GDPR: one size does not fit all

Why mid-market companies face a tougher road with GDPR.


While much has been written about GDPR’s rules, sanctions, and fines, the regulation is often discussed as though its effect were the same on every company regardless of size. On paper, any company that violates the new data privacy regulation is exposed to the same international sanctions. In practice, GDPR will not hit companies of every size equally: for a smaller company, even the smallest fine could amount to a death sentence.

GDPR rules and sanctions

The security sector has certainly had its fair share of breaches. Attacks ranging from malware to man-in-the-middle interception are aimed at stealing private data and information. So when a particular field suffers too many repeated breaches affecting millions of innocent victims, regulation may indeed be the answer. Unless regulation is put in place to ensure fair treatment of the public, different entities will continue to act as they wish.

The intention behind any regulatory move is usually to benefit the public and ensure its protection. Regulation exists in every industry; it may be meant to prevent a monopoly, provide free and equal access to information, guarantee the occupational freedom of all men and women, ensure the general safety of the public or of workers, and so on.

It took a while for high-level regulation to reach the cyber security field, and specifically data security. In 1995, the EU Data Protection Directive was adopted to safeguard personal data held on digital and electronic systems. But after more than 20 years of technological change, the digital world of 1995 is no longer relevant, and neither are its rules and regulations. Two years ago, the General Data Protection Regulation (GDPR) was adopted. Beginning in May 2018, it will be enforced against companies in the European Union and against foreign companies that process the personal data of EU residents.

Why did government step in?

In 2013, a week before Christmas, Target suffered the now infamous data breach in which 40 million credit and debit card records were compromised. There had been other breaches at public companies before and many more since, but this was undoubtedly one of the biggest and most visible. Public discussion of each company’s responsibility model almost unanimously agreed that liability lies with the vendor providing the service, and there was broad support for that vendor compensating affected customers. When GDPR takes effect, one of its main goals will be to ensure that such incidents do not happen in the first place. For companies that fall out of compliance with the new regulation, the penalty can be as high as €20 million or, in the case of an enterprise, up to 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.

GDPR’s impact: enterprises vs. mid-market

When comparing big and small enterprises and how they will be affected by GDPR, it is helpful to take a closer look at the rules themselves.

Unfortunately, the truth about GDPR’s rules and fines is that they are too costly for small companies. When a certain level of protection becomes mandatory, some players, the smaller ones, will be left out of the game. In the name of keeping users safe, these rules create a class gap between bigger and smaller companies. With bigger budgets, an enterprise can work under the new regulation more easily, while a mid-market company does not always have the staff, the qualifications, the legal resources, or the general means to move the entire company onto a GDPR-compliant footing. So while an enterprise is pushed to work more securely, mid-size companies will likely fall through the cracks and below the security poverty line.

Sanction on a mid-market company could spell doom

Take, for example, a U.S.-based company that conducts only 5% of its business with European customers: it is still obliged to follow GDPR rules. Because of the demands GDPR places on mid-market companies, smaller companies are more likely to fall short and be fined under the new law. A fine approaching the €20 million ceiling would force most mid-market companies into drastic steps, such as abandoning a profitable mobile app or, worse, closing down.

Here are a few hurdles to overcome:

Lack of financial resources

The most obvious hurdle of the bunch. Smaller companies have much smaller budgets, and whereas bigger companies usually keep “rainy day” reserves set aside for cases like this, mid-size companies typically operate on the same recurring operating budget from cycle to cycle. Bigger companies may also carry insurance policies for such cases, something smaller companies cannot always afford to purchase.

Lack of in-house legal department

Large enterprises normally invest in in-house legal teams or departments to deal with any issue, big or small. Mid-market companies normally outsource legal work, relying on an expensive hourly model for legal support. Because of the prohibitive cost involved, they will likely be reluctant to mount a defense when accused of violating GDPR.

Technical preparation needed

Preparing for GDPR is not merely a legal issue; it also requires companies to address extensive technical aspects and establish new policies to adhere to the strict new data privacy rules. Some companies might need to rebuild their entire IT infrastructure, while others might only need to purchase additional protection software. Either way, this typically triggers a rollout and training of the tech team to ensure everyone is up to date on the new platforms, processes, and security applications. Completing all these tasks and subtasks takes time and money that most mid-market companies simply don’t have.

How mid-market companies can survive GDPR

One key way for smaller businesses to survive is to do everything in their power to stay in compliance and avoid being fined. They should make sure all their legal requirements and technical procedures are in place, and that the right internal teams are educated and up to speed on every relevant aspect; for example, by allocating a few hours each week to making sure the IT department is aware of the forthcoming changes, the technical adjustments required, the testing needed, and so on.

Most importantly, the main project for the company’s CISO and/or head of IT should be to find the tools that will ensure data and privacy protection. To make management easier, a good solution should be not only automatic but also autonomous, learning the company’s needs and requiring minimal staff support. If possible, to improve cost-effectiveness and provide optimal security, it is recommended to use one platform for all cloud services that can scan users, the devices they use, and the networks they use to connect to the cloud.

This article is published as part of the IDG Contributor Network.