Why small companies need to pay attention to the GDPR

When the EU’s General Data Protection Regulation (GDPR) comes into force on May 25, 2018, it marks the beginning of a new era in corporate data security. The GDPR will apply to all companies that hold data on EU citizens, but so far most of the attention has been focused on large concerns and on how big businesses will respond to a new set of strict data rules.

In reality, it might be even more interesting to take a look at the other end of the spectrum. Most large corporations have the technical and legal know-how to adjust to a new set of rules. Small companies, on the other hand, don’t necessarily have an organisational structure to rely on when preparing for the GDPR.

The Register has written an interesting article about small companies and why they need to pay attention to the GDPR. There might be a lingering feeling that the GDPR is a matter between EU and big international corporations. But the fact is that subjects such as consent, the right to erasure and data portability are just as important to small companies as to the large ones.

Challenges for small companies

Some of the procedures that companies need to have in place to comply with the GDPR are erasure and portability.

The ‘right to erasure’ means that customers can withdraw consent, in which case companies have to delete any information they hold about them.

Portability, on the other hand, means that customers can ask for a copy of their data rather than for its deletion.

Both concepts could pose a serious obstacle to small companies. The Register explains:

Portability and erasure could be tricky issues in a small business for both technical and organizational reasons. Firstly, they may not have the same kind of formalised process for handling data that some larger companies do. If your customer data is scattered across a selection of network folders, databases and individual PCs, you’ll have a tough time retrieving it for one customer. Now imagine if you get ten requests in a week.

Governance on the horizon

There is also a more general concern: that small companies don’t have the organizational capacity needed to comply with new standards on data security and privacy:

Organizations must take technical and organizational measures to show that they have made their data processing compliant with the concept of privacy by design. GDPR specifically mentions encryption and pseudonymization – the process of separating personally identifiable information from other data attributes to avoid security risks – as a means of achieving these design goals.

If a small business has been winging it without a grown-up IT department, they’ll need to source this technical expertise from somewhere to tackle these GDPR requirements.
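The pseudonymization that The Register describes above (keeping personally identifiable information apart from the other data attributes) is also what makes erasure and portability requests tractable: both become a single lookup instead of a hunt across folders and PCs. The following is an added Python example, not code from this article or from The Register; the class name, methods and sample customer are assumptions, and the records are kept under a random pseudonym so that deleting the identity entry is enough to unlink them.

```python
import secrets


class PseudonymisedStore:
    """PII lives in its own identity table; business records are keyed only
    by a random pseudonym, so the two join through one lookup that erasure
    can cut. Constructed example, not the article's or The Register's code."""

    def __init__(self):
        self._index = {}     # email -> pseudonym: the only way in from PII
        self._identity = {}  # pseudonym -> {"name", "email"}
        self._records = {}   # pseudonym -> non-identifying attributes

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def add_customer(self, name: str, email: str) -> str:
        key = self._key(email)
        if key not in self._index:
            pseudonym = secrets.token_hex(8)  # random, not derived from PII
            self._index[key] = pseudonym
            self._identity[pseudonym] = {"name": name, "email": email}
            self._records[pseudonym] = []
        return self._index[key]

    def add_record(self, email: str, record: dict) -> None:
        self._records[self._index[self._key(email)]].append(record)

    def export(self, email: str) -> dict:
        """Portability: everything held about one customer, as plain data."""
        pseudonym = self._index[self._key(email)]  # KeyError if unknown
        return {"identity": dict(self._identity[pseudonym]),
                "records": list(self._records[pseudonym])}

    def erase(self, email: str) -> bool:
        """Erasure: drop the PII and the index entry. Orphaned records stay
        usable as anonymous statistics but can no longer be tied to a person."""
        pseudonym = self._index.pop(self._key(email), None)
        if pseudonym is None:
            return False
        del self._identity[pseudonym]
        return True

    def is_linked(self, pseudonym: str) -> bool:
        """True while the pseudonym can still be resolved to a person."""
        return pseudonym in self._identity

    def record_count(self) -> int:
        return sum(len(r) for r in self._records.values())  # linked or not
```

A customer's data still exists after erasure only as unlinkable records; a real deployment would also have to cover backups and any copies held by processors, which this in-memory example does not model.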

Preparation is key

There is no question that small companies will have their work cut out for them in trying to comply with the GDPR. The trick is to have the right processes and technical tools at hand. This includes software that can help companies monitor how data is processed.

And also just, you know, understand that the GDPR is happening. The Register references an interesting survey conducted by cybersecurity consulting firm NTT. The survey finds that only 39 percent of UK companies realise that they are subject to the GDPR. Knowing that the GDPR exists is definitely the first step to compliance.