The Consequences of Data Breaches for all Sizes of Organisations
Data breaches can happen to any business. Incidents at large organisations, such as Dixons Carphone, Superdrug and, most recently, BA, all hit the headlines.
This gives the impression that large organisations are the most frequent targets, when in fact they are not. Breaches occur most often at small and medium-sized businesses for the simple reason that there are a lot more of them. The only reason you don’t hear about them is that they usually involve fewer breached records, so the damage is limited as a direct result.
Of course, there’s little comfort to be had in reassuring customers or the public that “it was only a small breach”. You might avoid the public humiliation that the likes of Facebook and Equifax suffered after revealing mammoth breaches, but the damage will be proportionate to the size of your organisation. If you breached one in five of your customers’ records, that’s 20% of your customer base that you might not get back again and 100% of customers whose trust you need to win back.
How will GDPR affect a breached business?
Many people believe that they are exempt from the EU GDPR and the large fines that come with it. They believe this because they run a small business, and whilst the regulation does make some allowances for SMEs, no organisation is exempt.
The two allowances are certain derogations for businesses with fewer than 250 employees and the acknowledgement that defences should be adopted “as appropriate”. This means that larger organisations will be expected to have more thorough defences, whereas SMEs can use simpler methods, but the defences still have to be in place.
The ICO will take an organisation’s measures into account when determining any fines. It is good practice to make your defences as strong as possible – whether they’re technologies, policies or processes – but you also need to make sure you have the resources to cover and maintain them.