The cost of GDPR
A recent article in The Times suggested that small companies run the risk of hefty fines when the General Data Protection Regulations, or GDPR, come into force from next May.
Unfortunately, there’s little clarity at this point as to the size of those fines in relation to most small businesses.
It seems ridiculous to think that a business with a global turnover of £10m could be fined £17.5m, which is the maximum possible fine for a company of that size, since that figure exceeds 4% of its annual turnover.
But who knows?
And if the non-compliance relates to loss of highly sensitive or financial information that could cause major damage to the individual, then perhaps the intention is to put the companies at fault out of business?
At this stage, with less than a year to go, what’s important is to understand the likely cost of compliance.
The chances are that will be related to the level of risk.
And in that respect it’s no different to insurance – it’s a necessary cost but you hope that disaster will never strike.
Or you view it as similar to complying with the Health and Safety at Work Act – i.e. if your people operate heavy machinery on a daily basis, the risks are greater than if they spend their day at a desk.
The level of risk in relation to GDPR is primarily focused around the amount of Personally Identifiable Information (PII) you hold and what you do with it.
All businesses hold some personal information, even if that just relates to the details of their employees.
Some will hold large quantities on customers and that might include financial details or information on health, living arrangements, family, etc.
In both cases, it’s essential to understand what you hold, be clear about what you will do with it and ensure that it is safe and secure. And if the worst should happen, you need to be able to report on the details of any data breach, what has been divulged, what was in place to prevent it and how it might have happened.
The good news is that technology can help.
In our forthcoming GDPR roadshows, future webinars and upcoming blogs, we’ll cover four key areas: discover; manage; protect; and report.
How much you’ll need to invest in technology will depend on your level of risk, the complexity of the data, how it is processed and who has access to the data.
The first challenge is often knowing the extent of the data you hold and we’ll cover that in the next blog.