GDPR: One Size Does Not Fit All
With GDPR imminent, it is becoming more and more clear that smaller organisations will find GDPR a bigger mountain to climb. Dror Liwer, Chief Security Officer of Coronet, recently wrote an insightful article in CSO, raising awareness of the ‘sledgehammer to crack a nut’ nature of GDPR.
We’ve said this plenty of times before … GDPR is imminent. It’s happening. We’re embracing it. Companies large and small are working hard on compliance. The new regulation is destined to prevent personal data being misused and to protect the individual.
But at what cost to business?
Any company which violates the GDPR will face penalties, significant penalties. On paper, the effect of the legislation is equal for any company regardless of size. In reality, for smaller companies there is little equity in the sanctions. Even a small fine could be a death penalty. Smaller companies, which, by their very nature and infrastructure, are less equipped to prepare for GDPR, are those that will suffer the most impact should they be caught napping on the personal data front.
Why did government step in?
Protection of the public and its personal data is paramount. The last few years have seen a plethora of data breaches and governments across Europe, and internationally, want to prevent such occurrences. Therefore, one of the main goals of GDPR is to ensure these incidents won’t happen in the first place. Penalties for failing to prevent data breaches could be as high as €20 million or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater. Large enterprises have the breadth, scale, and budgets to develop GDPR compliance. It’s a costly exercise and one which for smaller companies might be prohibitive.
Liwer suggests that GDPR could create a class gap between bigger and smaller companies. “With bigger budgets, it is easier for an enterprise to work under the new regulation while a mid-market company doesn’t always have the staff, the qualifications, the legal resources, or the general means to move the entire company to a GDPR-approved method. So, while an enterprise is affected to work more securely, mid-size companies will likely fall through the crack and below the security poverty line”. Heavy sanctions on small organisations could spell certain closure.
Smaller organisations face many hurdles in their quest for GDPR compliance:
Lack of financial resources
Lack of in-house legal department
Technical preparation of IT infrastructure
Establishment of new policies and parameters
How can smaller organisations survive GDPR? Every organisation which either controls or processes personal data now needs to do everything in its power to avoid being non-compliant and being fined. Every legal necessity, every technical aspect, every new piece of software or modification to existing platforms should be in place to ensure data privacy and protection. All staff and departments should be educated and informed and singing from the same hymn sheet.
The GDPR isn’t as terrifying as you might think, and if you still need help to banish your GDPR monsters, take a look at this great article from the DMA.
It’s not an easy task, but it’s possible. Take advice, contact the ICO, talk to the DMA. Attack compliance in bite-sized chunks and you’ll make progress. What is certain is that if you haven’t got your GDPR ducks in a row by now, you’re running out of time.