The General Data Protection Regulation (GDPR) laws that came into effect in May 2018 mean that all companies, large or small, must know exactly what data they hold on individuals and ensure that they are protecting it securely. It is an advantage to be a smaller company or start-up in these circumstances because they invariably will have fewer customers and therefore less data than a larger company with legacy systems. An older company might have to contend with paper-based information along with technology that consists of stitched-together systems due to company acquisitions and partnerships, making it much easier for a smaller, newer and more technologically-savvy company to be compliant.

The Downsides of GDPR

Larger companies will have many resources to ensure compliance. Smaller companies will not, but they will not be held to as high a standard either. Well-known companies like Facebook and Google will be scrutinized, as traditionally they have made the sharing of data mandatory when using their products. With GDPR, consent to the use of personal data has to be freely given and not tied to the ability to use a service, and small companies will have fewer changes to make to be able to take commercial advantage of this.

But it also means that the way some companies work may need to be altered. There are many firms that have relied upon aggressive marketing techniques as a basis for their business plan, for lead generation or even to build marketing databases for targeted ads. With the need for explicit consent for the use of data, these strategies will no longer be as successful as ones that have chosen, for example, a subscription-based business plan.

Specific Issues

Tech Startups – A 2017 survey by Mailjet of more than 4000 start-ups in the US, UK, and France has shown that although almost all of them use customer data, less than 30% were encrypting it correctly. And this doesn’t take into account all the businesses that hadn’t gained explicit consent for the use of an individual’s data. GDPR is the perfect opportunity for forward-thinking companies to make sure that the data they are storing is actually required, that it will be protected securely and the use of it has been authorized by the individual concerned. Aside from the potential fines incurred if found to be in breach of GDPR, this will set prudent and capable companies apart from their contemporaries.

Retail Companies – Many stores use CCTV which will fall under the auspices of GDPR if individuals are identifiable when filmed, so the availability of these cameras will need to be reviewed to make sure their use and any storage of recorded media are compliant. Additionally, this type of business generally holds a great deal of data about the purchase history of customers, loyalty card schemes and contact details. Anonymization is essential when profiling customers using this information, but rationalization and knowledge of the specific information held can also have benefits, particularly the possibility of making the day-to-day processing much more streamlined and efficient.

Manufacturing – Manufacturing businesses will have an assortment of data to collate, particularly when it comes to deciding which information will need to be passed on through the supply chain and which will be superfluous. This thorough data analysis can, however, be useful in improving supply chain management and efficacy.

Hospitality – Personal contact information received without explicit consent will probably be the largest issue for this industry. In fact, rather than work through each and every customer, UK pub and hotel giant JD Wetherspoon decided to just delete all the personal data it held regardless. Although this is perhaps a little overdramatic, it has certainly had the desired effect, with reputation and trust restored after previous security breaches, not to mention the free advertising at the time. Completely deleting their customer list may not be ideal for most companies, but certainly making sure that each customer has consented to the processing of their information is vitally important. Going forward, the trust engendered by this will be beneficial and potentially result in a greater number of loyal customers.

Finance – While GDPR will more strictly regulate companies that use data related to health, finance or location, the advent of PSD2 (the Revised Payment Services Directive), which allows third-party developers to access data from financial institutions, will be an excellent opportunity for smaller companies that choose to take advantage of it.

What Small Businesses and Start-ups Need to Concentrate On


The danger is that some small businesses will not think GDPR is something to worry about, particularly if they currently have no connection with customers in the European Union. There is every chance that some businesses outside the EU will never have any European customers, but if they are successful and grow they may well want to enter into a partnership with a larger company. If that larger company has links to the EU and has made sure that they are fully compliant with GDPR, they will not want to risk a partnership with a small company that isn’t. This may not be an immediate reason to improve security and take care of personal data, but if smaller firms are to be competitive in the marketplace going forward, they have to consider GDPR compliance a must.

Enhancing Your Security  

GDPR has placed greater reporting responsibilities on firms if they now suffer a data breach. Whether it is because of human error or cybercrime, they must inform the regulatory authorities in their country within 72 hours, followed immediately by letting any affected customers know. As well as having to flag up the exact problem, along with the effects it had and the action they have taken to ameliorate the risks and protect any data in the future, they will suffer the embarrassment of everyone knowing how lax their security procedures were. If customers lose trust in a company because it can’t look after their data, they may well not trust it to look after their money either.

There seems to be a continual rise in cybercrime, whether it is the WannaCry ransomware attack in 2017 or Yahoo admitting all its accounts were hacked in 2013, so extra robust security is never going to be a bad thing. It is potentially harder for larger companies to identify and protect all of their data, but small companies and start-ups should be doing it as a matter of course. It may seem overkill, but it is often the smaller companies that hackers target, specifically for the reason that their security may be easier to circumvent. The potential ransom payment, the cost of downtime a company can suffer and the difficulties they then face with getting all their IT infrastructure back up and running can completely ruin an unprepared company. Even if they manage to restore their systems, it will be a long process to restore their customers’ trust. Enhanced security can protect you from being the victim of hackers, and it also has the benefit of not only maintaining your reputation but, in the wake of other companies’ mistakes, improving it as well.

Further Improving Your Reputation 

With customers having more discretion over how their data is used and who is allowed to use it, there will be more demands on companies to prove they are abiding by both the regulations and the requests of individuals. Don’t just wait for your customers to ask how you are using their personal data, and perhaps to revoke permission for its use. Surpass expectations: investigate exactly what data you need and why you need it. Make sure that all sensitive information is protected securely and you will benefit from the increased trust that customers will put in you.

Getting to Know Your Customers  

Never forget that the prime reason for being in business is to provide value to the customer. If you can deliver personalized and meaningful content and products while showing that you respect and protect personal data, it is an opportunity to turn GDPR from what could be seen as just box ticking and red tape into an advantage that allows a company to promote change and transformation. If a customer has trust they are more likely to share even more personal information, which will give that business an advantage over their competitors.

Companies that collect data used to treat it as an asset, but post-GDPR it can often be a liability if not treated properly, especially in terms of the GDPR Cookie Policy. By implementing tough data management rules and top-notch security you can satisfy those customers who will now be expecting more from the companies they do business with. Be transparent so they know their demands are being met, and success will naturally follow.

It does take considerable time to evaluate all the identifying data you hold, establish why you require it and how you process, store and secure it, but all that work does have its benefits. Once you have carried out these investigations you will have gained considerable, valuable insights about your customers. These can be put to use in marketing and sales but more specifically into customer service. When you know what makes your customers tick, you are better placed to give them what they want.

Competing Post GDPR

In order to compete with the big boys as well as companies of a more similar size, start-ups and small businesses need to use compliance with GDPR as a major selling proposition and also a strategic opportunity. With more people now aware that they have control over their own data, customer service will be the defining characteristic of successful companies. Social media allows the word of consumers to travel far and wide at speed, and if a company can show concern for its customers, their data and their well-being, it can reap dividends. The key is to move fast, as this situation will not last. Although it is a marketing novelty now, businesses will need to take advantage of it soon before it becomes commonplace, as we’ve seen with other governing bodies’ adoption of similar privacy rules.