GDPR for SMEs: Benefit or Burden?
By Brodie Bavidge, Last updated: 2022-04-19 (originally published on 2020-01-16)
When the EU fully enforced the GDPR back in May of 2018, there were many speculations and doubts on the consequences, and whether or not SMEs will need to adhere to the full extent of the regulations or not. A common misconception that followed was that the GDPR was seen as a data privacy law that would only be looking into the data protection practices of big multinational enterprises. After over a year since it’s enforcement now, we are able to see the first results on the extent of how the GDPR can apply to each type of business, and what best practices businesses can turn to in order to stay aligned to the obligations. In this blog post, we look into the important points SMEs should know in regards to the GDPR and how the regulation can be turned into a benefit, rather than a burden.
The GDPR & SMEs
With the big multinational companies taking huge blows of GDPR related fines, such as Google’s €50m fine from the CNIL or the €204m fine issued to British Airways, it is a common misinterpretation that the GDPR only takes its toll on larger enterprises. On the other side of the spectrum, hefty fines on a different scale have also been issued to smaller businesses. For instance, a €400,000 fine was issued by the CNIL to real estate firm, SERGIC, and a smaller performance advertising company, QuickClickNow, has been hit by a €47,000 fine issued by the Polish Data Protection Authority.
So, after a year of the GDPR, what are the key measures for SMEs and the GDPR?
A research conducted by the GDPR.EU in May 2019, looked into how prepared SMEs were in Spain, the United Kingdom, France and Ireland for the GDPR. The research showed that around half of the SMEs in these markets were not GDPR compliant on two crucial requirements: describing data processing activities in a clear, understandable language to data subjects, and identifying a lawful basis for using someone’s data. The research also found that 27% of SMEs had spent around €1,000 on compliance efforts, 24% had spent around €10,000 but 10% had not spent any money at all. Most of the SMEs that had invested into their compliance efforts expressed that this investment did not dampen their growth, instead, has made the organisations more confident in their data handling.
The must-knows for SMEs on the GDPR
The GDPR does not necessarily have a “small business exemption” as SMEs with more than 250 employees must abide to the GDPR just as other larger companies would. However, the GDPR does point a few differences for SMEs with less than 250 employees. It is important to note that this does not make the business exempt from all other aspects that has been set out in the GDPR. Below are some of the key points in regards to the differences:
• Companies with less than 250 employees do not have to keep records of their processing activities unless the processing of personal data is a regular occurance/activity, poses a potential threat to individuals’ rights and freedoms, or includes sensitive data or criminal records.
• SMEs large and small are required to appoint a Data Protection Officer only if processing is their main business and it may also pose threats to an individuals’ rights and freedoms. An example could be monitoring individuals or processing sensitive data or criminal records in particular as it is done on a large scale.
• As mentioned earlier in the blogpost, a study revealed that often times SMEs have trouble identifying legal bases and as a result, overlook the importance of knowing one when it comes to processing data. Taking time to look through the legal bases is a must for all data driven SMEs.
Importance of Embedding the GDPR into an SMEs culture
Taking the necessary steps to ensure a much more data privacy oriented work ethic is vital for SMEs. Businesses should be aware of the responsibility they have that has been set out in the GDPR. The perception of the GDPR being another safeguard/obstacle that the company should get over should be changed. Instead, the GDPR could be seen as a key influence on corporate identity and a helpful push to becoming more conscious of data protection and privacy.
Just to give a few examples, numerous benefits on business growth has been shown for businesses that consciously invest into their efforts of complying with the regulation. In fact, research has shown that businesses who show a significant amount of transparency to consumers get a significant amount of trust in return. Below are some of the top benefits GDPR can bring for SMEs.
Target marketing is done more effectively
One of the key requirements of the GDPR is that businesses who collect personal data from individuals must have specific opt-in consent from individuals, for companies to store and collect such data. A specific opt-in consent is also needed for companies who want to use such data. This consent must also clearly lay out why such data is needed, just as it must lay out what it is being used for. Despite it likely being a lengthy process, this can be seen as an opportunity to be more focused with marketing strategies. By taking the necessary steps to ensure consent and transparency on the data that is being collected/used from customers, you will have the chance to experiment with tailoring your message to specific needs of the audience which may result in higher engagement, higher trust, and an overall higher opportunity to grow.
Strong structured data management
Building an overall trust and strong relationship with customers
We see that the GDPR is something to be embedded into the culture by companies large and small, as the need to ensure data privacy continues, companies must also keep up with requirements and make necessary adaptations. Not only should the GDPR be seen as a push to further data transparency, but it should be seen as a push to encourage a data privacy culture in the workplace.
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.
Written by Brodie Bavidge of PrivacyPerfect. PrivacyPerfect is one of the first high-end privacy compliance software providers on the market.
Article syndicated with permission from https://blog.privacyperfect.com/gdpr-for-smes-key-points
PrivacyPerfect is a renowned legal-tech organisation headquartered in The Netherlands, providing privacy compliance solutions to an international market successfully for nearly a decade now.
They provide our clients with a proven software solution for easy GDPR compliance, that simplifies privacy related tasks and makes the regulatory compliance process easier and smoother. Their high-end software provides a solution for all primary data privacy needs, empowering privacy professionals worldwide with built-in smart automation, to perform their tasks easier, quicker, more accurately, and more efficiently.
They believe in the people-process-technology methodology, and keep this on top of mind in everything they do, from product development, through our sales efforts, to client management.