SMEs spent up to €20k on GDPR

SMEs spent up to €20k on GDPR

By Pádraig Hoare

More than four in 10 larger firms in Dublin spent upwards of €20,000 to get ready for the EU’s general data protection regulation (GDPR), while nine out of 10 SMEs spent €5,000.

That is according to a survey into how businesses have adapted since GDPR was introduced on May 25.

The survey by IT firm MicroWarehouse said 57% of companies do not think the introduction of GDPR has made any difference to their day to day operations, while there was a marked difference in the preparations of larger firms compared to SMEs.


A third of firms said that amendments to data breach procedures were the most common actions taken following the introduction of the data protection law.

However, only 13% of firms said cybersecurity was one of the main priorities for their company, while a third said it is never discussed at management level, which MicroWarehouse described as “shocking”.

MicroWarehouse technical sales lead Aidan Finn said: “The research indicates that little or no difference has been recorded to the day- to-day operations of companies surveyed. It also highlights the costs associated with becoming GDPR compliant, which is particularly onerous on SMEs who are subject to the same regulations as larger companies.

“In relation to cybersecurity and hacking, we were shocked to learn that security of data is so far down the agenda at a senior management level. Particularly in an era of cybercrime and data leaks, one would think ensuring the security of your network would be in the company’s best interest.”


The survey was carried out through face-to-face interviews with 100 chief information officers and IT leads in companies across Dublin, MicroWarehouse said.

The GDPR was ratified in 2016 following four years of negotiation, replacing the existing directive on data protection. Unlike an EU directive, which can be implemented over a certain time, the regulation was made law once it began on May 25, meaning penalties can be imposed from the beginning.

The regulation is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy. It not only applies to organisations within the EU but also to firms that do business inside member states.

If companies fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.