GUEST ESSAY: How ‘DPIAs’ — data privacy impact assessments — can lead SMBs to compliance

As the world becomes more digital and connected, it is no surprise that data privacy and security are a growing concern for small to medium sized businesses — SMBs.

Related: GDPR sets new course for data privacy

Large corporations tend to have the resources to deal with compliance issues. However, SMBs can struggle with the expense and execution of complying with data security laws in many countries.

Organizations with 500 or fewer employees have many positive attributes, such as their ability to make fast decisions and avoid bureaucracy that can slow down larger enterprises. But this same characteristic can also be a disadvantage, as SMBs often lack the resources and expertise to keep up with complex regulations.

Let’s look at some of the challenges faced by SMBs in today’s data privacy landscape.

Scarce resources

It’s often difficult for small businesses to invest significantly in data privacy compliance or security measures because they don’t have large budgets. In fact, many SMBs have to choose between investing in new technology and making payroll. This can make it difficult for them to keep up with the latest security measures and technologies that could protect their data or prevent a breach.

An SMB may not have the time or resources to properly implement the robust security policies and procedures needed to comply with numerous regulations. That means there will likely be gaps in their data protection measures that could leave them vulnerable to cyberattacks.

It should be no surprise that data security regulations are on the rise. There is increasing regulatory pressure on SMBs to protect their employees’ and customers’ sensitive data. For instance, any direct contact with European suppliers, partners or customers requires taking steps towards complying with GDPR regulations.

DPIA starting point

A Data Privacy Impact Assessment, or DPIA, is a formal assessment of the privacy risks of your data processing activities. The purpose of conducting a DPIA is to identify and assess the potential impact of these risks on individuals’ rights and freedoms from your proposed processing operations.

A DPIA requires a thorough review of any personal data collected and stored, including who specifically controls the data and who has access to it at any given time. It also takes into consideration the reasons why the data was collected in the first place and examines the reasons why personal data is stored; in short, it examines numerous parameters related to collecting and holding personal data.

Paths to compliance

By performing this type of assessment, businesses can better understand their responsibilities for protecting personal information, as well as assess their ability to do so. This should naturally lead to an SMB putting plans in motion to achieve compliance — by embracing robust cyber hygiene policies and procedures.

There are many kinds of tools and services that can help any SMB down this path. The core idea is to help the company continually improve how it monitors data flow and trains staff to be alert to cyber threats, in order to identify suspicious network activity — before it becomes a problem.

Data protection is an ongoing process. DPIAs can get an SMB off to a good start. But maintaining a security posture that not only meets compliance requirements but also effectively protects the organization over the long run is a never-ending task. It’s important to continually assess security posture and take corrective action when necessary.

Neumetric helps organizations perform DPIAs as well as numerous other types of cybersecurity and cyber risk assessments, in addition to security awareness training for employees. Our services revolve around helping organizations achieve security compliance and certifications such as EU GDPR Compliance.

About the essayist: Bipin Damodaran is a Certified Ethical Hacker and a member of the security team at Neumetric, a cybersecurity vendor that helps organisations bolster their information security by creating a secure operating environment.


The Last Watchdog