What SMBs need to know about the new EU cybersecurity regulations

TRP: In your view will GDPR/NIS improve the overall security framework for small businesses and their customers?

Charles White: The consensus opinion is that UK PLC has had over six years of coaxing, education and persuasion to adopt a significantly better security posture. Last year, articles circulated stating that 96% of UK companies had been hacked. And so with all these things legislation swings in to drive behaviour and the GDPR is now the stick.

Many companies have preferred to ignore security issues and hope they won't affect them, and this could still be the case here. However, if they do lose data they will be facing significant fines, as well as the fact that the act brings in US-style class action options for anyone impacted by the data loss to claim damages. Having the risks and results so clearly defined will definitely help to improve the overall security framework.

Michael Aminzade: I think it will improve the security and the awareness of small businesses, but it will also have a larger impact on all organisations. As data protection becomes better understood, it will become a key item for all business leaders from the small to the corporate. We have seen this with information security previously, but data protection that bridges information security and our legal systems is now maturing. This is a good step forward in educating organisations and protecting all businesses against the cybercriminals on the dark web.

Anthony Merry, head of Data Protection at Sophos

As a uniform approach to data protection across Europe, the new regulations replace the consent model businesses currently comply with for collecting and using data with a more robust one, in which data must be collected for a specifically stated purpose. If your business wanted to use, say, a customer database for another purpose, it would need to ask for permission again.

Anthony Merry, head of Data Protection at Sophos, concluded: "My key advice would be – don't ignore it and think 'I won't get fined'. Europe is taking the subject of data protection seriously and so should small businesses.

"Take the time to investigate what the GDPR and NIS Directives mean to your business, and if you don't feel comfortable doing it yourself then don't hesitate to reach out to your local regulatory body or to a trusted partner/consultant for advice.

"Protect the data you hold, encrypt it and always keep up to date with your security solutions. Always think: how would you feel if it was your data that was lost? How would you feel or be impacted?"

The new regulations are coming. They apply to medium-sized businesses, but smaller enterprises should use the opportunity to re-evaluate how they collect, store, use and transmit the personal data of their customers. In today's world of rising cybercrime, only those businesses that can show they take the personal data of their customers seriously will continue to thrive.