GDPR: The risk of non-compliance for small businesses

Let’s be clear: when GDPR comes into effect in May 2018, we’re not suddenly going to see hundreds of small businesses hit with crippling fines. The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has tried its best to tone down the rhetoric around penalties, emphasising that enforcement will be ‘fair and proportional’.

It is also reasonable to assume that larger companies will come under scrutiny first, and that smaller firms will sit lower down the ICO’s list of priorities.

Larger companies do appear to be making headway on GDPR compliance, while some SMEs may think they can fly under the radar for a while after the May deadline.

But this may not be the case.

If a breach occurs and the regulator sees that there has been little or no attempt to improve data protection practices, that is where the harsher penalties will be applied.

Moreover, as larger companies become more secure as a result of the steps they take to comply with GDPR, smaller businesses become more attractive to attackers because they are seen, relatively speaking, as an ‘easy target’.

They often have fewer resources to allocate to cyber security and are less likely to have in-house expertise, and from an attacker’s point of view they can also offer a gateway into the supply chain of a much larger organisation.

This means a small business is just as capable of suffering a breach that draws the attention of the ICO.

As such, there are some key considerations SMEs should factor into their approach to GDPR compliance and to cyber security generally.

First, GDPR contains some very specific rules around gaining consent from the people whose data companies hold. To meet them, all businesses need to develop an understanding of what personal information they hold, what it is used for and, importantly, whether it is necessary to keep it. This inventory will also help them use data more efficiently, which is particularly valuable for time-poor SMEs.

Secondly, businesses should avoid rushing into large-scale investment. For a small company with finite cash flow, compliance could be a costly proposition if it has not taken the time to understand the ICO’s guidance. Spending before understanding will be far less effective than a measured, well-researched approach, and some requirements may not even apply to smaller businesses.

Finally, it is important not to view the ICO as the enemy. It has published a great deal of useful guidance that can help SMEs understand the complex requirements of GDPR. Taking advantage of this assistance, and seeking external advice where needed, can be incredibly useful, especially for small companies that do not have an abundance of cyber security expertise in-house.

GDPR, and the cyber security threats it is there to combat, apply to all businesses, big or small.

All businesses must get their ducks in a row. But for SMEs, simply understanding exactly what is required of them is a significant first step towards becoming compliant without investing a disproportionate amount of time and money.


By Andy Barratt, UK Managing Director, Coalfire
