How to protect your small business from privacy breaches and GDPR fines

Although almost two years have passed since the European Union's General Data Protection Regulation (GDPR) entered into force, implementing the measures required for compliance continues to generate confusion and even some myths, especially among small businesses, including those that rely on the advice of experts in IT security services.

To help resolve some of the most frequent questions on the subject, here are some clarifications, drawn from the experience of multiple small companies, nonprofits and charities.

Only large companies, such as Google or Facebook, must comply with the GDPR: Although the tech giants bear the primary responsibility for securing our personal information, data protection is the duty of any company or organization that holds confidential user or employee information, and each of them must safeguard it properly.

Non-governmental organizations (NGOs) and small businesses should review their existing data protection policies and update every necessary point, so that their current information handling policy complies with the GDPR rules on the collection, storage, protection and destruction of personal data, and so that their storage systems comply as well.

The implementation of general policies is sufficient to comply with GDPR: Although multiple public organizations, firms and IT security services specialists agree on most points to be met by companies and NGOs in terms of data protection, it is critical that each organization analyze its own infrastructure, resources and expertise to find the best way to adapt to the legislation.

Consent does not exempt companies from further improvement: Many companies mistakenly believe that users cannot disagree with their data collection policies after they have consented to this process. In addition, companies must remember that consent must be freely granted, in an informed, specific and explicit manner, and that it may be withdrawn at any time.

Charities must also adjust: It is true that some NGOs are not subject to GDPR compliance, but this exemption is reserved for organizations that process information only about their own members or beneficiaries.

The situation is different for organizations that work with other companies or beneficiaries. In these cases, NGOs must register with the country's data protection authority, as the IT security services specialists point out.

GDPR compliance never ends: Information security is an ever-moving world, so small and medium-sized enterprises, as well as nonprofits, must conduct security assessments on an ongoing basis to ensure that their policies and procedures have not been overtaken by reality, leaving them easy prey for threat actors. According to the experts of the International Institute of Cyber Security (IICS), this update work must be carried out at least every two years.