagmakers in Swansea, said they have been heavily supported by the Wales Cooperative Centre which ran seminars on the new rules.

She is positive about the impact of GDPR on the business.

"This has been a good thing for us as we've been running a database of 10,000 subscribers with only about a 26% response on mailouts, so [it's been] a great opportunity to declutter...Working the other way we've seen a noticeable reduction in the amount of spam we get as a business."

A UK survey of 906 firms by the Federation of Small Businesses found only 8% had completed their preparations.

The new rules introduce the possibility of hefty fines for businesses if data falls into the wrong hands and they must report breaches.

However, the Information Commissioner Elizabeth Denham has previously said she recognised some companies will need time to become fully compliant, and that they will look for "commitment" and not "perfection".

The changes have left many businesses scratching their heads - and on hold on the help line at the Information Commissioner's Office's (ICO), which has been "extremely busy".

About 23,000 organisations have called it since it was set up in November and a spokeswoman apologised to those who have had to wait longer than they would like to get through.

"With several million [small and medium-sized enterprises] in the UK, the quickest way for them to get help with their questions about data protection and the GDPR is to self-serve on the ICO's website where there is a series of frequently asked questions with answers.

It also recommended that businesses check if their trade body or sector association had produced any information to help them.

Ben Cottam, FSB Wales head of external affairs, said his organisation is getting hundreds of calls about GDPR.

"In the first instance the ICO should look for an approach that supports compliance rather than enforces compliance," he said.