Ask the Expert – Biggest GDPR related risks for SMEs
GDPR is a good news story. In our opinion, that is. We’ve already looked at the topic from a commercial perspective together with our friends at Foot Anstey, but we do know that GDPR means adjustments and a fair bit of rethinking for many of our clients.
With only a few months now until all companies have to become 100% compliant with the new GDPR laws, we wanted to gather and share another practical angle and some more insight, so we asked Colin Jupe of local specialist GDPR company VXPartners what he sees as the biggest risks for SMEs.
ADLIB: There seems to be a lot of scaremongering around the heavy penalties companies will face once enforcement hits on 25 May. What’s your take on that?
Colin Jupe: Yes, of course every organisation needs to take steps to comply, but many articles seem to be using the maximum fines for “headline grabbing”. It is highly unlikely that any penalty for an SME will be anything like €20m; the ICO has clearly stated that penalties for breaches will be proportionate, and they are not looking to put SMEs out of business if their intentions are good and they can demonstrate they have taken steps to comply. So the message is: start taking steps!
ADLIB: May isn’t far away. If companies haven’t started or are at the early stages of this, what do you advise as the best starting point?
Colin Jupe: There is still time for most SMEs. But, if you are approaching “GDPR compliance” this late in the day, we advise taking a very practical approach which identifies where the greatest risks are in your organisation and prioritising the remedial work around those areas. Being able to show that you are considering the GDPR and have a plan in place will be viewed positively even if you haven’t completed everything by 25th May.
ADLIB: Talking of risks, what types of threats should small to medium-sized businesses be most concerned about?
Colin Jupe: For the majority of companies, the potential risks lie in their processes, procedures and people.
Much is written about the threat of external cyber-attacks; the GDPR puts great emphasis on the security of personal data and most IT suppliers are aware of this and are already advising best practice to ensure IT systems are as secure as possible.
Much less is written about the threats from internal sources – human mistakes or even malicious intent from employees or ex-employees.
Examples of breaches of this nature include things such as loss, deletion, alteration, unauthorised disclosure and unauthorised access to personal data, which may arise because we sometimes put less emphasis on managing human processes than we do electronic ones. It is this type of breach that presents the greatest risk to many SMEs.
ADLIB: What can be done to prevent this from happening?
Colin Jupe: Don’t forget that your people are as important as your systems; culture and Employer Brand are as important as IT security. So training (including specific GDPR training), support, motivation and engagement, as well as a conscious focus on company culture, are essential steps to ensure your people know that they are important, that they feel valued and part of your vision and mission. Key to this is to employ people that are “the right fit”; we know that motivated people tend to make fewer errors, take their responsibilities seriously and feel comfortable being part of a solution if things go wrong. The GDPR principles of fairness, transparency, integrity and confidentiality cover all aspects of your business practices and approaches; your people are essential in delivering them.
Thank you, Colin, for sharing!