GDPR Compliance for SMEs – Is Everybody Up to Date?

Jul 25, 2018 | GDPR Compliance

Although it has been almost two months since the GDPR’s launch across the EU, there are still organisations that have not started working towards compliance with the new law. These are mostly small and medium enterprises (SMEs) that believe they are immune to the GDPR and the potential fines imposed as a result of data breaches. Of course, they are not. 

As mentioned in our previous blog posts, derogations exist for SMEs under the GDPR. In practice, however, the chance of not being affected at all is very low. SMEs should therefore comply with the GDPR and build data protection into their organisational structure.
It is always better to be safe than sorry. Below we suggest some actions that SMEs should consider in order to comply with the GDPR smoothly.

Data Protection within SMEs

Attaining a basic understanding of data protection and privacy within an SME is the primary step. Make sure your business is aware of the utmost importance of privacy and data protection; highlight the key elements of GDPR compliance, the benefits of GDPR compliance software and the importance of legal data processing and management.

Once you establish the significance of privacy and the GDPR, your employees can then do their daily work with less risk of breaching data protection and confidentiality.
To increase engagement with the GDPR, the values of data protection and privacy can be combined with entertainment. Examples include games, interactive sessions or even pub quizzes to change employees' attitudes towards data protection.

Train your employees in GDPR

Maintain a continuous training programme for the employees within the organisation who are directly responsible for tasks related to privacy and data protection, and update the scheme whenever a new development occurs in the field of data protection.
Basic knowledge of GDPR concepts is needed in order to apply the GDPR properly. Explain legal concepts, especially when the training programme concerns people without a legal education. Use online guides to the GDPR and work with data protection companies to gain further insight into GDPR rulings and their potential impact on businesses.

Identify your processing activities and designate a DPO

Identify all services that process personal data within your business and make sure that each is backed by the necessary legal grounds.
A data mapping exercise is useful here; it requires an overview of all processing activities. Update your privacy policy to match the inventory of processing activities and ensure that all third parties involved are kept up to date with your policies and any changes you make.
Designate a person who is responsible for the data protection policies of your organisation. If you are going to appoint an employee to this task, ensure that they have the necessary knowledge and training in the GDPR and data protection.
Article 37 of the GDPR does not necessarily state that it is obligatory for organisations to appoint a Data Protection Officer, but doing so is still good practice and highly effective.
Ensure Security Measures are GDPR Compliant

Implement procedures that keep you and your processing activities secure. Article 32 of the GDPR requires the implementation of technical and organisational measures that ensure an appropriate level of data security. Assess the risks and determine a level of security appropriate to mitigate them. Consider current techniques in the field such as pseudonymisation and encryption of personal data. Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
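Pseudonymisation is the Article 32 measure most SMEs can apply with little effort, and the point that matters for compliance is that the pseudonymised dataset and the information needed to reverse it are held separately. The following is an added example, not code from the original post: it replaces direct identifiers in a small set of constructed customer records with keyed-hash (HMAC-SHA256) tokens, keeps the re-identification table apart from the data, and shows that per-customer analysis still works on the tokens. The record layout, field names and key handling are assumptions made for illustration.

```python
"""Pseudonymisation of personal data with a keyed hash (HMAC-SHA256).

Added example, not code from the original post. The record layout, the
field names and the key-storage split below are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample records: the kind of personal data an SME might hold.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.com", "order_total": 42.50},
    {"customer_id": "C-1002", "email": "bo@example.com", "order_total": 17.00},
    {"customer_id": "C-1001", "email": "anna@example.com", "order_total": 8.25},
]

# Fields that identify a person directly and must be replaced by pseudonyms.
IDENTIFYING_FIELDS = ("customer_id", "email")


def pseudonymise_value(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: same input + same key -> same token.

    A keyed hash is used instead of a plain hash so that someone who obtains
    only the pseudonymised dataset cannot recompute tokens from guessed inputs
    (for example a list of known e-mail addresses) without also holding the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with every identifying field tokenised."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = pseudonymise_value(str(out[field]), key)
    return out


def pseudonymise_dataset(records: list, key: bytes) -> list:
    """Pseudonymise a whole dataset; this is what analysts or processors get."""
    return [pseudonymise_record(r, key) for r in records]


def build_reidentification_table(records: list, key: bytes) -> dict:
    """Mapping token -> original value.

    This table (and the key) is the 'additional information' of GDPR
    Art. 4(5); it must be stored separately from the pseudonymised dataset
    and under its own access controls.
    """
    table = {}
    for r in records:
        for field in IDENTIFYING_FIELDS:
            if field in r:
                table[pseudonymise_value(str(r[field]), key)] = str(r[field])
    return table


def totals_per_customer(pseudonymised: list) -> dict:
    """Analysis still works on pseudonyms: records of the same customer stay
    linkable within the dataset while the direct identifiers are gone."""
    totals = {}
    for r in pseudonymised:
        token = r["customer_id"]
        totals[token] = totals.get(token, 0.0) + r["order_total"]
    return totals


if __name__ == "__main__":
    # In production the key lives in a secrets store, not next to the data.
    key = secrets.token_bytes(32)
    data = pseudonymise_dataset(SAMPLE_RECORDS, key)
    print(json.dumps(data, indent=2))
    print(totals_per_customer(data))
```

Running the script prints the tokenised records and the order totals keyed by pseudonym. Rotating the key produces a completely different set of tokens, which is useful when a dataset is shared with a new processor: each recipient can be given data under its own key, so tokens cannot be cross-linked between recipients.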

Keep Maintaining Data Management

Data protection and privacy will only be properly safeguarded when the topic is under continuous attention and scrutiny. Each time the company changes the way it handles personal data, the processing activities must be reviewed, and the privacy scheme of your organisation must be explained to each new party involved.

The Impact of GDPR on Organisations

The GDPR affects every organisation that processes personal data, which is virtually any organisation. Even though derogations exist for some SMEs in some respects, the GDPR still applies and cannot be ignored.
Placing data privacy protection at the heart of the organisation is the key to ensuring compliance with the GDPR and preventing the organisation from facing excessive fines.