It seems that GDPR for small organisations, SMEs and charities/NFP groups etc., means pretty much the same as for large organisations.
Basically, it’s (sadly) about covering your back at this stage: doing the right thing because we HAVE to… I think of it a bit like everyone wearing seatbelts because it was the law, and then eventually people accepted it was actually the right thing and did it for that reason too.
It applies to anyone who holds data. It’s about how they hold data and why. A large % is around auditing and training/informing anyone involved with the organisation and documenting it. Training and documenting revolves around looking at data they hold, why, and what they’ve done to be sure it’s correct – and right for them to hold it.
But THEN everyone needs to prove that, if they are still hacked despite training and protocols, they have put IT solutions in place too. And cost can reflect income. They might decide they have to spend x% of income – then the agreed amount would be spent on the necessary IT products, and the rest on training and auditing.
Bigger companies almost certainly need to have dedicated staff and probably a consultant (for both parts).
Let me know if we can help in any way.