The Hurdle of Privacy Compliance for the Small and Medium Sized Business

Protect your business and read more about cybersecurity and privacy tips on our blog.

In recent times, it has become public knowledge of the increasing data protection and privacy claims made on businesses of all sizes. A situation that is due in part to an increase in both regulation and consumer awareness on how businesses should handle and process data. To complicate things further, the additional requirements of the General Data Protection Regulation (“GDPR”) has also increased the risk of claims.

While flow of personal data across national boundaries has facilitated commercial prospects of businesses, it has at the same time raised concerns of privacy of personal data. A lack of standard laws relating to data privacy has made it difficult for businesses to ensure that they are not in breach of any law across jurisdictions. An advantage that smaller businesses have in this regard is that they are more compact than larger organisations and their processes are more agile. Small businesses are therefore in a better position to ensure compliance in comparison to large organisations who are grappling with the GDPR requirements.

A recent study about privacy claims made on businesses, suggested that 61% of data breaches affect organizations with fewer than 1,000 employees. To get an insight as to why SMEs are increasingly affected by data protection related claims, it is important to understand what their obligations are.

Thus, it is because of such data protection legislation that claims for misuse of information and breach of confidence are often made. In such a case, a claimant must show that the information disclosed to a third party without consent is private or confidential in nature. In fact, the claimants do not need to show that there was any financial loss and are able to claim damages for the breach and for any distress and anxiety experienced.

Unlike large corporations who have who have comprehensive policies and procedures in place and are quite conversant with their privacy obligations, SMEs by their very nature, often do not have this luxury to benefit from. Some SMEs may not even be aware that they are data controllers or be aware of their requirements to register with the regulators or comply with data privacy regulations. Nonetheless, SMEs usually retain a substantial amount of personal data and/or sensitive personal data.

SME owners and directors can also be held personally liable in relation to these claims, in certain instances. Business owners are often expected to be aware of the need to ensure the company complies with its data obligations. Any failure by the SME’s management to ensure a business has adequate procedures in place and that it has complied with relevant regulations could result in a claim by the business entity or other shareholders against the managment.

Compliance with data protection laws is a challenge for organisations of any size. But small to medium-sized enterprises (SMEs) have to tackle compliance with limited budgets and a small IT team.

The following are the main regulations that businesses need to consider.

Data Protection Act

The Data Protection Act (DPA) is the starting point for all UK data protection rules. In fact, it is the DPA that makes the EU’s GDPR part of UK law. As such, the DPA was updated in 2018 when the GDPR came into force. It is a common misconception that smaller companies are exempt from the Data Protection Act. They are not.  But any organisation that stores or processes personal data needs to deal with the DPA, whether that data is stored locally on a simple server or hard drive, in a cloud service, or on an employee’s laptop.

General Data Protection Regulation

The GDPR brings the EU’s rules for data protection and compliance up to date. The regulation works as a set of principles and does not tell organisations how to be compliant at a technical level. It is down to SMEs to find technical solutions, and to demonstrate that they are keeping with GDPR principles and obligations.

Furthermore, the GDPR introduces some significant new rights for consumers, including the right to be forgotten, and some specific requirements for businesses, such as compulsory breach disclosure and, of course, much higher fines (up to 4% of global turnover). Research by IDC has found that the right to data portability set out in the GDPR has caused the most pain for SMEs.

Keeping personal data records on unencrypted media, even if kept under lock and key, or keeping it in the clear in the cloud, will not satisfy the regulators. Ensuring data is encrypted in transit and at rest and that only specified and trained staff can handle the files will show that a firm has tried to keep up with the law.



The PCI-DSS standard covers all organisations that handle payment card transactions. Banks will suspend card payments for companies that fail to follow the standards. And if a business suffers a data breach, it must be able to show it has followed the PCI standard for payment information.

PCI-DSS is far more specific than principle-based regulations, such as the GDPR. As such, it is a good starting point for smaller businesses looking to improve their data storage compliance.

Other industry specific regulations include HIPAA, Privacy and Electronic Communications Regulations, and SMEs in specific industries will need to comply with additional regulations. For healthcare organisations, the US-based HIPAA (Health Insurance Portability and Accountability Act) is a good proxy for the safe handling of patient or customer data, although it is not a substitute for following the DPA and other UK laws.

The Privacy and Electronic Communications Regulations (PECR) may be less focused on data storage but cover issues such as the use of data for marketing, securing communications services, and holding billing and location information for communications.

Additionally, firms will also need to address any regulations imposed on them by customers and, more rarely, suppliers. These can range from rules around the handling of classified government data, to protecting commercially confidential information. Businesses such as financial advisers, law firms and PR consultants need to be mindful of confidential data and ensure that files are stored – and shared – securely.

Staying compliant

A further challenge for small organisations is that laws and regulations are not static. Businesses also need to plan for legal research or regulatory investigations.

The following are some steps towards and remaining compliant

  • Data encryption and confidentiality – Businesses should have technology to ensure personal data collected is stored in encrypted form and also have internal mechanisms to guard against misuse by unauthorized access.
  • Data minimization – purging the unnecessary data which is not required.
  • Internal policies – businesses should ensure that all internal and external data collection/ data processing/ data retention policies are updated. Training sessions should be conducted to create awareness amongst the employees in relation to GDPR.
  • Privacy policy – businesses should update existing user privacy policies to include certain information such as identity and contact details of the data collector; purpose of processing and the legal basis for such processing; legitimate interests of the business in processing personal data (where applicable), etc.
  • Data processing agreements – businesses are required to have stipulated data protection obligations with third party processors.
  • Consent to be user friendly – businesses need to ensure that consent forms for collection of data from the users should be in simple language so that consent can be provided by the users by a clear affirmative action and should signify agreement to the processing of personal data relating to the user.
  • Demonstrating compliance – businesses are required to document all procedures and practices dealing with personal information of data subjects to prove compliance under the GDPR.


The financial consequences of a breach can be significant, and notification / remedying of breaches is both expensive and time-consuming. Aside from the financial ramifications, the risk of professional and reputational damage should not be underestimated, with data protection breaches increasingly at the forefront of the public and media conscience.

As duties on how businesses process data become more onerous, it is vital that SMEs and UAs are aware of their obligations and have adequate procedures in place. Insurers should insist that prospective insureds have robust policies and procedures to ensure that data is dealt with correctly and that the entity is registered with the ICO if appropriate.


Focus On Your Profits

Protect Your Business on Your Terms

Protect your life’s work with Responsible Cyber’s platform and services, arming you with comprehensive support for your business, empowering you to stay one step ahead of black-hatted criminals.

Cyberattacks on big corporations flood the headlines, but small and medium businesses are also big targets too. One in every five small businesses fall victim to a cyberattack and of those, 60% go out of business within 6 months. 

CYBERSEC Global 2020 Goes Digital – Register Now

CYBERSEC goes global and online in 2020The 6th edition of the EUROPEAN CYBERSECURITY FORUM will be held on 28–30 September online. This year’s CYBERSEC leitmotif - “Together Against Adversarial Internet” and the mission of the forum will enhance cooperation of...

read more

CYBERSEC Global 2020 Goes Digital – Register Now

CYBERSEC goes global and online in 2020The 6th edition of the EUROPEAN CYBERSECURITY FORUM will be held on 28–30 September online. This year’s CYBERSEC leitmotif - “Together Against Adversarial Internet” and the mission of the forum will enhance cooperation of...

read more
Responsible Cyber Revving Up For the New Decade

Responsible Cyber Revving Up For the New Decade

Responsible Cyber is a leading service provider of cybersecurity solutions. Given the efficacy of their solutions that improve the online security of small and medium-sized companies, they have grown at an astronomical rate.

Responsible Cyber provides a fully integrated platform that takes care of the cybersecurity of a business at different stages of growth. It is convenient, user-friendly, and affordable, which has added to the superiority and popularity of the solution. The platform allows busy business owners to pay at their pace, and on their terms while protecting their business. As a result, the business has been expanding at an accelerated pace in the domestic and the international market.

read more

Get In Touch


Don't be the next: we can help you!

Phone Contacts

+65 3157 2142

Email Contacts

Where We Are

105 Cecil Street #07-00 Singapore 069534

Send Your Message