News alerts about data protection always seem to indicate that something has gone terribly wrong. From electronic toy makers and nationwide delicatessens to popular insurance providers and ride-sharing services, the frequency and enormity of data breaches have prompted a global call for stricter data privacy protections and increased transparency on data use.

For the European Union (EU), the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, is the answer to this critical concern. Perhaps the most significant update to data protections in 30 years, the 99-article ruling imposes penalties so severe that non-compliant businesses could lose the greater of €20 million or four percent of global annual turnover and the privilege of processing data.

Obviously, the larger the business and data volume, the higher the risk for HR organizations. But what about small and midsize businesses? Will the GDPR be a moment of awakening for their HR organizations too?

How the GDPR Affects the HR Function in Small and Midsize Businesses

HR not only handles personal data on employees, contingent workers, and candidates; they also play a big role in educating and training the entire workforce on what the GDPR entails, what counts as personal or even sensitive information, how to handle that data, and what their rights are as well as those of their customers. This means that HR plays a critical role in building a culture of compliance throughout the organization – and being a data privacy role model to all.

The GDPR casts a wide shadow of concern on any business with EU interests, holdings, customers, employees, candidates, and other touch points. Thanks to rising adoption of business collaboration, cloud computing, and mobile devices, small and midsize businesses have a global workforce reach that could likely qualify them for required compliance.

Take, for example, the new guidelines for consent and for data breach notifications. Companies must communicate to their employees and applicants in detail how long data will be stored, where it will go, and how to request information and deletion. Plus, they must contact the proper data protection authorities within 72 hours after awareness of a data breach that could risk the privacy rights and freedoms of individuals.

Unfortunately, manual, ad hoc business processes will not be able to keep up with GDPR requirements, compared to highly systematized and automated operations. Smaller businesses will inevitably find it challenging to determine every touch point of personal data, leading to potential issues in ensuring proper protection of personal data and prevention of accidental exposure to unauthorized access. Plus, as the competition for data protection officers and people well versed in data security intensifies, smaller organizations may not be able to hire and retain employees with the right skills.

From a Regulatory Burden Emerges Competitive Opportunity

To handle GDPR obligations, 77 percent of companies plan to allocate US$1 million or more on GDPR readiness and compliance efforts, according to a recent survey by PwC. Meanwhile, 68 percent indicated investments between $1 million and $10 million and nine percent expect to spend over $10 million.

For smaller businesses that do not have the same budgets and staff size of their much larger competitors, GDPR compliance can be quite overwhelming and unwieldy. But at the same time, they operate with a distinct level of agility that allows them to evolve their business processes faster to meet strict data protection and privacy regulations.

For example, without the same bureaucracy often found at larger enterprises, recruiters at smaller businesses can more quickly adopt cloud-based technology to strengthen, streamline, and automate consent, purge, and anonymization capabilities with applicant data. This approach proves to prospective employees that the business is focused on prioritizing data privacy and adding value to every individual interaction.

For HR leaders, GDPR compliance brings an opportunity to help these businesses level the playing field with their larger competitors. From finance, security, and risk management to sales, marketing, and customer service, organizations can evaluate the bigger picture and view regulatory compliance through the lens of the business’ future direction. Companies that recognize information as a strategic asset in their daily operations are positioned to gain 46% higher revenue growth and enable automated and continuous management of controls to cut audit cycle time by 50%.

It’s Time to Get GDPR Compliance Right – No Matter How Small the Business

Any business that wants to stay competitive needs to adapt to our increasingly digital world. Although the GDPR initially appears to be a burdensome, unavoidable cost, small and midsize businesses can use data protection as a catalyst for harnessing the full value of their data and channeling resources into the right areas to gain digital leadership and consumer trust.

Consider GDPR as a valuable investment for the future of your business. Read our white paper, “GDPR compliance: Where do I start?,” to explore how SAP SuccessFactors solutions and services can help fast-track business success with GDPR compliance.

Edith Bevers is head of SAP SuccessFactors EMEA North