Nowadays it is almost inconceivable to carry out any economic activity without data processing. No matter how small the business may be, the processing of personal data, including customer data, partner data or employee data, is usually a necessary part of its operations. Therefore, compliance with data protection rules, in particular the GDPR, affects a large number of micro, small and medium-sized enterprises (SMEs) across Europe (and even beyond the EU).
Although the GDPR contains some rules to make its application easier for SMEs (e.g. in relation to the obligation to keep records of data processing by organisations employing fewer than 250 persons), however, such rules only affect certain specific obligations, and on the other hand, there are also exceptions to such exceptions (e.g. SMEs employing fewer than 250 people are not exempted from record keeping if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data).
Therefore, the obligation to apply the GDPR also affects the vast majority of SMEs and they must make data protection compliance part of their daily operations, as they may otherwise face significant consequences, such as particularly large data protection fines.
At the same time, SMEs face challenges due to the limited resources available to them to comply with data protection requirements. This is why it is an important initiative of the European Data Protection Board (EDPB) to draw up and make available at the end of April a data protection guide specifically focused on the needs of small businesses. When it comes to data protection compliance, targeting SMEs is particularly important given that SMEs account for more than 99% of businesses in the EU (non-financial sector).
The data protection guide published by the EDPB collects the most important topics for compliance by SMEs. The guide covers, among others, the following topics:
- data protection basics,
- lawful data processing (possible legal bases),
- roles related to data processing: data controller or data processor,
- data protection rights of individuals (data subjects),
- data security,
- tasks in connection with data protection compliance and accountability (e.g. record keeping, data protection impact assessment, codes of conduct),
- rules regarding data protection officers,
- handling personal data breaches,
- data subjects' enforcement options,
- international data transfers.
The guide also provides infographics, checklists and other solutions to make compliance easier for small businesses. A very useful part of the guide is the Q&A section, where SMEs can find answers to a number of practical questions. Furthermore, the site contains materials prepared for SMEs by each supervisory authority and materials that can further assist SMEs in applying the respective data protection laws (these are, of course, typically available in the official language of the Member State where the authority operates, but in many cases an English version is also available). The guide has been prepared in English for the time being, but according to the press release of the EDPB, further language versions will follow.
