GDPR: TO BE OR NOT TO BE A CALAMITY FOR SMEs

From the very beginning, many considered SMEs as collateral victims of GDPR.  Lacking investment resources in sophisticated encryption and protection software or expensive hours for audit and consulting services being the main reasons for this… But what only a few peoples are considering, is the fact a SMEs can be many times more flexible and open for a real change and reliable alignment efforts.

Size does not matter…

The main purpose of the Regulation is to change the ways organizations obtain and manage personal data and to put the data subject in the core of data processes. Even most of the GDPR articles addressing large data volume and large scale data processing, small organizations such as micro-enterprises or individual professionals have also to show respect for the processing of personal data.

Many time small entrepreneurs are thinking their company are too small to lose the time with data protection processes. This is terribly wrong. GDPR applies to organizations of any size if data processing takes place regularly or if the processing includes special categories of data defined in Article 9 of the GDPR. This is even apparent from the definitions of the Controller and Personal Data Processor. According to GDPR, Art.4.7. “Controller” means a natural or legal person, a public authority, an agency or another body which, alone or with others, establishes the purposes and means of processing personal data. According to Art.4.8. “Processor” means a natural or legal person, public authority, agency or other body processing personal data on behalf of the Operator;

Even a licensed consultant or individual who constantly and regularly processes personal data may be a personal data Controller or Processor, depending on the type of activity being performed. If there are types of services in which the purpose and means are set, the individual specialist can act as an associate operator in dealing with his clients. If there are types of activities where the individual specialist performs only operations requested by his clients, he/she acts as a personal data processor with all the responsibilities of such a position. As small company manager is very important to better identify our position as Controller/ Processor in any business line we are involved.

Do we process personal data? So we don’t have a place to return…

Even if we haven’t the funds resources of the big ones, as managers of a small company, we are directly responsible for the continuity of the business and admitting this, we are willing to invest. In a small company, as an entrepreneur, we are also a sponsor and a project manager. And I’m more capable and more interested in choosing the best and most efficient team, which often includes all the other employees.

Are smaller companies more exposed to cyber-attacks than medium or large organisations? Theoretically yes…; it should be because we don’t have the infrastructure that others have access to. A Juniper Research study estimates that over half of SMEs in EU countries consider themselves safe from cyber-attacks, but half of them have suffered a data breach. In this context, the need to protect personal data more effectively has never been more obvious, even at the level of SMEs.

GDPR strengthens the protection of personal information. Irrespective of size, all companies operating in the EU now have the obligation to collect, store and use personal information in a safer way. Although there are a few areas where SMEs are recognized as having fewer resources and capacities than larger businesses, small businesses can enjoy a manoeuvring space in terms of documentation and record keeping. The degree of freedom at this stage is still uncertain.

The British Government recently estimated that only 40 percent of enterprises with fewer than 50 employees and only 66 percent of firms with 50-249 people were aware of the importance of GDPR.

5 Serious reasons for alignment

Here are five serious reasons why SMEs need to understand this regulation urgently and align their processes with it:

  1. GDPR comes with new rights, so new obligations – First, GDPR gives new people rights to their personal data. Theoretically, we can now go to a bank or supermarket to ask them to erase our data from their systems. This is theoretically only because there are some legal frames imposing us to expect at least 10 years to receive all personal data. Here is a real right: ask a provider to move your data and your agreement to another service provider… That’s a real right known as Data Portability. For example, you have the right to move the services file from one telco provider to another. But that does not mean that the old supplier will erase our data.
  2. Suppliers are now under the microscope – GDPR comes with new responsibilities on data processors. If we process data on behalf of a Data Controller, we need to keep its instructions in order to align the GDPR. If we make a mistake as a data processor, and the Controller can prove this, we could become directly accountable in front of Authorities.
  3. Do we need DPOs or not? – At SME level, obviously not. This does not exclude the recommendation to consider a project team and a project coordinator. Permanent tasks, even in an SME, such as keeping records of processing, consent, or breaches reporting, come in addition to the ingrained task of assimilating internal policies across departments.
  4. Employees as a weak link – Studies show that at least one-third of personal data vulnerabilities are due to personnel error. There is no substitute for training employees about their core responsibilities within GDPR. In addition, make sure your company specialists, such as traders, HR representatives and board members, receive specific training on their roles about what they need to do to comply with GDPR.
  5. We need to tell our clients what we do with their data – According to GDPR, customers have the right to be informed – in clear language – about what we do with their personal data. Our online privacy policy should be written in plain language, telling our customers about where we get the data, what we do with them, and who we share with. If we have a web page for our business, we have to put our trust on privacy on the site on the Personal data privacy page and to update Terms & Conditions and Cookies Policy.

Small companies or individual specialists who ensure their compliance with GDPR benefit not only from safer and more professional business processes but also from a certain competitive advantage over competitors who did not pay much attention to the provisions of the new Regulation. GDPR compliance is a label of trust, loyalty, and respect for our customers and partners and the personal data they entrust us with.