GDPR compliance for SMEs

What can we as SMEs do to avoid GDPR-related fines?

What is the GDPR Regulation?

From 25 May 2018, the European Union's new data protection legislation applies, setting new standards for personal data, security and compliance with global reach. The General Data Protection Regulation - GDPR - is all about protecting and enabling the privacy of natural persons. The regulation does not prescribe specific technical or organisational measures; it sets out principles and obligations, so each organisation has to examine how it handles data and determine the responses appropriate to its own situation.

Who is affected by the Regulation?

Many people may think that the GDPR is primarily aimed at large and multinational companies, but this is not the case: it affects every business that processes personal data of employees or customers, whether electronically or on paper. Personal data is any information relating to an identified or identifiable natural person, not only the usual identifiers such as a name or an ID number, but anything (an e-mail address, an IP address, location data, an image from a surveillance camera) that can be used to identify someone. In light of the above, almost all organisations will be affected, and the penalties can be as high as 2% or 4% of annual worldwide turnover, depending on the infringement.

What can we do as an SME to comply with the Regulation?

As a general rule, we recommend answering the following questions to assess the size and complexity of the task:

  • Do you do business with individuals, do you use a webshop?
  • Do you process personal data on behalf of another company or transfer personal data to another company?
  • Do you use an access control system, biometric identification, camera surveillance?
  • Do you operate an information security system (e.g. ISO 27001)?
  • Do you have risk management, change management procedures?
  • Do you have subcontractor management procedures, contract templates?
  • Do you have a code of conduct, a policy?
  • Do you have complaint and incident handling procedures?
  • Do you have a document management policy?
  • Do you have an HR entry/exit policy?
  • What IT policies (e.g. backup, access rights management) do you have?

The above list shows that GDPR compliance can be a complex task, depending on the scope and size of the organisation.
Having assessed the complexity of the task, we propose the following actions:

  1. Define the personal data the organisation works with
  2. Create a data flow diagram with inputs, process steps, outputs and responsible parties
  3. Determine the organisation's role (controller or processor) and the legal basis for each processing activity
  4. Carry out an internal data protection impact assessment
  5. Prepare or amend the data protection framework and related procedures
  6. Appoint a Data Protection Officer where necessary
  7. Adapt the IT systems concerned
  8. Train internal staff

For the first four points, the workshop we offer can be helpful, as we also prepare a data flow diagram and a data protection impact assessment of the company together with the participants.

We can undertake the preparation of frameworks and procedures as part of our consultancy services or group training.

How can I as an SME achieve the above?

In principle, regardless of the size of the organisation, there are two options: with the help of an external expert or consultant, or by the organisation itself. The majority of large companies tend to prefer the first option because of the complexity of the task, but for SMEs this may not be the best choice.

DPO

The easier (but more expensive) solution

The first option, then, is to prepare for compliance with the Regulation with the help of consultants and experts. In this case, depending on the size of the task, a small team or an individual will help to define the scope of the personal data, prepare a data flow diagram of the organisation, conduct a data protection impact assessment, and prepare internal regulations and documents based on an agreed action plan. As an external observer, a trained expert can also make meaningful recommendations for improving systems and addressing shortcomings. Experts who offer end-to-end solutions can even keep the process running through regular audits or, if the organisation's activities so require, act as data protection officer on a contract basis. The advantages of this solution are that it is less work for the organisation and more likely to succeed, but it is also likely to be more expensive.

SELF-COMPLIANCE

A logical question for SMEs might be that this is all well and good, but what if you don't have the resources to hire an external expert? In that case there is no other solution but to prepare for the GDPR on your own. To do this, you will need colleagues who:

  • know how the organisation works,
  • have process management skills,
  • understand how IT support tools work
  • have the right legal background.

So, if the organisation creates a cross-functional team whose members can represent each area and process, together with a corporate lawyer and a good project manager, they should be able to develop a successful solution. Of course, this is not always feasible for small businesses, where it may fall to the senior manager, CEO or owner to stand in for this team. In our opinion, legal support may still be needed in this case, so if in-house counsel is not available, it should be obtained from external sources. The involvement of external lawyers is typically not inexpensive, but in our experience it is still cheaper than hiring an external consultant or expert. It is also worth considering how much work this will require from the team or manager and how much time it will take away from day-to-day operational tasks, as this is an indirect cost for the organisation. Typically, the time and cost of preparation can be greatly reduced by good, practice-oriented training or workshops, which help to identify the tasks ahead and good practices that can often be implemented immediately. Such a programme can also minimise the cost of external expertise and legal assistance.