How small businesses are tackling GDPR

The impending General Data Protection Regulation, which comes into force on 25 May, presents one of the most challenging overhauls that many marketers will have ever faced. Nowhere is that truer than in small businesses.

While a lack of awareness and resources is putting many SMEs in danger of being on the wrong side of the law, those that have taken proactive steps with appropriate advice could even be able to teach larger companies some lessons. The simplicity of their approaches and the benefits some are already seeing in terms of customer engagement could represent in microcosm how bigger brands should address the task of compliance.

Research from the Federation of Small Businesses (FSB) suggests most SMEs are cutting it fine when it comes to meeting the deadline, however. In late February 2018, three months from the enforcement date, it found 90% of small firms were still not fully prepared, while a third hadn’t even begun preparing and 35% were only in the very early stages.

“The GDPR is the biggest shake-up in data protection to date and many small businesses will be concerned that the changes will be too much to handle. It’s clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up,” says Mike Cherry, FSB National Chairman.

READ MORE: GDPR – Five questions marketers must answer before May

Many small businesses still unaware

“I only really thought about GDPR when you called up to talk to me about it,” says Chris Bingham, founder and owner of Berkshire-based beer company, Binghams. “But I think I might also have had an email from Her Majesty’s Government about it so it is on my radar.”

The brewery sells direct to customers from its HQ on the outskirts of Reading, as well as supplying a number of independent pubs, restaurants and local supermarkets.

“Our main customer database is made up of the emails from our brewery club and then the B2B side for talking to publicans. We run everything on mailchimp and there is an unsubscribe function,” he adds.

Bingham is the first to admit that he hasn’t really considered the implications of GDPR until very recently and is actively seeking information. Like many SMEs however, he feels he’s lacking guidance on where to find it.

“I would probably Google and then go to the Information Commissioner’s website to see if they have anything sensible on it. I’m also a member of FSB so that’s a three-pronged attack.”

Many SMEs will be relying on partners such as their agencies and law firms for GDPR guidance. “We were alerted to the whole thing by our digital marketing agency because, up to that point, we didn’t know anything about it,” claims Jo Bausor, head of marketing for the Henley Festival. “We felt it hadn’t been communicated about by anyone [else].”

The number of people we’ve been emailing has reduced massively but the engagement is better.

Miles Thorp, Banana Moon

A five-day international music and arts event, the Henley Festival entertains a 30,000-strong audience annually. It is in its 36th year and has a number of regular attendees as well as first-timers, so its customer database is wide-ranging.

Bausor notes the process it undertook to address GDPR compliance was relatively simple. All the Festival’s data is held in a single database, from which it sent a series of three emails urging customers to resubscribe. On the third ‘strike’ with no response, a customer was removed from the database.

Miles Thorp, digital director at personalised clothing ecommerce site Banana Moon, also looked for outside help: “We’re outsourcing it to our solicitors. They put a package together and we didn’t have a lot of involvement in it. They just gave us actions we needed to follow. At the moment, that’s doing things on the website to make sure we’re completely clear about what we use information for.”

READ MORE: Why ITV is treating GDPR as an opportunity rather than a challenge

Building internal capability

While many SMEs are finding that outsourcing or at least relying on external expertise is the kick-start needed to get the compliance train rolling, it’s clear that someone internally has to take ownership of compliance – as well as bringing the rest of the organisation with them.

Steven Roberts, head of marketing at Griffith College, Dublin, notes that it fell to him to get educated on data compliance. “I did the data protection course so became a certified compliance officer but one of the key things has been to identify the data users across the organisation and bring them together. That might be IT and HR, heads of department but we set up a committee to manage GDPR.”

There can be a concern in SMEs that people carry out a wide range of responsibilities. In large organisations, where job roles have definitive boundaries, the opportunity to accidentally stray into data misuse is low. In smaller businesses there is often a need for everyone to act, but that’s not necessarily healthy from a data protection perspective.

“You have to identify a number of key owners,” Roberts advises. “If others see influencers in the organisation taking the right steps, there is a filtering through of awareness and understanding that this is a significant development.”

“I see a massive benefit. The house-cleaning is something we should have been doing a long time ago,” Banana Moon’s Thorp admits. “We shouldn’t be forcing stuff on people that don’t need it. It’s a waste of our time and a waste of theirs. The number of people we’ve been emailing has reduced massively but the engagement is better. Rather than sending massive email blasts, they’re triggered by personalised content.”

Roberts agrees: “The fines are the stick but the carrot is that databases become more focused, contacts that want to receive messaging get it and there’s real value in giving customers what they actually want.”

Getting more from less

Henley Festival’s Bausor has also seen benefits from the pruning exercise: “We were really shocked that the database went from 24,000 to 8,000 and worried that it would affect ticket sales and engagement. [The people we have left on the database are] really engaged, our open rates are higher and unsubscribes lower. It saves me a few thousand pounds on data cleansing.”

The process hasn’t been without teething problems, though. In her first round of emails asking permission, Bausor discovered several customers thought they were being phished, so out of character was the communication.

The fines are the stick but the carrot is that databases become more focused, contacts that want to receive messaging get it and there’s real value in giving customers what they actually want.

Steven Roberts, Griffith College

“What we did in the second email was what we should have done in the first. We just asked if people wanted information from us and they thought it was a scam. In the second we explained we were reconfirming because of GDPR.”

The lack of consumer knowledge around legislation created to protect them has been a challenge for all businesses, not just SMEs. Bausor believes this has been at the root of some unintended consequences – namely, turning off loyal customers.

“We have people who have been on the database for years and they simply expect to receive a programme. Some who didn’t do the email sign-up didn’t get the programme and a couple of popular nights sold out very quickly. Those customers were cross that they didn’t get tickets,” Bausor warns.

It’s obvious that most businesses could still use some clarity when it comes to GDPR. After 25 May there is a sense that some further actions need to be taken but no-one quite seems to know what.

“There are a lot of grey areas. I’m not a lawyer but my understanding is that a lot will come down to how GDPR is implemented over the next 12 months and the approach various data protection commissioners take across the EU,” Griffith College’s Roberts suggests.

Bausor concludes: “I suspect there are still many SMEs out there that just don’t know what to do. In terms of an ongoing process, I don’t know what to do. This needs to be communicated because we have only scratched the surface.”