SMEs and Data Breaches


Keeping your business secure


This year in May, the General Data Protection Regulation (GDPR) marks the fourth anniversary of its entry into force. Widely recognized as an ambitious European Union privacy regulation, the GDPR applies to the processing of personal data. Why does this legal framework exist, and how can SMEs determine whether these privacy rules apply to them?

The GDPR: still going strong in 2022

Simply put, the GDPR aims to safeguard personal data when companies use that data to achieve their business goals. It is often believed that the GDPR applies only to the big players, but as Article 3 of the GDPR states, the regulation applies to all organizations that are based in the EU and collect or process data of European citizens. Even companies that are based outside the EU but provide goods or services to EU citizens fall under the same rules. In this sense, it doesn’t matter whether you own a one-man business, run a start-up or lead an SME. These safeguards are necessary to avoid the risk of data breaches and their consequences for the enterprise itself and for its data subjects.

Data breaches: an inescapable evil for today’s SMEs?

Within the EU, people and enterprises alike are becoming more and more aware of data leaks and breaches. This is visible in the increasing number of complaints and reports to the privacy watchdogs and supervisory authorities. From 2020 to 2021, the Belgian Data Protection Authority received more than 1,200 reports of data breaches and over 1,900 complaints. These figures are on the rise compared to previous years, as stated in its 2020 annual report.


In this report, the authority also classified the five most common types of data breach that SMEs and other organizations suffered from, as shown in the chart below.


Most data breaches are caused by human error, proving that there is still a lot to learn and improve. To that end, awareness training about privacy and the GDPR could be a first step in the right direction.


Since hacking, phishing and malware together account for an almost equal share of data breaches (27.71%), all possible technical and organizational measures to protect personal data must be taken. State-of-the-art firewalls, rigorous access control and encryption of data files will help protect you from hackers and other virtual attacks. Only then can data breaches be detected in time. This minimizes the damage and other negative effects on enterprises while safeguarding the rights and freedoms of data subjects.


The consequences of data breaches

As Christopher Graham (Information Commissioner, ICO) clearly stated: the knock-on effect of a data breach can be devastating for SMEs. When customers start taking their business – and their money – elsewhere, that can be a real body blow. Furthermore, supervisory authorities can impose fines on those who handle personal data in an irresponsible way, don’t implement sufficient technical and organizational measures, or don’t report a data breach in time. This can lead to severe fines of up to 20 million euros or 4% of global annual turnover.


The European Data Protection Board (EDPB) adopted its new 2021 guidelines on 14 December 2021. These guidelines aim to help SMEs identify any data breach and then correctly report it to the supervisory authority and to the data subjects concerned.

Keeping your business secure: things you should focus on


In recent years, the Belgian supervisory authority has put tremendous effort into supporting SMEs to become more GDPR-compliant through various resources.

  • 2018 Preparatory Guide for SMEs and family businesses: explains basic privacy and data protection principles and prepares organizations for the entry into force of the GDPR.
  • 2020 “Boost-project”: focuses on three issues of particular concern to SMEs: the transparency principle, the Data Protection Impact Assessment (DPIA) and the concepts of “data controller” and “processor”.
  • 2020-2025 strategic plan: based on public consultations with stakeholders from various SMEs.

Nowadays, GDPR compliance is often seen as an additional administrative burden, causing many SMEs to postpone its implementation in their business activities and, by extension, their company culture. All too often, SMEs question its relevance and fail to recognize that the GDPR applies to them. As a consequence, they don’t hire a full-time Data Protection Officer to take on the administrative burden and stand idle until compliance issues arise.

Trends: use of automation tools for GDPR compliance

Already in 2019, McKinsey & Co. reported that SMEs face many organizational challenges when it comes to managing personal data for business operations. They correctly analyzed that these SMEs must automate and streamline their processes, or the challenge of GDPR compliance will overwhelm them. Indeed, the use of automation tools for GDPR compliance has become popular over the last few years, with many new companies developing and providing compliance tools.


One such example is RESPONSUM: an intuitive privacy management Software as a Service (SaaS). It is entirely EU-based and offers task automation and integrated collaboration to amplify SME productivity. The software helps increase compliance thanks to several of its integrated frameworks. RESPONSUM contains a user-friendly privacy and security management module that decreases the chances of potential incidents and data breaches. To that end, it allows any organization to swiftly manage possible incidents and data breaches by adequately monitoring them. When registering new incidents, the tool allows the potential impact to be calculated using a risk-based approach. This way, data breaches won’t be an inescapable evil for SMEs.


Interested in what RESPONSUM has to offer? Find out more by clicking here.