One of the things that clients talk to me about the most is how to make sure that the data security plans they have in place make sense. If you think about it, much of the advice that you see on the Internet or from talking heads on television is related to companies that are quite different from yours. What works for Facebook might not work for you. In fact, it almost certainly won’t work for you – it doesn’t really seem to work for Facebook, either.
That’s why it makes sense to focus your attention on creating plans and practices that really fit with the culture and the size of your business.
What do I mean by that? It’s simple really. If you were thinking about creating a new product, you wouldn’t enter into an entirely new industry, create an entirely new product range, or totally depart from all previous practice at your business. (I mean, probably.) Instead, you would come up with a product that fit within what your company’s competencies were, and you would go from there. Or, if you were taking a little more of a risk, you might acquire a new entity to help you create the product. But whatever you do, you would be doing it with the thought that you have a specific set of skills, personnel, and personality that allow you to be you.
It’s the same thing with data security. Entering into a relationship with a DPO, or with a data security consultant, or with any other privacy professional might be an overwhelming and unhelpful task if you were forced to look at data security issues through the lens that the professional applies to all companies, big and small. If you were dealing with a security professional whose expertise has been exclusively in managing multinational megacap companies, and you’re a 10-person startup, it’s probably not going to be a good fit. Or at least, as it seems to me, the risk of it not being a good fit is pretty high. You may end up having to start from scratch, rebuilding a platform or a program that you’ve already invested a great deal of time, money, and effort to create.
That’s not to say you can’t find great help or great ideas from businesses in different sectors or fields. If you find someone who is capable of executing on plans, and can help you put your best foot forward when it comes to dealing with regulators, it almost doesn’t matter what their previous experience was. And a good, repeatable plan can work for almost anyone. The question, as always, is scalability. If you find a way to work with someone or with a strategy that allows you to scale as your company scales, you’re much more likely to be successful. That’s why we talk about “right-sized” data security.
“Right-sized” plans recognize the idiosyncrasies of where your company is and why. Simply assuming that throwing money at the problem is going to make it go away very rarely works. For that reason, one critical consideration when formulating your data security plans is, unsurprisingly, what can I afford? That may seem like a basic question, but it’s a valuable one to ask nevertheless. In fact, it’s so valuable that the GDPR itself mentions the cost of taking proper precautions when factoring in the potential for harm, or the reasonableness of a fine.
So, how do you right-size? It’s kind of an art. Three straightforward thoughts, though:
- Take a hard look at what your capacity is, and what your capabilities are. If you can only manage to put resources into a few categories, then the logical choice is to pick the ones that are the critical need. If you’re able to find someone who can handle data security, but your reporting abilities for Article 30 are not as robust, think about how to allocate resources between those two in a way that allows you to protect the data you have and learn how to record and get better at meeting your reporting requirements.
- Don’t just assume that you can import a strategy that worked for another company and layer it on top of your existing framework: that’s often a recipe for disaster.
- Learn from the efforts of those in your industry and those of your size. Conferences and trade publications are a surprisingly good place to get this kind of information, because most companies don’t view data security as zero sum. That is, I’ve seen a fair amount of openness about how to make privacy or GDPR compliance work for, say, midsized tech companies just by listening to what representatives of those companies have to say on a panel. Use that information to your advantage.
The bottom line is that you don’t want to make the easy mistake of ignoring who and what your company is when you think about privacy or protecting information. Data security doesn’t exist in a vacuum, so find the plans and the professionals that are the right fit for you.