GDPR: No part of a group is too small for appropriate focus


Are you, despite being a small company, part of a large group?

In an initial discussion with a company representative, we talked about where they stand, what they need to do first, and sketched a very rough roadmap of what has to happen by May 25, 2018 and beyond. The actual scope of work was limited, and a decent view of the IT landscape seemed to be in place. When we got into the applications not directly managed by the company, including third-party SaaS, a twist in the overall risk landscape appeared: a couple of the systems, such as HR and a few other support systems, were slated to “be taken care of by the group.”

It turned out that the company is part of a very large global group, and not a stand-alone, separately owned company as I had assumed.

Article 83:
“6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”

The key word is “undertaking.” Recital 150 of the GDPR states that, for the purpose of fines, an undertaking is to be understood as in Articles 101 and 102 TFEU, the competition-law notion under which a parent and its subsidiaries can be treated as a single economic unit. In this case, that means 4% of the group’s global yearly turnover is more than 10 times, possibly more than 15 times, the total yearly turnover of the company I talked to. In other words, the fact that this small company gets very little support from the global organization for the “systems and applications they manage themselves,” and very little auditing of the progress and actions taken, can have a tremendous effect on the whole group.

How the supervisory authorities will calculate this when they impose fines remains to be seen, but you need to be aware of the question to ask yourself:

Are you, despite being a small company, part of a large group?

This question is very relevant. Even though the effort to meet the GDPR requirements is needed anyway, the group-wide exposure should be taken into consideration and made visible to management when discussing funding for the work to be done.

