Getting data protection right can be a challenge for small businesses. Unlike their larger competitors, they often can’t afford a data protection specialist on staff, and building new systems to manage data protection compliance can be burdensome for Small and Medium-sized Enterprises (SMEs).
It is important that SMEs become more confident in handling personal data. SMEs amount to approximately 99 percent of businesses in the European Union. They are responsible for a large share of employment and contribute substantially to economic growth. A business that is small in number of employees may still be handling quite sensitive personal data or large volumes of it. Whilst most SME data processing will involve common activities like maintaining customer contact lists or employee data, some SMEs might be offering innovative new data services.
Trilateral Research is therefore pleased to announce the publication of a new book: The GDPR made simple(r) for SMEs, by Lina Jasmontaitė-Zaniewicz, Alessandra Calvi, Renáta Nagy and Trilateral’s David Barnard-Wills. This handbook is the final output of the STAR II research project. In a partnership with Vrije Universiteit Brussel and NAIH, the Hungarian data protection authority, the aims of the project were to better understand how data protection authorities could support SMEs and to produce guidance that would directly help SMEs.
The STAR II team conducted interview and survey research with SMEs, SME associations and data protection authorities to identify the key needs of SMEs with regard to data protection. The handbook is based upon this research, our own experiences and knowledge in data protection, and is written to respond to these needs. For example, we heard a strong demand for practical examples. Many SMEs knew they needed to do something about data protection but were unsure about the details of what to do. The handbook also pulls together guidance from existing sources and gives an overview of the main actors in the EU data protection world.
A key innovation of the handbook is a focus upon risk. In many ways, the GDPR is a risk-based piece of legislation. Rather than attempt to proscribe or allow specific forms of data processing, the legislation often asks data controllers to assess the risks to rights and freedoms of data subjects or to make assessments about what constitute appropriate technical and organisational measures to secure or safeguard data. These can be quite tricky assessments, so the handbook includes a dedicated section on this risk-based approach.
In her preface to the handbook, Annika Linck, EU policy manager for the European DIGITAL SME Alliance, states “This handbook provides SMEs with important and clear guidance and is, therefore, a welcome initiative to accompany SMEs on the path to better and uniform GDPR compliance and application across Europe.”
For organisations with more complicated data protection needs, you can find out about Trilateral Research’s Data Governance services here. Trilateral’s data protection and cyber-risk services grow out of our cutting-edge research in safeguarding privacy and promoting data ethics.
The STAR II project (Support small and medium enterprises on the data protection reform II; 2018-2020) is co-funded by the European Union under the Rights, Equality and Citizenship Programme 2014-2020 (REC-RDAT-TRAI-AG-2017) under Grant Agreement No. 814775.