How are small businesses managing the GDPR?
It is over a year now since the General Data Protection Regulation (GDPR) came into force throughout the EU and the STAR II project has also been designed to understand how small and medium enterprises (SMEs) have experienced the GDPR during this period.
To find out about the SMEs’ experience of the GDPR, Trilateral Research, along with our project partners, the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) and the Free University of Brussels (VUB) have now completed the STAR II landscape research work.
Based on a mix of survey and interview research methods, this research has involved over 100 European SMEs, SME associations and data protection authorities, between January and July 2019.
STAR II research found that while many SMEs are aware of the existence of the GDPR, this does not automatically translate into an understanding of the requirements of this regulation. For example, the requirement for on-going thinking around data protection sits uneasily with a desire to just “get it done” on behalf of many SMEs.
Some SMEs are experiencing fear and a lack of trust in the GDPR advice they are receiving from consultants. A big part of this lack of trust is due to the SMEs’ lack of knowledge and understanding about the GDPR, which makes it difficult for them to adequately assess whether they need the professional services and technical tools on offer.
Moreover, the lack of a mature certification and standardisation process for the GDPR does not help and puts many SMEs in an uncomfortable position when they liaise with large technology companies that provide services they may need.
However, the STAR II landscape research did find that data protection authorities have a good understanding of the challenges faced by SMEs and can offer support.
What issues do SMEs want more guidance on?
In the STAR II survey, SMEs consistently reported that they need:
- additional guidance on organisational and technical measures to assist them with GDPR compliance, and
- a range of other data protection processes and issues – such as data protection by design and by default, the grounds for processing personal data, data protection impact assessments and how to conduct a risk assessment, to name only a few.
What guidance currently exists for SMEs?
Some data protection authorities have SME-specific guidance available, see for example Ireland, the United Kingdom, Lithuania, France, Belgium, Spain, Slovenia. In addition to this support, all eighteen data protection authorities that engaged with the STAR II project can offer general guidance on specific issues relevant to SMEs.
The survey respondents were fairly positive concerning the usefulness of the guidance provided by data protection authorities but stated a clear need for more practical examples, with requirements and processes explained in simple language. The lack of these features seemed to reduce their confidence in the available guidance.
The role of SME associations
STAR II research also found that many SME associations (for example trade bodies, sectoral associations, chambers of commerce, etc.) occupy a unique space in terms of communicating to SMEs about the GDPR.
Despite operating under heavy time constraints and being preoccupied by competing priorities, including in the compliance arena, SMEs do commonly engage with such business associations, and many associations already provide GDPR advice to SMEs.
The STAR II findings should encourage data protection authorities to regularly interact with SME associations, who may be better positioned to communicate key GDPR messages to SMEs.
What next for STAR II?
The STAR II project partners will now use the insight gathered to deliver a Handbook for SMEs and a Best Practice Guide for Data Protection Authorities. The research has generated many ideas on how to make the guides innovative and avoid duplication of the guidance already available. For example, the project partners are considering whether to draft a Handbook for SMEs that is:
– ‘examples and templates based’
– a ‘myth-busting’ document
– a guide for SMEs on how to ‘sell’ the GDPR and benefit their businesses’ bottom-line
– a tool focused on how SMEs should assess risk
All these ideas will be considered before the final STAR II outputs are produced.
Trilateral’s DPO Service
Members of Trilateral’s Data Protection Services Team, who often engage with SMEs and serve as data protection officers of several organisations, have shared their own experience with STAR II.
At the same time, the STAR II research findings have informed Trilateral’s data protection services about the SMEs’ current needs, in order to enable our team to provide the latest legislative updates.
While not every SME requires a data protection officer or the purchase of advanced technologies, all of them need to assess, with or without the assistance of specialised organisations, what personal data they process. This remains the SMEs’ primary objective.
For more information on Trilateral’s data protection services visit the Trilateral Data Protection Officer page and contact our team for more insights on this research area:
Leanne Cochrane, Senior Research Analyst at Trilateral Research
David Barnard-Wills, Senior Research Manager at Trilateral Research
Filippo Marchetti, Data Protection Specialist at Trilateral Research