I’m not going to tell you how to think if you are a big corporation. I don’t have any experience working for big companies. Not even mid-size companies. I just have experience doing things with little money. For my own projects or for micro-companies.
Many regulations are not written with small companies in mind. They are intended to address some urgent problem that has been ignored for too long. The drafters of the regulations may not have thought through how the problem will evolve or how it could be dealt with by companies approaching the problem in new ways.
You, as a small business owner or project leader with limited resources, will find it much harder to comply with a regulation than bigger companies or better-funded departments will. Just understanding the regulation in detail could take you days or weeks, and you may need advice from an expert. Often, your specific problems will not be contemplated in the law, and you will need a higher-level assessment to evaluate that uncertainty.
On the other hand, it’s quite unlikely that anybody will care if you don’t comply with the regulation. “They” will think: “I can’t get something out of nothing.” You are too small for them to get any benefit from pursuing you. Maybe it’s even a common practice among small companies not to comply.
In the case of regulations enacted to safeguard Personal Data, many companies are doing exactly that. And it’s not only small companies where that’s happening—large companies may spend millions safeguarding data in databases, but not implement sufficient measures to safeguard data accessed by workers who need to sporadically use parts of it. Insecure methods for sharing data or moving data from one computer to another are often in use. People may think that is low-risk. But it’s believed that that’s how Wikileaks got tens of thousands of sensitive documents from the US government.
Failing to comply with data privacy regulations is legally and financially risky for your company. And when you are talking about Personal Data, there is an even more important risk: the loss of your clients’ confidence in your company, which could be unrecoverable. A data loss might happen only once every ten years—but it would be hard to recover from that.
Yes, it could be easier asking for forgiveness than for permission. But only if you can live with a great deal of uncertainty.
Data privacy regulations are complex. There are multiple “what-if” scenarios to think about. But there is one single argument that can save you a lot of effort and thinking. One argument that makes most of the effort needed to comply with the regulations unnecessary. It’s an argument that applies to every existing regulation on data privacy (mainly HIPAA and GDPR).
That argument is: Encrypted data is not Personal Data.
If something is not Personal Data, any regulation regarding Personal Data obviously does not apply to it. There is no need to think about how to comply with the regulation.
Quite simple and effective, yet inexact. If you are managing Personal Data, it will not always be encrypted. Therefore, you need some basic knowledge about the regulations. You will still likely need to write a security plan. You will still need to implement some security procedures. But these will be quite standard procedures, applied to a reduced set of situations, and will have a much lower cost. If you choose to apply the first rule of low-cost business management and be lax in applying the details of the regulation to your data security procedures—which doesn't mean being lax in having security procedures—you will still be reducing the risks dramatically, given that most of the time, and in most circumstances, the data will be encrypted.
So, to summarize, what can you do if you are a part of a small team working occasionally with Personal Data?