Your SME compliant with the GDPR: follow the guide
Published on 24/09/2021 in Inspire
Compliance with the GDPR is mandatory for every company that processes personal data. In Belgium, this involves mostly micro, small and medium-sized enterprises. Aurélie Waeterinckx of the DPA and Cathy Habils, an independent expert, explain what an SME needs to know.
Did you say personal data?
What personal data does your SME process? That’s the central issue in complying with the GDPR. “Companies process more of it than they think. And that’s just the problem; lack of awareness of one’s own situation doesn’t lead to taking the proper measures,” stresses Aurélie Waeterinckx, spokesperson for the DPA, the Data Protection Authority. Regulation or not, the exercise is very interesting and worthwhile according to Cathy Habils, GDPR Lead Auditor and independent DPO. “I often ask my clients what their reaction would be if processing of their own personal data were involved. In seconds, the procedure becomes meaningful.”
Being compliant with GDPR regulations is an ongoing process that raises many questions. The Data Protection Authority (DPA) provides answers to common questions.
An SME generally doesn’t need a DPO, but it does need a GDPR specialist.
Cathy Habils, GDPR Lead Auditor
Three primary deficiencies
After consultation with over 250 SMEs, the DPA has detected three major weaknesses in practice. The first involves the (fundamental) principle of transparency. The company is aware of its duty to inform with regard to data processing, but doesn’t communicate it, or does so poorly. “The next deficiency involves the principle of impact assessment – a compulsory tool for types of processing likely to generate high risks. Most of the SMEs questioned are aware of this without actually putting it into practice,” Waeterinckx added. Finally, only 50% of the respondents have implemented the concepts of ‘data controller’ and ‘subcontractor’ within the organization.
Because it is often seen as an additional administrative obligation, too many SMEs postpone their compliance. Habils estimates that 25% of small organizations have completed the process. “SMEs too often associate GDPR procedures with insurmountable budgets and the absolute necessity for expensive outside resources. That’s not true; an SME generally doesn’t need a DPO (Data Protection Officer), but it does need a GDPR specialist, a slight difference. In a few hours, or perhaps a few days, a lot can be sorted out.”
Comply with the EU legislation.
SMEs are one of our priorities, and from now on we’re providing them with a real toolbox.
Aurélie Waeterinckx, spokesperson for the DPA
A simplified register
The DPA lists a series of secondary deficiencies: lack of knowledge of the retention periods for processed data, failure to consider the rules in advance of a project, or the lack of a register of processing activities. “Too many SMEs think that the register doesn’t apply to them. However, as soon as the processing is systematic, the GDPR requires a register.” Good news: the Data Protection Authority provides a simplified model to remedy this shortcoming.
A toolbox for SMEs
SMEs do take action with regard to the GDPR: they scan the web for advice, consult their sectoral organization, and so on. The DPA has decided to turn this observation into an opportunity. “SMEs are one of our priorities, and from now on we’re providing them with a real toolbox. I recommend two reference publications, the vade mecum [a manual] and the 13-step Action Plan, practical information that is supplemented by a FAQ brochure. In short, a real dashboard for SMEs.”
BOOST as support for SMEs
The objective of the BOOST project, developed by the DPA and financed by the EU, is to help micro, small and medium-sized enterprises in any sector in implementing the GDPR. This major awareness-raising activity is also an unprecedented source of information. “Among other things, we provide letter templates, disseminate information via videos, publish a newsletter and organize webinars. The latest one had 735 registrants, proof of the need in the field and the relevance of our activities,” explained the DPA spokesperson.
The Data Protection Authority is an independent regulatory body whose task is to ensure respect for the basic principles of the protection of personal data. The DPA took over from the Privacy Commission on 25 May 2018.