Next week the European Union will officially bring into law the General Data Protection Regulation (GDPR) to give people greater control over any data a business may hold on them. This is an important reform. But the EU has introduced an enormous and untested amount of legislation that is making the transition onerous and burdensome for small business; to the point where it has become a guessing game.

The GDPR provides a single set of rules for all EU member states to ensure uniform compliance and carries strict data protection requirements with severe penalties for non-compliance— including fines of $25 million USD or up to 4 per cent of worldwide annual revenues, whichever is greater. The regulation doesn’t just apply to EU organisations, it also applies to organisations based outside of the EU, if they process personal data of EU residents.

If any company operations incorporate the data of individuals living in the EU, then the GDPR will be in effect for the organisation, whether the organisation resides in the EU or not.  Maintaining appropriate data collection and privacy processes is paramount. Consent must be explicit with transparently worded agreements.

As part of this consent the GDPR mandates it must contain the individual’s “right to be forgotten”, allowing data subjects the right to control how their data is to be used up to it being returned or deleted.

In plain English, no company operating within the EU is allowed to keep anything that identifies you, without your explicit consent. If you have signed up to a shop mailing list, that shop must now ask your consent to continue sending you information on sales, consultants must now ask their clients to continuously store their information and even for the overly cautious, should you give your business card to someone, they must send an email after the point confirming you consent to them using the information.

In the words of Julia Hobsbawn, a visiting professor at the Case Business School at the University of London, “it’s not an operational headache, it’s an operational and logistical migraine.”

Companies are beginning to feel the pressure to be compliant with the legislation by next week. There are small companies dedicating hundreds of billable hours to ensure data is compliant with the new legislation. Let alone the bigger corporates; which will include hotels, government departments and banks, whose databases will be extensive and will require months worth of work, which will include hiring new staff, getting legal advice, communicating changes, establishing new systems and deleting data.

What is equally confusing is that there is no legal precedent for the changes and lawyers themselves are not fully aware of what the future will bring.

Nevertheless, preparing for the GDPR has become a small industry. Legal firms are making a mint out of workshops, courses and downloadable information. This may be fine for a big corporation but for a small business where every penny counts, these additional costs have an enormous impact.

Such a cost may be worth it if you are getting completely correct advice but because lawyers aren’t entirely clear how the EU will interpret certain situations, hefty legal costs may not even provide the correct answer for some businesses. Given how large the fines are if a company is found to be non-compliant, the stakes have never been higher and small businesses are starting to feel the pinch of this legal uncertainty.

A survey conducted by specialist insurance broker Ecclesiastical has discovered that the legislation is already beginning to take its toll on small businesses. The survey found that 90 per cent of insurance brokers felt that too much legislation is being introduced in too short a time frame.

72 per cent of the 250 brokers surveyed felt that there are too many regulations to comply worth and 82% felt that the benefits of the changes are unlikely to match the resource to comply.

The world of advertising has also formed a bitter bias against the EU. Mediums such as email marketing are almost certainly to be wiped out by these changes. Advertising agencies and media companies must now consent to use data sourced from publishers and advertisers in order to keep running their ad services — a tough thing to do without a direct relationship with users. Already the EU is seeing a flood of international firms begin to look beyond the EU to places with less of a regulatory burden.

Of course the European Union must create some form of legislation to address the issues around data protection. Too many breaches have occurred within recent history that prove that the pace of technology has outstripped the pace of legislation. But the EU cannot turn a blind eye to some of the consequences of this wave of enormous legislation. The lack of legal precedent and the pure amount of work required has meant that the GDPR has become a burdensome guessing game and small businesses will be the ones to lose out.