SMBs May Find GDPR Compliance a Challenge

SMBs may be more likely than their enterprise counterparts to find GDPR compliance a challenge. Generally speaking, their focus on data security is not quite as strong as it is in larger organizations. Furthermore, they are often less likely to have internal resources to help them make sense of new regulations.



What is GDPR again?

GDPR stands for the General Data Protection Regulation; it is a regulation in European Union law on data protection and privacy for all individuals within the European Union (EU). GDPR also addresses the export of data outside of Europe, and applies to any business handling personal data of EU residents. The purpose of GDPR is to give EU residents control over their personal data and simplify data privacy regulation within the EU.

What are some key requirements of the regulation?

Compliance with GDPR includes obtaining consent for data collection and processing, designing systems with data privacy in mind, and letting individuals who ask know how their data is being used. In addition, organizations must remove this data from their possession if an individual withdraws his or her consent for its use. Another requirement for companies handling personal data on EU residents is notifying these residents of a data breach within 72 hours.

So, how do SMBs view security?

SMBs consider information security important: 37% of U.S. SMBs rank it a top business priority for the next three years, making it the second biggest of 13 possible business priorities. A similar percentage of enterprise customers (38%) consider document security a top goal, and for this group it is the number one objective. Enterprises are also much less likely (25%) than their SMB counterparts (41%) to prioritize staying in business/being profitable, suggesting that security is more top of mind in the enterprise realm.

And how do SMB and enterprise resources compare?

While resources can be measured in different ways, Keypoint Intelligence-InfoTrends research shows that SMBs tend to have fewer internal resources in areas like IT. This can make interpreting GDPR a particular challenge, especially since secure IT systems are a crucial component of GDPR compliance. The good news is that trusted third parties (e.g., office equipment providers) can provide expert guidance in this area.


The new GDPR regulation is in effect, and SMBs may find it particularly challenging to make sense of its components as well as to achieve compliance. Information security is somewhat lower a priority for these entities than for enterprises; furthermore, in many cases SMBs have fewer in-house resources to assess whether their IT environments are sufficient for GDPR compliance. Seeking help from a trusted IT provider may be a good option for SMBs in this category.

GDPR Aligns with Today’s Business Priorities

While companies around the world, including in the United States, are grappling with how to handle the new General Data Protection Regulation (GDPR), which governs the use of European Union residents’ personal data, it may be helpful to view the regulation in the context of today’s business priorities.

Recent Keypoint Intelligence-InfoTrends research shows that U.S. companies are most likely to say that improving document security is a top business priority. As company size increases, this is more likely to be the number one goal.

Figure: Which of the following are business priorities for your organization for the next three years? (Please select the top 3.) Source: Keypoint Intelligence-InfoTrends

The emphasis on document security has a direct relationship to GDPR compliance. When companies ensure that their documents are adequately protected, through features like data transmission encryption and password-protected PDFs, they can help protect the privacy of customer information—the key tenet of GDPR. Network-connected devices like computers and printers, as well as software for tasks like document management, must also be adequately safeguarded.

Digging deeper into GDPR’s requirements, the regulation requires companies handling personal data on European Union residents to develop their systems and services with data privacy as a guiding principle rather than as an afterthought. Companies should also regularly test the security of implemented processes and, in some cases, appoint a data protection officer to handle interactions with European Data Protection Authorities (DPAs).

Another component of GDPR is the need for customer/user consent prior to processing that individual’s personal information. Furthermore, consent must be given for a specific use of the information as opposed to for general information use; individuals can obtain information on how their data is being used; and people have the right to withdraw consent at any time. Should organizations not adhere to these and other GDPR requirements, they may be fined up to 4% of annual global revenue or €20 million—whichever is greater.


GDPR is a new regulation that governs the processing of personal data on European Union residents. The good news for organizations handling this kind of information is that the regulation largely aligns with the top business priority of many companies: improving document security.

By continuing to ensure top-notch security for documents, the data contained within documents, and the devices through which documents pass, companies are well on their way to achieving GDPR compliance. That said, other elements of GDPR like user consent and data breach communications must be incorporated into GDPR strategies.