GDPR: The risk of non-compliance for small businesses

Let’s be clear: when GDPR comes into effect in May, we’re not suddenly going to see hundreds of small businesses slapped with crippling fines. The Information Commissioner’s Office (ICO) has tried its best to tone down the rhetoric around penalties, emphasising that enforcement will be ‘fair and proportional’.

It could also be reasonable to assume that larger companies are likely to come under scrutiny first, and that smaller firms will be lower down the ICO’s list of priorities.

As a result, larger companies appear to be making headway on GDPR compliance, while some SMEs may think they will fly under the radar for a while after the May deadline.

But this may not be the case.

If a breach occurs and the regulator sees that there’s been little or no attempt to improve data protection practices, that’s where the harsher penalties will occur.

Moreover, as larger companies become more secure as a result of taking steps to comply with GDPR, smaller businesses can become more attractive to hackers as they are seen, relatively speaking, as an ‘easy target’.

They often have fewer resources to allocate to cyber security and are less likely to have in-house expertise, and, from a hacker’s point of view, they can still offer criminals a gateway into the supply chain of a much larger organisation.

This means they are just as likely to be the victim of a hack that could draw the attention of the ICO.

As such, there are some key considerations SMEs should factor into their approach to GDPR compliance and cybersecurity generally.

First, GDPR contains some very specific rules around gaining consent from the people whose data companies hold. All businesses need to develop an understanding of what customer information they hold, what it is used for and, importantly, whether it is necessary to keep it. This will help them to be more efficient in the way they use data, which is particularly valuable for time-poor SMEs.

Secondly, businesses should avoid rushing into large-scale investment. For a small company with finite cash flow, compliance could be a costly proposition if it has not taken the time to understand the ICO’s guidance. Rushed spending will be far less effective than a measured, well-researched approach, and some requirements may not even be applicable to smaller businesses.

Finally, it’s important not to view the ICO as the enemy. It has published a lot of useful guidance that can help SMEs understand the complex requirements of GDPR. Taking advantage of this assistance and seeking external advice can be incredibly useful, especially for small companies that might not have an abundance of cyber expertise in-house.

GDPR, and the cybersecurity threats it’s there to combat, apply to all businesses, big or small.

All businesses must get their ducks in a row. But for SMEs, simply understanding exactly what is required of them is a significant first step towards being compliant without investing a disproportionate amount of time and money.


By Andy Barratt, UK Managing Director, Coalfire

GDPR Conference Europe: GDPR Sprint, 4th May at NatWest HQ, 250 Bishopsgate has been designed to aid small businesses who are yet to complete their preparations for the regulation.
