Your SME compliant with the GDPR: follow the guide

Did you say personal data?

What personal data does your SME process? That’s the central issue in complying with the GDPR. “Companies process more of it than they think. And that’s just the problem; lack of awareness of one’s own situation doesn’t lead to taking the proper measures,” stresses Aurélie Waeterinckx, spokesperson for the DPA, the Data Protection Authority. Regulation or not, the exercise is very interesting and worthwhile according to Cathy Habils, GDPR Lead Auditor and independent DPO. “I often ask my clients what their reaction would be if processing of their own personal data were involved. In seconds, the procedure becomes meaningful.”

A SME generally doesn’t need a DPO, but it does need a GDPR specialist.

Cathy Habils, GDPR Lead Auditor

Three primary deficiencies

After consultation with over 250 SMEs, the DPA has detected three major weaknesses in practice. The first involves the (fundamental) principle of transparency. The company is aware of its duty to inform with regard to data processing, but doesn’t communicate it, or does so poorly. “The next deficiency involves the principle of impact assessment – a compulsory tool for types of processing likely to generate high risks. Most of the SMEs questioned are aware of this without actually putting it into practice,” Waeterinckx added. Finally, only 50% of the respondents have implemented the concepts of ‘data controller’ and ‘subcontractor’ within the organization.

Misconceptions

Because it is often seen as an additional administrative obligation, too many SMEs postpone their compliance. Habils estimates that 25% of small organizations have completed the process. “SMEs too often associate GDPR procedures with insurmountable budgets and the absolute necessity for expensive outside resources. That’s not true; a SME generally doesn’t need a DPO (Data Protection Officer), but it does need a GDPR specialist, a slight difference. In a few hours, or perhaps a few days, a lot can be sorted out.”

SMEs are one of our priorities, and from now on we’re providing them with a real toolbox.

Aurélie Waeterinckx, spokesperson for the DPA

A simplified register

The DPA lists a series of secondary deficiencies: lack of knowledge of the retention periods for processed data, failure to consider the rules in advance of a project, or the lack of a register of processing activities. “Too many SMEs think that the register doesn’t apply to them. However, as soon as the processing is systematic, the GDPR requires a register.” Good news: the Data Protection Authority provides a simplified modelNew window to remedy this shortcoming.

A toolbox for SMEs

SMEs do take action with regard to the GDPR. They scan the web in search of advice, consult their sectoral organization, etc., an observation that the DPA has decided to turn into an opportunity. “SMEs are one of our priorities, and from now on we’re providing them with a real toolbox. I recommend two reference publications, the vade mecum [a manual]New window and the 13-step Action PlanNew window, practical information that is supplemented by a FAQ brochureNew window. In short, a real dashboard for SMEs.”

BOOST as support for SMEs

The objective of the BOOST project, developed by the DPA and financed by the EU, is to help micro, small and medium-sized enterprises in any sector in implementing the GDPR. This major awareness-raising activity is also an unprecedented source of information. “Among other things, we provide letter templates, disseminate information via videos, publish a newsletter and organize webinars. The latest one had 735 registrants, proof of the need in the field and the relevance of our activities,” explained the DPA spokesperson.