It’s March, which means we’re only two and a half months away from the GDPR. It also means we’re two weeks away from workplace productivity in the US dropping by about 70% as everyone streams college basketball all day. Frankly, it’s one of this country’s great, and most civilized traditions: pretending to be reviewing last quarter’s financial reports, but really watching intently in the hopes that FGCU is going to pull off the upset. We love the David-and-Goliath/Cinderella/Other Metaphor stories in the Tournament because it’s great to see a team with substantially fewer resources and superstars manage, through great play, to best one of the big guys.
That’s a storyline that translates pretty well to GDPR compliance, actually. (Did you like that pivot right there? See how I turned basketball into data security?) What I mean is that small and medium-sized enterprises (“SMEs”) are still required to comply with the GDPR, but that can be a good thing. It certainly doesn’t seem so at first glance, because how can a company that lacks a huge compliance and IT department hope to meet the Regulation’s requirements?
In fact, if done properly, SMEs can create a GDPR compliance plan that mirrors the best aspects of a small business: flexibility, direct oversight, and responsiveness. Consider the requirement for “data protection by design and by default” (Article 25), which is the GDPR’s term for building data-smart principles into every aspect of your business rather than bolting them on afterwards. As the Regulation puts it, controllers have to “implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles.” SMEs can incorporate changes in technology far faster and with less red tape than a behemoth multinational corporation, simply because it’s easier to make a decision and execute it.
If you operate a small business, you could decide, this morning, that you’re going to encrypt the personal data you hold, buy encryption software, and have it rolled out by day’s end. You’ve now not only implemented a “technical and organisational measure designed to implement data protection principles,” you’ve also positioned yourself for the so-called “encryption safe harbor.” Under Article 34(3)(a), if breached data was rendered unintelligible to unauthorised parties (encryption being the Regulation’s own example), you are not required to notify the affected data subjects, which limits both your reporting burden and your exposure. Two caveats a practitioner should keep in mind: you generally still have to notify your supervisory authority within 72 hours under Article 33 unless the breach is unlikely to result in a risk to individuals, and the exemption only holds if the encryption actually protected the affected data, so a breach in which the keys were also compromised gets no benefit from it. This scenario also demonstrates another important aspect of SME operations: senior management is often directly involved in decision making. That’s a helpful characteristic when it comes to GDPR compliance, because a right-minded leadership team can make data security a part of the company’s DNA. That is data protection by design and by default, and it can drive compliance costs down in a real way.
Obviously, there are challenges for SMEs. Compliance costs are real, and a serious fine from a supervisory authority (even one far below the 20m euro ceiling) can put you out of business. SMEs operate on thinner margins, and far less GDPR guidance is written with them in mind. But the point remains that adopting the right mindset is crucial. SMEs can, and should, take an approach to GDPR compliance that gives them a competitive edge against the bigger companies. Customers may well want to hear that “we can keep your data safe, and we don’t have to pass on the costs of a three-hundred-member GDPR compliance team.” A well-crafted GDPR plan, a good DPO (if one is required), and a little flexibility could be just enough for an SME to edge out a competitor and start a Cinderella story of its own.