Many small firms are still unprepared for GDPR

Author: Olly Jackson | Published: 2 Mar 2018

The General Data Protection Regulation (GDPR) comes into effect in fewer than 100 days, yet a number of European businesses are worried that they will miss the May 25 deadline.

The GDPR is the most wide-ranging European data regulation to date. Organisations doing business in the region must be able to demonstrate there are procedures in place for storing data and that there are contingency plans for any data breaches that may arise. The regulation significantly raises the maximum possible fine for a data breach to up to €20 million ($24.4 million) or four percent of global turnover, whichever is greater, over 10 times the current levels. Analysis found that fines against British companies last year would be £69 million ($95 million) under GDPR, rather than the £880,500 imposed under the Data Protection Regulation 1998.

Client concern

Mayer Brown partner Oliver Yaros told IFLR a lot of clients are concerned.

"Many of them did not realise it was a big issue, but now they realise it is something they need to address," he said. Big firms will typically have a dedicated regulatory and legal team in place and are therefore expected to be more prepared than smaller ones. Yaros said these firms have generally done their mapping now and are amending their contracts accordingly.

However, those that do not have the internal resources necessary or a budget large enough to hire more internal support may have realised this is an issue too late.


  • Many businesses, particularly SMEs, are concerned they will miss the May deadline for GDPR;
  • Third party obligations mean data controllers could be held liable for data breaches arising from companies that they handle data for. This is considered to be the most challenging aspect of GDPR;
  • GDPR is likely to result in companies reducing the amount of data they hold and means it will become harder to monetise data.

A February survey by the Federation of Small Businesses found that less than 10% of small businesses have completed preparations for GDPR and a third have not even started preparing at all. For a regulation that is so wide-reaching, a three-month window does not give companies a lot of time to implement the necessary changes. A particularly troublesome effect of GDPR, and one that makes the regulation so wide-reaching, is that it requires organisations to impose obligations on the third parties they deal with.

Yaros said this is a very labour-intensive exercise, and has forced firms to hire internal people and get external legal support.

"Successfully negotiating the new obligations that third parties are going to adhere to is probably the most challenging aspect of GDPR," he said.

Most third party suppliers are now realising that they need to explain to their customers how they will comply. A written contract needs to be in place when a controller appoints a processor or a sub-processor, and all three parties (controller, processor and sub-processor) could be found liable for a data breach.

Controllers will ultimately be responsible for ensuring personal details are processed according to GDPR obligations, unless they can demonstrate that they are 'not in any way responsible for the event giving rise to the damage'. It is unclear what requirements need to be met to satisfy this and, regardless, the exception seems to set a rather high bar to reach.

Third party obligations

Mathew Lewis, co-head of Axiom’s global banking and regulatory practice, said the impact on third party vendor management may take some time to play out.

"Regulators have been raising the bar on vendor risk and compliance management in financial services for some time," he said. "Some companies may not have the patience and resources to do full blown data privacy and information security reviews on smaller firms."

A recent survey of Irish directors by the Institute of Directors Ireland reported that one-third are concerned about GDPR compliance costs, and these costs are likely to disproportionately hit smaller companies, which need more legal expertise to become compliant.

It has been widely reported that data could become the most valuable commodity available to businesses, but GDPR now seems to make it more a liability than an asset. Businesses can only hold data if there is explicit permission granted from the subject and if it is being used for a specific purpose. The data industry could be disrupted as a result and Lewis believes there will be a shrinkage in the amount of personal data held within financial services.

"This will limit the ability to commercialise this data or turn customers into conscious participants in monetising data," he said.

This, of course, will damage those companies that actively use data as a business asset. The new Payment Services Directive (PSD2) intends to make the banking sector more competitive and increase data sharing between traditional banks and fintechs, but GDPR could be an obstacle. Traditional banks must provide account information service providers (AISPs) with access to customers' account information, and banks could even become an AISP if they wish, but GDPR is unlikely to encourage them to do so. Now that fines for data breaches are much higher and easier to impose, and the bar for liability has fallen considerably, banks will not be encouraged to hold more data than necessary.


How will it be regulated?

It is difficult to speculate on regulators' future actions. In financial services there has been flexibility and regulatory forbearance granted for the European Market Infrastructure Regulation and the new Markets in Financial Instruments Directive (Mifid II) over the last year, but European regulators have not hesitated to levy substantial fines - in excess of $1 billion - in the last few months for anti-competitive practices. This inconsistency makes it difficult to predict how EU regulators will approach the new data protection regime.

For data controllers’ third party relationships with data processors, Lewis has focused on providing clear contractual certainty.

"It has not been as easy for clients as they first expected," he said. This has meant millions of existing documents have had to be updated and new ones formed to establish a clear legal relationship with all data processors.

This is a very long, expensive and complex process, particularly for small firms. Many businesses yet to complete their preparation are in a race against time, and for some that have only just started it may be too late to meet the May deadline. Time is running out.
