Does size matter? The repercussions of data breaches for small and large organisations

Data breaches can happen to anybody. Incidents at large organisations – such as Dixons Carphone and Superdrug – might be reported on more often, giving you the impression that they are the most frequent targets, but these are actually the exception. Breaches occur most often at SMEs (small and medium-sized enterprises), if only because there are a lot more of them. The only reason you don’t hear about them is that they usually involve fewer breached records, and the damage is limited to people in a certain area.

Of course, there’s little comfort to be had in reassuring customers that “it was only a small breach”. You might avoid the public humiliation that the likes of Facebook and Equifax suffered after revealing mammoth breaches, but the damage will be proportionate to the size of your organisation. If you breached one in five of your customers’ records, that’s 20% of your customer base that you might not get back again – and 100% of customers whose trust you need to win back.

What about the GDPR? 

Many people have mistakenly thought that they are exempt from the EU GDPR (General Data Protection Regulation) – and, by extension, the large fines that come with it – because they are a small organisation. Although the GDPR does make some exceptions for SMEs, almost all of its requirements apply universally.  

The two exceptions to this are certain derogations for organisations employing fewer than 250 people and the acknowledgement that mechanisms should be adopted “as appropriate”. That generally means that larger organisations will be expected to have more thorough defences, whereas SMEs can use less complex methods. 

Supervisory authorities will take an organisation’s measures into account when determining any administrative fines. You should always aim to make your defences as strong as possible – whether they’re technologies, policies or processes – but you also need to make sure you have the resources to cover and maintain them. 

Data flow mapping 

You can determine how appropriate your defences need to be by assessing the way information flows through your organisation. Your aim should be to keep as little personal data as possible, and to transmit and store it in as few locations as possible. 

To do this, you will need to carry out data flow mapping regularly. A well-designed map will give you an overview of:

  • How much information you process;
  • What you’re processing and why;
  • Where it’s held; and
  • How it’s transferred.

If you aren’t aware of these things, you can be sure that data is hiding in vulnerable parts of your organisation. This puts you at risk not only of a data breach but also of violating Article 30 of the GDPR, which requires organisations to maintain detailed records of their data processing activities and make those records available to their supervisory authority upon request.

Get help mapping your data 

Mapping your data can be time-consuming, but you can speed up the process by using Vigilant Software’s Data Flow Mapping Tool. It simplifies the mapping process and makes it easy for you to review, revise, and update maps when needed.  

With this tool, you can create consistent visual representations of the flow of data through all your business processes without having to resort to more time-consuming methods, such as pen and paper or vector graphics.