Is GDPR Just Making a Profit or Does It Actually Protect Consumers?
It's fair to argue that small businesses have not greatly benefited from the EU's General Data Protection Regulation (GDPR), which was implemented in March 2018. Additionally, it's not exactly benefiting customers all that much either.
For small business owners, enforcing data privacy regulations resulted in considerable disruption and expenditure. Moving forward, the increased threat of hackers is a concern and expense for business owners. Under GDPR, a data breach is subject to sanctions.
Small firms are required by data privacy rules to allocate a portion of their budgets to constructing effective cybersecurity defenses. Because of this shift in funding allocation, businesses can't expand as quickly as they might without GDPR.
Furthermore, we should question the GDPR's actual value. Is GDPR actually effective? The answer, according to Wired, is no. Consumer data is still compiled and profitably sold by data brokers. The daily barrage of unsolicited advertisements that arrive in your inbox will let you know this is accurate.
Moreover, the introduction of GDPR was prompted by the misuse of user privacy rights by Google, WhatsApp, Facebook, and Instagram. The tech behemoths were charged with coercing individuals into disclosing their data without getting their informed consent.
The main difference today is that we authorize the usage of tech businesses' services. And we won't be able to use their services if we don't consent. However, they continue to deliver tailored advertisements for their clients, which are businesses, utilizing our data.
In essence, businesses that have acquired data from Google and Facebook are invading our privacy. And how do Google and Facebook generate revenue?
The Impact of GDPR on Your Business
Administrators of the GDPR have recovered fines totaling over 2 trillion dollars. It was claimed that a total of €2,380,276.917 had been collected as of this writing in December 2022.
Companies that are found responsible for a data breach are fined about 2% of their global sales. Penalties, however, are calculated to account for mitigating factors such as whether the cybersecurity measures are sufficient in light of your budget.
However, the GDPR fines are not what render a corporation unprofitable. A data breach must be reported to the impacted parties.
According to reports, 60% of small businesses are compelled to shut down as a result of a data breach. A ruined reputation is the main cause of the forced closure.
More than 100,000 people participated in a Thales poll that indicated that 70% of consumers would no longer do business with a firm that experienced a data breach.
Therefore, the GDPR fine is not the problem. The provisions of the data laws are what harm small enterprises the most.
Furthermore, the Information Commissioner's Office (ICO), the authority in charge of looking into violations and imposing fines, recently declared that it will concentrate on going after bigger businesses that "cause severe and prolonged harm to individuals."
"We will have additional authority to halt firms from processing data, but we only act when there has been grave and ongoing harm to people...
"We now have the potential to pursue larger, international, and occasionally multi-national corporations where the previous fine of £500,000 would have been insignificant."
This is just partially true. The Meta platforms have received the largest fines. But has Facebook ever informed you that they are breaking the law on data privacy?
And do you still see tailored Facebook ads?
Additionally, there are 1,538 entries on the ICO's Enforcement Tracker, the majority of which concern small firms and individuals. Both "insufficient legal basis for data processing" and "non-compliance with standard data processing norms" are cited as justifications. The normal range of the fines is €1,000 to €100,000.
According to the data, it doesn't seem like the ICO is "going after huge firms" with its financial authority. To an IT behemoth like Meta, a 2% fine is nothing.
However, if everyone realized that Facebook, Instagram, and WhatsApp are selling your data, they would quit using them. The same fate that small enterprises with bad reputations face may then befall Meta.
What Amounts To A Data Breach?
According to the Information Commissioner's Office, the data was in "non-compliance with general data processing principles." A data breach is characterized by:
"a security breach that results in the inadvertent or wrongful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data." This covers breaches that arise from both unintentional and intentional reasons. By extension, the loss of personal data is not the only consequence of a breach.
This means that small firms must set up sufficient cybersecurity defenses to keep their corporate networks—and subsequently, customer data—safe from hackers.
Small firms are therefore required to make at least a minimal investment in a variety of cybersecurity solutions, such as antivirus software, VPNs, data encryption software, and multi-factor authentication. Additional layers, such as virtual desktops and permissions for cloud-based services, can be added to your network perimeters.
Additionally, you ought to train your team in cybersecurity. People have a 90% greater probability of effectively fighting against cyberattacks if they are aware of the tools and methods utilized by hackers.
Small enterprises that can show they have constructed effective cybersecurity defenses with the funds at their disposal may avoid paying a large fine, provided they comply with Article 32:
- Encrypt data
- Ensure ongoing confidentiality and integrity
- Be able to restore personal data in a timely manner
- Regularly test and evaluate the effectiveness of security measures
There is some good news for small business owners. Companies with fewer than 250 employees are not required by law to retain records of their data processing activities. You must still take care to safeguard the private information of your clients.
The GDPR is not providing consumers with the benefits that the data privacy regulations are supposed to, according to statistical data and actual proof. We were informed that the goal of GDPR was to stop companies from abusing customer data. That doesn't seem to be taking place. In the meantime, small firms are being penalized and forced out of business.