The two-year GDPR transition period expires and the regulation officially goes into effect on May 25 of this year (2018). Naturally, a lot of businesses have a lot of questions, and a popular one we get from our small and medium-sized clients is:
Do we need to be GDPR compliant right away, or at all, given the size of our company?
These companies assume that since the EU has hundreds of millions of citizens but finite enforcement resources, the likelihood that their small or medium-sized company will be investigated or prosecuted is slim, whereas larger enterprises are much more exposed.
When I hear this, I like to give an analogy about the IRS. Like the GDPR, the IRS requires you to do your taxes every year, and the likelihood of your small or medium company being investigated is very small because there are millions of businesses in the US. The IRS would also most likely target larger businesses or organizations. However, even with a low risk of being investigated by the IRS, almost all businesses still make sure they follow IRS regulations and protocol, fearing fines and other repercussions.
So, do you need to comply with GDPR, even if you're a small-to-medium sized business? The answer is yes. You should give GDPR the same importance you give the IRS, for a few different reasons:
1. The chances of being investigated are much higher under GDPR than with the IRS, because your customers, who make up a large part of your business environment, can report you if they see discrepancies in how their personal data is handled.
In comparison, it's safe to say your customers don't really know your tax situation, which significantly reduces the risk of your customers reporting you to the IRS. It takes only one user complaint to open a case and put you on the radar, and before you know it, the regulator will be knocking on your door.
2. The second reason, which might be even more important than the first, is the fines, which can harm your organization's reputation and, in serious cases, be up to 4% of your annual revenue or 10 million euros (whichever is higher). Fines of this caliber can quickly immobilize any business, large or small.
3. Finally, it's just a good idea. Following the standards the GDPR lays out is a great way to safeguard your organization and build more trust with your customers. What the GDPR outlines are simply good business practices.
When push comes to shove, even though GDPR is still in its early phases, the regulators have finite resources, and you are not a behemoth, you still need to abide by GDPR standards if you collect or process the data of EU citizens.
To learn more about GDPR compliance, click here to find multiple learning paths for various roles in any given organization.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cybersecurity training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. The on-demand LMS platform has white-label capabilities ideal for internal training purposes.