Who is most at risk from GDPR: Part Two: Effects on small and large enterprise
Part two of this blog post looks into GDPR in more detail, and especially at how its risks affect small and large enterprises differently. Read on to learn more…
Large firms may have more spare capital to allocate to data protection. However, the complexity of their business systems, which grow in scope over time and absorb additional variables such as systems inherited from acquired companies, can make navigating and protecting personal data across the infrastructure a nightmare.
Companies with a large number of decentralised systems can be left with a long checklist for a single right-to-be-forgotten or right-of-access request, as opposed to a centralised query across all business records.
There is the additional risk of having to manage large volumes of unstructured data: anything exported from a system containing personal data and shared across the organisation is a potential exposure. This can go as far as reviewing the contents of email attachments exchanged between departments and with third parties.
With the barrier to entry for web-based businesses constantly lowering (enabled by our increased reliance on technology, the growth of freely available learning resources, low-cost hosting and free open source tools), small and micro businesses that reside primarily on the web are becoming commonplace.
These small firms may have less complex systems than giant corporates, but can face an entirely different set of risks:
- Due to the inherently data-driven nature of web-based business, they are likely to collect more data relative to their size than a business that operates predominantly offline.
- Limited access to capital may mean they have less to invest in cyber security than their larger competitors, leaving them at risk from malicious breaches.
- Many firms collect and package personal data as the product itself; as such, they must ensure proper data anonymisation and have a thorough understanding of the permission they need to ask of their customers, especially when distributing that personal data to third parties.
- Firms that rely on revenue from B2C sales deal with higher volumes of customers and therefore face greater potential for multiple requests from disgruntled or churned customers.
- For small operations, handling data requests may interfere with the day-to-day running of the business and therefore with the ability to deliver products and services to existing customers.
It’s quite easy to assume that GDPR is only relevant to your HR and CRM systems. This is far from the truth.
When analysing financial systems, you can find numerous instances of stored personal data, from information on past employees to stored bank details. All systems have the potential to create GDPR risk.
Analysing a business’s GDPR compliance is not a one-size-fits-all exercise.
Most firms, across all sizes and industries, are unlikely to be ready for the deadline, but those that show competence and make the effort now to align their processes with GDPR will reap the benefit of mitigated risk in the long run.
GDPR is not a necessary evil; it’s a long overdue update of the legal consequences of poor data management, bringing them in line with the ethics required of the 21st century.
With the increased realisation of the value of data, negligent management of personal data needs to be seen in the same light as negligent management of individuals’ investments, life savings or health and safety, all areas that are more widely accepted as corporate responsibilities.
If you have any doubts about your company’s readiness for GDPR, Itelligence offer a GDPR health check to analyse areas of potential data risk and help you make the changes that ensure your customers, employees and any other third parties can rely on you to look after their data.