As part of the STAR II project, TRI has been working on better understanding how small and medium enterprises (SMEs) have coped with the GDPR, and the challenges they have faced. The project has also researched how EU data protection authorities have attempted to support SMEs and the guidance they have made available. These findings were published in our earlier report.
Since then, the project team has been working on developing two useful tools:
The first is a GDPR handbook for SMEs themselves, with the aim of pulling together practical guidance and interpretation of the law. This handbook will be freely available and published by the project later in the year, the working draft of the handbook is already available.
The second, is a report with guidance for data protection authorities on setting up dedicated contact hotlines for SMEs. This is based upon the experience of STAR II partners – NAIH – the Hungarian data protection authority in running such a hotline through the project, you can consult the draft copy of the DPA guidance.
To make sure that these tools were heading in the right direction, the project hosted a virtual workshop on 3rd of September, to discuss the issues and the draft documents with representatives from SMEs, data protection authorities, SME associations and other stakeholders.
Hielke Hijmans, from APD-GBA (the Belgian DPA) gave a keynote address for the workshop, drawing attention to the issues SMEs faced with data protection. The key issue was that citizens remained entitled to full protection even when their data is processed by the very small organisations, but that SMEs often simply did not know what they should be doing. Many had never heard of the GDPR. The GDPR does take scale into account, particularly in relation to risk-based approach, an area where the STAR II tools can be particularly helpful (the handbook includes a guide on risk-based approaches to data protection).
Some of the key issues discussed in the workshop included:
- The importance of developing the communications skills of data protection advisors at DPAs. Jelena Burnik from IP-RS (the Slovenian DPA) told us that when they were establishing their own contact hotline for SMEs they found that focusing on accessible language and soft communication skills, such as assertive listening, had positive results for better compliance.
- SME hotlines need to develop and maintain an internal knowledge base to support advisors and make sure their advice is consistent. However, it can be productive to make this knowledge base available to the public too – allowing them to self-service access to more advice and guidance, particularly for commonly asked questions. The hotline can then redirect questioners to appropriate written resources.
- In many cases, questions DPAs received from the public were not actually about data protection (e.g. consumer protection, employment conditions), suggesting that it would be a good idea to build relationships between DPAs and the other public institutions with legitimacy in those areas, to point questioners in the right direction.
- Many SMEs make use of platforms such as Facebook to engage their customers, and the data processing roles and responsibilities can be quite unclear. Understanding and clarifying the respective roles of controllers and processors is vital for SMEs, who can be in both roles in different contexts.
- Whilst certification can be challenging for SMEs, codes of conduct for particular sectors could be quite promising. While DPAs can support these efforts, the drive for this must come from the business themselves.
- The importance of DPAs working with SME associations and sectoral bodies, and DPO networks to support the work they are already doing in relation to data protection. We explored this issue in much more detail in a recent academic paper.
We’d like to thank all the workshop participants for their feedback, supportive words and advice.
The final version of the SME handbook will be available towards the end of this year.
For more information contact our team: