With just two weeks until Europe's sweeping data privacy regulation, GDPR, goes into effect, small businesses have a reason to breathe a little easier.
The big picture: While the language used to describe non-compliance penalties for GDPR is rigid, U.K. Secretary for digital, culture, media and sport Matt Hancock suggests regulators (at least within the UK) are willing to be flexible with enforcement early in the process.
- "The headlines are that there's a 4% of global turnover as a potential fine," says Hancock. "But there's also a very clear determination to have proportionate enforcement. So that means that the focus will be on the big users of highly-sensitive data."
- "In the UK, we're very clear that the enforcement, especially early, will be done sensitively and proportionately for smaller organizations, whether businesses or charities or small government organizations."
- "Ultimately, GDPR is a principles-based set of rules. And following the principles is what really matters."
Details: A complaint-based system will also be used by regulators to track violations. Consumers, who are empowered by the law to better manage their own data, can file a complaint about any company, big or small, which should also have small businesses on high alert.
Threat level: Policy experts have debated for months whether GDPR makes it easy to implement uniform data standards and transparency while also helping to support innovation and fair competition.
- "Smaller entities, generally speaking, are much further behind than the global players," former FTC Commissioner and current Microsoft deputy general counsel Julie Brill told Axios at an EU panel at SXSW in March.
- "I think that there could be a problem that they encounter in terms of enforcement and in terms of trying to really figure out how they comply." (Brill says Microsoft has 300 engineers working on GDPR compliance.)
Why it matters: Many small businesses are finding themselves unprepared, because they haven't been prioritizing compliance.
"Small businesses have two main misconceptions regarding data privacy: They feel as if they have nothing to hide, so data privacy does not apply to them. And, they don't care if companies use their data."
— Francis Dinha, CEO & Co-Founder, OpenVPN