After we published last week’s 2017 to-do list for General Data Protection Regulation (GDPR) compliance, readers asked the question: what, if any, impact does this have on small businesses?
The answer: quite a bit.
GDPR requires that any company doing business in the EU – no matter the size – more securely collect, store and use personal information. And like the big guys, smaller companies face fines for violations that may occur.
But the regulation accounts for the fact that smaller businesses lack the same resources as larger enterprises. UK-based data protection consultancy DataHelp makes note of the differences on its website:
Under the current law, as contained in the Data Protection Act (DPA), the same rules apply, regardless of the size of an organisation. However, the General Data Protection Regulation (GDPR), which will replace the DPA and which is expected to come into force sometime in 2018, recognises that SMEs require different treatment from both large and public enterprises.
One area of concern for small businesses is the GDPR requirement that companies hire a data protection officer. But, as Incisive Business Media’s V3 site notes, that part is for firms with more than 250 employees.
“Smaller firms may still need to employ someone in this role if handling personal data is core to their operations,” V3’s Dan Worth writes. “This may not have to be a full-time employee, but could be an ad-hoc consultant, and therefore, would be much less costly.”
DataHelp notes that GDPR includes new obligations and liabilities for data processors, specifically:
- provision of an appropriate level of security
- data breach notifications to controllers
- designation of DPOs
- record-keeping
- direct liability to pay compensation
- policing of controllers and assistance with the controller’s compliance with its security obligations
- breach notifications
- impact assessments and prior consultations with data protection authorities
The requirement that processors take on more of those responsibilities may sound great if you run a small business, but DataHelp offers this bit of caution:
There is a reasonable likelihood that current agreements between controllers and processors will not be compliant with the GDPR and will probably need updating. This gives processors a foot in the door to renegotiate the terms and potentially re-allocate the risks imposed on them by the GDPR. SMEs are often not in a strong negotiating position when buying or selling processing activities with larger commercial enterprises and so care should be taken when such agreements are renegotiated.
Daunting as it all may seem, small businesses can take comfort in this: as long as they can demonstrate that they’ve put their best foot forward to meet the requirements of GDPR, regulators will work with them on any problems that might arise.
The key is to bring in the right consultants and document all actions taken.
For more specifics on what needs to be done, read through last week’s checklist.
I inquired about the DPO (data protection officer) and how the Dutch Privacy Authority sees it: at the moment, DPOs are only mandatory if you are in the business of processing data. Data regarding employees do NOT require you to have a DPO.
There seems to be a lot of different answers on the DPO element depending on which organisation you ask within the infosec community. Other companies are stating a DPO is only mandatory for those whose core activity is the heavy processing of sensitive personal data or a minimum of 500 employees.
As a small business owner, I have a simple question. Will something such as an employee receiving company email on their PERSONAL mobile device be against this regulation? We have several employees who use their own personal cell phones to access the company email server.